Office of Personnel Management Director Katherine Archuleta’s recent time in the congressional hot seat over her agency’s two cyber breaches is a wake-up call for all agency chief information officers to look at how they handle cybersecurity.
If that’s not enough incentive, Federal Chief Technology Officer Tony Scott also ordered a 30-day cyber sprint on June 15 to get agencies to fix their systems.
Steve Cooper, Commerce Department CIO, told Federal News Radio Executive Editor Jason Miller the entire executive team at Commerce is involved in assessing his agency’s cybersecurity performance.
“We’ve approached it as either we are breached and if we are, we don’t recognize it yet, we better damn sure figure out exactly what’s going on and why and how,” Cooper said. “Or, we will be breached. So, this concept that, ‘Oh, we can protect ourselves’ is one that we simply don’t use. That’s not realistic. What we’re trying to do is move proactively toward immediate detection and identification of any real threat.”
One advantage the agency has is that the National Institute of Standards and Technology is part of Commerce, so the agency is able to implement NIST’s cybersecurity framework across the entire department.
“We want to move as rapidly as we can from identification and detection to mitigation, response, recovery, that kind of thing,” Cooper said. “We’ve made some changes inside the department that have strengthened our ability to detect and communicate that something has happened to our DoC CERT [Computer Emergency Readiness Team]. And then, under certain criteria, I then communicate directly to the secretary, the dep-sec and any executive management when something has occurred. That’s a change from what was in place before I got to the Department of Commerce, and, of course, that includes our communication directly to U.S. CERT in DHS.”
In addition, Commerce has focused on the plans of action and milestones (POAMs) process as a way to address long-term problems and fix them. This examination revealed that a number of bureaus within Commerce had POAMs outstanding by more than 120 days.
“In one of my briefings to the secretary, we had a discussion about this and she asked, ‘Look, what could we do? Is there a way that we could bring some help, focus, that type of thing?'” Cooper said. “We together came up with the idea, ‘Look, why don’t we make them more visible?’ How about when executive management does their check in with the secretary and the dep-sec, how about if we add this to the agenda so that you guys, meaning the secretary and the dep-sec, can actually ask an undersecretary or the head of a bureau, ‘Hey, how are you doing with these? Why is this over 120 days?'”
This wasn’t meant to blindside anyone. Rather, it was aimed at improving the risk profile of the entire department. This information was then shared out with everyone.
“Within about 60 days, the number of POAMs across the bureaus more than 120 days overdue dropped rather dramatically,” he said. “Relatively speaking, if I put it on a percentage scale, it dropped from about 100 percent of what was outstanding over 120 days to about 3 percent in almost all of the bureaus. The one remaining, I’m a little bit embarrassed, is my office in the bureaus that we support. We’re working on reducing the ones that are still outstanding more than 120 days. We’ll go after the next time frame as we resolve some of these.”
Among the things this process is meant to correct are bad patches on systems that aren’t high-risk or high-vulnerability.
“So, folks have kind of left them alone for a little while,” Cooper said. “Well, that’s still not a good idea. It’s not best practice. So, we brought resources to bear and we basically said, ‘OK, look, we really do have to fix those, even though they’re moderate or low-risk.’ None of these were high-risk in the sense that this was a critical vulnerability that really, we just kind of didn’t address for some odd reason. These are mostly our moderate risks and low risks are the categories that they fall into. But they still count. And by addressing them, we reduce our overall risk posture.”
Even though a system may be low-risk, it could potentially allow access to a high-risk area.
“We look for any type of vector through which threats and vulnerabilities can enter our environment,” Cooper said. “Another thing that we’ve been paying a lot of attention to, and this is part of the 30-day cyber sprint that Tony Scott has put in place for the agencies, we’re looking a lot at our privileged users, those people with access privileges that are beyond a normal employee’s use of our computer environment, and we’re looking for the simple things to correct very rapidly.”
Cooper said Commerce is in pretty good shape in response to the cyber sprint when it comes to privileged users and use of personal identity verification (PIV) cards.
“We actually stand at about 97 percent for privileged users’ strong authentication and we’re about 76 percent, which is about 1 percentage point above the target at the moment,” he said. “We need to push both of those as close to 100 percent by the target deadlines — July 15 for privileged users and by the end of August on all users.”
Commerce has some legacy systems that, from a technology standpoint, don’t lend themselves to supporting PIV cards for logical access.
“We don’t have the ability to issue PIV cards for some non-typical reasons to 100 percent of our workforce,” Cooper said. “Therefore, we are working with our office of security to try to figure out are there some backup ways that we can use the equivalent of a PIV card, maybe a local Commerce credential, or a Commerce credential and a token that will give us the equivalent of strong authentication, two-factor authentication.”
Cooper’s boss, Secretary Penny Pritzker, recently issued a memo designating him the senior executive accountable for cybersecurity at Commerce. While this doesn’t really expand the scope of Cooper’s role, it has helped reinforce his responsibility over cyber.
“First and foremost, I am accountable,” he said. “The secretary, the dep-sec and anybody else in the department absolutely has the right, and anybody outside the department, the Hill, any of our overseers, OMB, have the right to hold me accountable, both personally and as part of my team. So, the advantage is it brings visibility to something that’s very, very important.”
The memo also made it easier for Cooper to engage business leadership in a different dialogue.
“They are also part of our ability to have everyone accountable in the sense that there are things that they need to do inside their bureaus to assist, to ensure, for example, that everyone receives annual and appropriate training around cybersecurity,” he said. “Here are the things that you don’t want to do. Don’t click on links in emails that you don’t know. Don’t open attachments that you don’t know. That’s very, very valuable in helping the entire workforce together do everything we can to better protect the department. So, it’s that leverage of a different conversation. This isn’t the purview of just the CIO.”