Small agencies say the administration’s new Cybersecurity National Action Plan (CNAP) could provide the path they need to collaborate and collectively address federal cyber challenges.
“The CIOs, the CISOs are working together saying, we collectively have these issues, how collectively can we address them?” said Mark Kneidinger, director of cybersecurity and communication at the Homeland Security Department’s National Protection and Programs Directorate, during an Independent Telecommunications Pioneer Association (ITPA) discussion March 3. “That drove the CNAP and then obviously the broader budget perspective.”
The directives in the administration’s new cyber plan, which President Barack Obama included in his 2017 budget request, are based on discussions IT leaders had during the 30-day cyber sprint and when developing the Cybersecurity Strategy and Implementation Plan (CSIP).
According to the administration’s plan, small agencies will tap into a shared services environment to help them address challenges in developing cyber technology, implementing new policies and hiring talented experts.
“If we just have to throw technology at everything — which is the easier piece — it doesn’t work,” said Kirit Amin, chief information officer at the U.S. International Trade Commission. “It’s the three-legged stool of people, process and technology. All those three legs have to be in balance or that stool is going to wobble or sometimes crash on you.”
Amin said the CNAP gives agencies like his an opportunity to better address IT modernization, particularly when they need to turn to industry for help.
“If I’m a small agency and I’m looking for a vendor to do something for me, I’m not going to have enough time, I’m too small, compared to the smaller agencies,” he said. “Is there a way that DHS, OMB can help us coalesce the small agencies together and we become a force collectively? Because each one of us by ourselves cannot do this, but collectively we can have centers of excellence, centers of something that would enable us to get there.”
For Amin, hiring is a top challenge. He said he has four cyber positions open and hasn’t had any luck filling them.
Under the CNAP, DHS is working with GSA to develop contracts that would let them quickly bring on a “surge” of cyber experts when an incident like the OPM cyber breach occurs.
But the “people” piece of the puzzle isn’t only about finding new hires. Esteve Mede, the chief information security officer for the Federal Election Commission, said agencies need to find better ways to train and develop the employees they have.
“We always talk about [how] we need to get industry, we need to get people from the industry into the government, we cannot get cyber folks, but we always fail to develop the folks that we have,” he said. “The reason why we’re not getting the people and the reason why they’re leaving… is that they’re not being developed. If they are being developed, a lot of them will stay. Yes, we understand that money plays a role in it.”
The administration also requested $62 million to help agencies train and recruit cyber experts under the CNAP.
Mede said agencies need to teach their employees how to ask questions and make decisions, so they too can begin to understand and develop program requirements.
Some agencies will use shared services to help them meet these challenges, but it doesn’t mean they’re off the hook for securing their own networks.
“Shared services does not mean that the agency does not have the accountability and the authority and the responsibility for cybersecurity,” Kneidinger said. “That still remains with the agency. Nothing has changed in regards to the responsibility of the agency. It’s how we can work smartly in regards to being able to support the agencies.”
EINSTEIN, CDM pieces of the puzzle
DHS plays a key role in helping agencies with the technology piece.
The department is adding a fourth phase under its continuous diagnostics and mitigation (CDM) program, which would look at the data that agencies collect.
Kneidinger said DHS is in the early stages of discussing phase four, but the department is adding another phase to meet agencies’ growing needs.
In the meantime, DHS is working through the procurement process on a continuous monitoring-as-a-service offering for 41 small agencies. The contract would bring phases one and two of CDM to non-CFO Act agencies in a shared services environment.
“That award is very close,” Kneidinger said. “The bids have been received, [we’re] in the evaluation process, and basically the roll-out to non-CFO Act agencies will be under a shared service environment.”
Amin said he was happy to see that small agencies like his would get some help in implementing CDM under shared services, because he wouldn’t have the resources to adopt the program on his own.
As agencies are also knee-deep in implementing EINSTEIN 3A, Kneidinger said, DHS is looking at how and where else it could leverage the program to meet agencies’ needs. DHS is working with three large agencies and one small agency on four pilots, he said. He’s asking agencies how they’re using EINSTEIN now and how else they could use it in the future.