“Each of those priority objectives has a more detailed implementation plan that is agency based. This has been an agency-led process that we rolled up into the strategic implementation plan,” said Kshemendra Paul, the program manager of the ISE, in an exclusive interview with Federal News Radio. “We wanted to do that and release it here about a year after the original strategy came out to be able to demonstrate the progress in planning, and also, this is more than just a plan, it reflects ongoing activity governed primarily by the Information Sharing and Access Policy Committee that I co-chair with the National Security Staff, but also reflecting work of the Senior Steering Committee on Information Sharing and Safeguarding, the federal CIO Council and other bodies into this space.”
President Barack Obama released the National Strategy for Information Sharing in the wake of two major information breaches — WikiLeaks and Edward Snowden. Over the last year, the ISE and the White House led the interagency effort to develop an implementation plan, focusing on short- and long-term milestones for each of the 16 initiatives that represent the whole-of-government approach to information sharing and safeguarding.
The implementation plan is another in a long list of memos and executive orders from the Obama administration. Over the last five years, the White House has given agencies instructions ranging from how to protect against insider threats, to cybersecurity information sharing, to how best to share classified data among agencies.
“We have about 20 subcommittees and working groups where the bulk of this work happens,” Paul said. “We also are cross-latched with Senior Steering Committee for Information Sharing and Safeguarding that is co-chaired by NSS Michael Daniel and OMB’s Lisa Schlosser. They are doing a lot of work post-WikiLeaks on improving things like identity access management and things like that. That’s reflected in the strategic implementation plan,” Paul said. “We are cross-latched with the federal CIO Council and some of the work they are doing. An example of that is the Federal Identity, Credential and Access Management (FICAM) framework, baseline interoperability capabilities and the centerpiece for that is the National Information Exchange Model (NIEM) and broad base used for that.”
The ISE’s role is one of planning and coordination support for these subcommittees under the Information Sharing and Access Policy Committee.
Paul said of the 16 initiatives, the first five are the most important:
Information sharing agreements
Identity credentialing and access management
Paul said many of these top five areas, and most of the 16, will provide short-term benefits. He said the initiatives are around data tagging and baseline interoperabilities.
“We are all about interoperability at the information level, semantic interoperability, network interoperability and business process interoperability,” he said. “So one of the things we have been working with our agency partners now for some time and it will come to fruition in the next six months is something called the ISE Interoperability Framework. It’s an update for the old enterprise architecture framework this office had published in the past.”
Paul said the framework will create and promote interoperable standards for these capabilities.
“Two exciting things that will happen in the next month-and-a-half are we will be doing a tabletop exercise to demonstrate the use of this framework, a tabletop exercise aimed at planning out architecture and capabilities,” he said. “People do operational tabletops, but this is a system development tabletop. To my knowledge, this is the first time something like this has ever been done. We are doing this with the Maritime Domain Awareness community. We are looking forward to hearing back the results and we are going to integrate that into the interoperability framework to make sure it’s usable and not shelfware.”
Paul said part of what they are looking for out of the tabletop exercise is how easy it is to deliver interoperable capabilities in the Maritime Domain Awareness Community of Interest. He said that includes deciding whether the participants are aligning information sharing capabilities, policy frameworks, standards and requirements.
Paul said ISE also is reviewing the framework with industry groups to get their feedback.
Securing data continuously
Another short-term effort is the integration of continuous monitoring of information and how to incorporate that concept into the safeguarding activities.
The implementation plan lays out four milestones for 2014, including determining priorities for future years, developing new progress tracking criteria and conducting an annual baseline of information security practice assessments.
Paul said identity management and access control is another high-priority initiative with a goal of ensuring information is used only for mission needs, reducing how much data is stored on devices and increasing the efficiencies around validating users’ “need-to-know” approvals.
“What we’ve seen over 2013 and what we will see coming into 2014 is really a focus on shifting to implementation of the capabilities described in the FICAM,” he said.
Paul said one way ISE is doing that is by working closely with the organizations that are running the pilots under the National Strategy for Trusted Identities in Cyberspace (NSTIC). Paul and NSTIC lead Jeremy Grant held a meeting with federal and private sector partners at the White House in November to discuss using the FICAM and how they can accelerate the use of federated identity management.
A huge part of many of these efforts is how data is tagged and classified. The plan’s stated outcome is to have common metadata standards for data tagging across agencies and cybersecurity domains to improve information sharing.
The milestones include the National Archives and Records Administration leading the effort to develop standards and specifications in 2015 and aligning them with the FICAM by 2018.
“Having an architecture for tagging doesn’t work unless you have policy agreement between organizations. Priority objective two is around information sharing agreements and the point with that is to move away from point-to-point information sharing agreements and to multi-lateral information sharing agreements that use a common vocabulary that can be automated. That automation uses that data tagging,” Paul said. “For that to work, you have to have effective governance where different agencies, different levels of government, public sector and private sector can have forums to come together and agree on core issues like how they think about individuals in their organization and core information assets and access to that.”
Paul said agencies face three big challenges to implementing and continuing to improve information sharing and safeguarding. He said tight budgets continue to make it difficult for agencies to run pilots or invest a little to save a lot.
But he said the diverse and fragmented threat picture is probably the biggest obstacle that agencies need to overcome.
“Our big goal for the coming year is to more formally integrate those other communities as we look to enrich the plan,” Paul said. “This is not a static plan. It’s something that will continue to improve as we execute it.”