For agency managers responsible for cybersecurity, the last few weeks have been challenging. The data breach affecting millions might have been the direct responsibility of the Office of Personnel Management, but the response has been all-of-government — starting with the now-concluded 30-day cyber sprint.
Last Friday, the Office of Management and Budget posted the latest data from the sprint, which federal Chief Information Officer Tony Scott had ordered.
The main metric to come out of OMB’s blog post was that agencies had improved their use of strong authentication for both privileged and unprivileged users. Over the length of the sprint, agencies were able to grow that number from 42 percent to 72 percent.
Alan Paller, the director of research at the SANS Institute, told Jared Serbu on the Federal Drive Monday that this measure of performance is both good and bad. It’s good in that agencies have made strides in one area of cybersecurity, but it’s also bad in that more than 25 percent of employees remain in username/password mode.
“What’s most interesting out of that is how quickly they went that far and the reason they did,” he said. “And that was the sort of simple truth of ‘What gets watched gets done,’ and for the last 30 days, that particular metric was being watched. If you come back in a few months, you will see that the change has slowed radically because OMB will go on to other metrics. It’s like the Lazy Susan, pick your metric of the month and they’ll focus agencies on other things, the agencies will stop doing this one.”
The question then becomes: what should agencies be focusing on now that the cyber sprint is over?
Paller sees five steps that agencies should take moving forward:
“None of them are really hard,” Paller said of his five steps. “They aren’t, ‘Go get another $80 billion and do something big.’ None of them are that. They’re actually small steps, no bigger than what’s been done over the last 30 days. But, they have to be sustained and they have to be constantly measured, not measured for 30 days the way OMB did in its sprint.”
A task force of industry technology experts convened by the IT Alliance for Public Sector (ITAPS) offered its own set of cybersecurity recommendations Monday for federal agencies in the aftermath of the cyber sprint.
“These are cybersecurity experts with extensive experience in the technology and public sectors,” said Trey Hodgkins, senior vice president for the public sector, in a release. “Working diligently, the task force identified steps the government can take immediately and in the months ahead to improve their cybersecurity posture and strengthen the networks our government relies upon.”
The task force identified five broad issues that it said needed to be addressed in order for agencies to improve their cybersecurity.
ITAPS recommended the government continue to accelerate its adoption of several different approaches to managing cybersecurity.
Using Security Risk Management, for example, agencies would use a tool like the Risk Management Framework developed by the National Institute of Standards and Technology to assess the vulnerability of their systems. They would then develop strategies to update their systems so that they were more secure and potential risks were mitigated.
In addition, agencies would need to make information security a core principle of their organizational structure. This would mean extending that principle to management areas beyond technology, including finance and procurement.
These fixes should begin immediately and then extend beyond the current administration.
“While these efforts should result in immediate enhancements, they will also set the foundation for the government’s future efforts,” the task force report said. “Most importantly these efforts will begin the long process of restoring the American people’s trust in the ability of the federal government to protect its networks and the information that resides in and transits those networks. The actions provided below are intended to serve as a continuation of the many good activities initiated through the Cybersecurity Sprint, and provide a roadmap to implement many of our recommendations.”
The task force called for the creation of an online communication portal between agencies, the public and industry, where information about the latest cybersecurity issues can be exchanged. This would allow for the sharing of up-to-date information about possible cyber threats and technology that could provide effective countermeasures.
“We recommend the addition or reevaluation of internal, government-wide groups and procedures that allow for acquisition of the best technologies to combat the newest threats,” the report said. “We believe that this combination will provide a well-rounded and balanced measure for finding the best solutions.”
The task force considered crisis planning to be crucial moving forward.
“Combined with protection and detection capabilities, appropriate crisis response activities can minimize the impact of an incident,” the report said. “Effective response planning takes place well in advance of an incident and considers a range of scenarios, capabilities, conditions, and environments. Effective planning also requires education, training, and exercises for all elements of a response plan.”
It’s not enough just to make a plan. Equally important is to track the plan’s success and improve it to meet new threats.
The task force criticized the government, saying it had “vague lines of responsibility and accountability.” Like Paller, the task force looked to industry for a solution.
“Understanding how business establishes clear lines of responsibility and whom to hold accountable in a cyber crisis would be beneficial to establishing better cybersecurity accountability in the federal government,” the report said. “The current lines of responsibility and accountability are not getting the desired results across the federal government as demonstrated through recent incidences occurring at federal agencies. Exact lines are blurred and in some cases may even present a potential conflict of interest, such as the CISO [chief information security officer] reporting to the CIO [chief information officer]. There are some key actions that must be taken to improve the responsibilities and accountability for cybersecurity in the federal government.”
The task force said that everyone in an agency should understand their role in maintaining information security and it should become part of the performance review process. Agencies should also increase information security awareness throughout their organizations.