The Office of Management and Budget worked hard over the last three years to repair a case of governmentwide cyber neglect.
OMB’s cyberstat effort had fallen on forgotten times.
But Trevor Rudolph, the chief of business operations and cybersecurity for Whitehawk and a former chief of OMB’s cyber and national security team, helped reinvigorate the White House’s oversight and assistance role. Rudolph left OMB in November.
He said the team played a key role in helping to refocus OMB on cyber during his five-plus years in the agency.
“The Obama administration, at least at the beginning of the administration, had not effectively resourced that [cyber] capability inside OMB. We had about one-fourth of one-half of one FTE dedicated to [the cyber] mission space. If you look at the Federal Information Security Management Act (FISMA) and you think OMB has the responsibility of oversight and policy development for the entire government, having one-half of a person is a little troubling,” Rudolph said. “What we were seeing was a significant ramp up on the threat activity on both the .gov and .mil sides of the government and also the private sector. I was just fortunate at the time to have the perfect storm. We had increased threat activity. We had a willingness on the part of Congress to resource this capability inside OMB. We also had really impressive leadership inside OMB at the time.”
Rudolph credits former OMB Deputy Director for Management Beth Cobert and former federal deputy CIO Lisa Schlosser for giving him the go-ahead to grow a team and execute cyber oversight.
Over the next five years, Rudolph’s team worked on everything from the rewrite of Circular A-130, the cyber sprint, the Cybersecurity Implementation Plan (CSIP) and the Cybersecurity National Action Plan (CNAP).
But Rudolph said one of the team’s biggest accomplishments was getting into the nitty-gritty of agency cyber defenses.
“Before we had this capability, the National Security Council and OMB were partnering with their limited resources on the CyberStat effort. In 2014, I think we did something like six CyberStats. The reason that is a problem is it limited our intelligence and the depths of our relationships in agencies to get stuff done,” he said. “In 2015, I believe the number was 14 and then in 2016 we just wrapped up 24 or 25 CyberStats using a massive ramp up in terms of our capability and how we are actually spending those resources effectively.”
Rudolph said OMB now has a better understanding about the state of cybersecurity at those large agencies, which can be used to develop budget and policy development.
“I had two goals in this space. One, we had to clean up our mess from the past. By not having the resources to keep the policies up to date and continually refresh them, we had a lot of legacy policies,” he said. “The second goal was to think strategically about where the federal government needed to be in the next 3 to 5 to 15 to 20 years and establishing a road map for how to actually get there.”
Rudolph said the A-130 update, as well as the action plan, are the two documents that will help agencies today and in the future.
“The real value of the CNAP is we spent the time to think through the root causes to our problems in the federal government, and built specific initiatives and budgeted a lot of those initiatives to really move the fall forward to fix some of the systemic issues that we have in the federal cybersecurity,” he said.
All of these efforts and many other initiatives helped put the government in a better position to defend its networks and data, Rudolph said.
“Without a doubt, we are better today than we were three-to-five years ago,” he said. “If you just look at the cyber sprint, we actually have the data to prove we have improved significantly in a short period of time.”
He said the 40 percent increase in the use of smart identity cards to log on to computers, the fact agencies now had a more complete inventory of privileged users on its network, and actions by agencies to routinely scan for indicators of compromise were among the biggest measurable changes in federal cybersecurity over the last few years.
“The sprint was the jolt to the system we needed for the last 20 years,” he said. “It was almost as if we were under some sort of cardiac arrest and that helped wake some things up.”
But he realizes it’s also hard to measure important things like increased awareness, better governance and leadership engagement.
“I think the OPM breach made things real for people because a lot of people actually received a letter or an email that says they had been impacted and specifically the most juicy details of your background haves been breached,” he said. “And frankly seeing the hearings with my colleagues from OPM and seeing them go through that punishment on the Hill, I think, woke up a lot of leadership that previously didn’t care about this particular issue.”
Rudolph said at the same time, agencies need to combat cyber fatigue and keep executives focused on the issues.