But the Office of Management and Budget says the “sprint” helped it uncover some valuable lessons of its own about getting things done in government. And it’s applying some of those best practices as it prepares for the upcoming presidential transition in six months.
“What we discovered during and post-cybersecurity sprint, is that if you really want to get stuff done in the government — cybersecurity just being one of those topics — the best way to do it is to engage directly with … the deputy secretaries of departments and agencies,” Trevor Rudolph, chief of the Cyber and National Security Unit at OMB, said during an ACT-IAC panel discussion in Washington July 20. “These are the people who actually have the control over the entire management suite within their particular departments and they can truly drive change, especially in very, very large and federated agencies.”
OMB is now reviewing its cybersecurity accomplishments from the past eight years, as well as the items it has left on its to-do list with agency deputy secretaries.
Michael Daniel, special assistant to the President and cybersecurity coordinator, said the goal is to put agencies on the right policy path so that the work can continue when the new administration starts in January.
“There are some things that I would like to get across the finish the line,” he said. “But it’s actually more important that we put in place the right policy structure to enable agencies to continue improving their cybersecurity over the long term. This is not an area where you’re going to reach ‘done.'”
Daniel, who has worked on two previous presidential transitions in the White House, said there is always a “blip” in policy as the new administration comes in, gets itself organized and appoints its leaders.
“How do you actually get the natural, bureaucratic inertia of the government working for you instead of against you in this case?” he said. “You have the stuff that can keep moving forward, that can work toward program implementation, things that everybody recognizes are good policy to do that agencies can continue executing on even as the transition occurs.”
For the administration, improving agency cybersecurity is one of those tasks that nearly everyone can agree on, and putting together pieces of the recently announced, inaugural cyber workforce strategy is a top priority.
Agencies filled roughly 3,000 cyber positions so far this year, Rudolph said. The goal is to pick up speed and hire another 3,500 over the next six months. The administration outlined a series of steps that agencies should take to better recruit and retain new professionals who can secure and defend federal networks.
But the administration is encouraging agencies to take a more holistic approach— rather than competing against each other — when they hire new cyber professionals. Instead, the new strategy pushes agency chief human capital officers to look more broadly at their human resources needs across the whole enterprise, Rudolph said.
And the effort will take major shifts in government culture, Daniel added.
“We still have to shift our mindset in the federal government,” he said. “Although we have tried to do this, we still have much of the culture and the policies and the procedures baked in very much at the agency level, that assume that we’re going to recruit 20-somethings out of college, and we’re going to keep them for 40 years, probably in the same bureau, and they’re going to retire from the federal government. That’s just not reality anymore. That’s not how it works. We have to get much better at allowing people to come in and out of government service on a regular basis.”
The administration is not only looking for coders, developers and other IT specialists, but it’s also seeking economists and lawyers who know the cybersecurity world as well, Daniel said.
He acknowledged that strengthening the federal cyber workforce won’t happen overnight, and it won’t happen within the next six months.
“This is a strategy that we believe will need to be executed over the long term,” Daniel said. “We did not get ourselves into this situation quickly, and we’re not going to get ourselves out of it very quickly. It’s going to take a while. That’s why, when you look at that strategy, it has different prongs to try to really expand the pipeline of available talent, not just for the federal government but for the country as a whole. It’s really designed to try to start to figure out if we can get at some of those systemic barriers … that are preventing the workforce from expanding as rapidly as it needs to.”
Beyond the administration’s focus on the cyber workforce, OMB is also continuing to work with the Homeland Security Department on agency high value asset reviews, Rudolph said.
DHS finished the first round of security tests on major agency IT systems.
“We have our DHS partners go in and independently verify the security of those high value assets,” Rudolph said. “That process is underway. We want to complete that before the end of the administration, so that we know moving into the next administration where our biggest weaknesses are that we need to prioritize Jan. 21 or so.”
“It may look, feel and smell a little bit like the [cyber] sprint,” he said. “So you can expect that from us.”
And the Obama administration has a lot to live up to as it prepares for the transition, Daniel said.
“The Bush administration when it left did a very good job on that,” he said. “We want to meet that standard at least, if not exceed it even, because that was a very well done transition and that’s what we’re working toward as well.”