The Obama administration is turning up the pressure on agencies to accomplish four specific cybersecurity goals.
The Office of Management and Budget, the Homeland Security Department and the White House cyber coordinator’s office gave deputy secretaries a high-level scorecard highlighting their agency’s current status against goals for Trusted Internet Connections, implementing continuous monitoring and using secured identity cards to log on to computer networks.
Howard Schmidt, the White House cyber coordinator, said DHS developed the scorecard from the CyberStat sessions that have been held with agencies. During the sessions, DHS, OMB and Schmidt’s office reviewed agency progress in securing computers and networks. “They can look at the allocation of resources,” said Schmidt, who spoke at the Information Security and Privacy Advisory Board (ISPAB) meeting this week in Washington, D.C. “They can make sure the correct emphasis is put on the cyber things they care about.”
The administration issued the first scorecard earlier this summer during a meeting of the President’s Management Council, which is made up of agency deputy secretaries.
“The scorecard is something that is at their level,” he said. “The more technical things go through the CyberStat working with the departments and agencies. Clearly this is something the deputy secretaries through their senior management role can then focus on.”
One member of ISPAB described the four areas of the report card:
Continuous monitoring: How prepared are agencies to do it? Do they have an up-to-date IT inventory? Can they do configuration scans and vulnerability scans?
Trusted Internet Connections initiative:
What percentage of the agency’s network traffic is going through the TIC?
What percentage of the TIC reference architecture is in place?
HSPD-12 or secure identity cards: What percentage of the agency’s employees are using the secure identity card to log on to the computer network?
The goal is to set thresholds and hold agencies accountable for meeting these goals, Schmidt said. OMB set multiple deadlines for agencies to comply with TIC and HSPD-12, but few have actually met them. OMB and DHS mandated agencies use their HSPD-12 cards for logical access in 2012.
Additionally, the administration mandated that agencies
“It’s hard to say whether the problem has been that senior managers weren’t aware of the programs before or if these things are complicated technical and policy issues that could explain the delay in implementation,” he said. “I don’t think there is anything inherently wrong with creating scorecards and letting senior managers know what’s happening on their systems and with their networks. The other positive aspect is it really provides the legislative branch with a little more access into what’s happening on agency systems so they can begin to have a more complete understanding.”
Olcott, who recently left the Hill, where he was counsel to Senate Commerce Committee Chairman Sen. Jay Rockefeller (D-W.Va.), worked on the cyber legislation that is currently going through Congress.
Having a high-level scorecard could also get senior officials to put more emphasis, including people and financial resources, into these programs to either meet the deadlines or at least show progress to OMB and DHS, Olcott added.
Along with these four initiatives, Schmidt said his office is considering creating governmentwide security controls.
Schmidt said agencies are using different tools with varying levels of effectiveness. He said a set of governmentwide controls would set the baseline for what the software must do to secure the network. This is similar to the way OMB, the National Institute of Standards and Technology and the National Security Agency developed the Federal Desktop Core Configuration, or what is now called the U.S. Government Configuration Baseline. This baseline provides agencies with a minimum set of standards for the Microsoft operating system.
As part of the continuous monitoring effort, DHS is working with the Justice Department on the legal issues to implement Einstein 2 and pave the way for Einstein 3. Einstein is software that helps secure agency networks by collecting data about the traffic on agency networks and funneling it to a central location where DHS can identify trends. Einstein 2 is focused on intrusion detection, while Einstein 3 is focused on intrusion prevention and will give DHS the ability to automatically detect and disrupt malicious cyber activity.
While there still is plenty to be done this year, Schmidt said plans for 2012 are starting to come together.
“We’re looking back through the 2003 National Strategy to Secure Cyberspace, the Comprehensive National Cybersecurity Initiative and the Cyberspace Policy Review to see where things are and where they need to go,” Schmidt said. “What are the things we have a defined process for now? Whether it’s coordination across all of government, bringing in the law enforcement community, the homeland security remediation, the intelligence and defense communities, we now have a process that when something bad happens we have a group that comes together making sure we are all working together. That’s institutionalized … Part A is done and what are the next things we put on the schedules? Yes, we need to make progress on these. What are they? What are the milestones? Who’s involved? Who has a stick on this?”
Among the areas that likely will be on the 2012 plan is mobile computing and identity management, Schmidt added.
Also among the 2012 outlook is the renewed push for comprehensive cyber legislation.
“Anytime you look at something on paper, there oftentimes follows behind it ‘What is the intent of this? Why did you use this particular phrase instead of something else?’” Schmidt said, describing the conversation on the Hill. “That was a very positive discussion.”
The data breach notification proposal was one of the biggest areas lawmakers and staff had questions about, he said.
Optimistic on cyber bill
Schmidt said lawmakers have a strong commitment to move forward and he remains optimistic.
But Olcott said getting the comprehensive cyber bill through both houses of Congress depends on time — of which there is little — and Congress still has a lot to get done.
“There is a lot of common ground when you think about information sharing and roles and responsibilities of certain federal agencies, and certainly reforming the Federal Information Security Management Act,” he said. “The devil is always in the details. That is where members and staff have been spending their time trying to figure out how to write the legislation and reflect their priorities.”
The House and Senate are taking different paths to a final bill, Olcott said. The House formed a cyber task force and has been holding hearings and investigations.