It was 2006 when the federal government got serious about cybersecurity. Jerry Davis, the outgoing NASA Ames Research Center chief information officer, was an employee of the Veterans Affairs Department when a laptop holding the data of 26 million veterans was stolen.
Davis, who has spent much of his career in cyber, said the incident “opened eyes and sent shock waves across the federal government.” From that event came a number of executive orders, memos, initiatives and even laws that tried to reshape the way agencies approach cybersecurity, and protect data and networks.
“I think the biggest challenge the government and really every sector faces is the skill set of the people who are securing our networks and systems,” Davis said in an “exit” interview. “We as a nation are woefully behind when it comes to producing really good individuals that have skill sets to work in cybersecurity.”
Davis’ description of the challenges facing the public and private sectors is the impetus behind the Federal CIO Council’s new chief information security officer handbook.
In launching the 170-page CISO Handbook on June 26, the council wrote that “a central pillar of the administration’s IT modernization strategy is to improve the skills, leadership abilities, and overall pipeline of talent in the federal government to address our growing cybersecurity threats.”
The group said it sought to produce a compendium of key information, templates and processes for a “‘one stop shop’ for new and emerging information security professionals to begin their upskilling into future cybersecurity executives. The handbook is a foundational document that will help agency leadership drive transformational workforce changes in a standardized, repeatable manner and create greater collaboration and coordination across agencies to address systemic cybersecurity challenges.”
Trey Kennedy, a senior adviser to the CIO Council, said in a call with reporters that over the last 15 years, since the passage of the Federal Information Security Management Act (FISMA), the complexity of what federal IT security executives need to know has grown considerably.
“The creation of the handbook wasn’t centered on the confusion around what was out there, but what really came up was a lot of folks were saying there are tons of resources out there to help us do our job that highlighted the role of CISOs,” Kennedy said. “But the thing we found and consistently heard through the councils was that these resources are in various places. And when you are onboarding a new employee it would be really great if there was a one-stop shop that lets you point folks to a single document that may not be the totality of the universe, but gives you that foundational knowledge, the key that you really need to be successful in the cybersecurity role.”
He said the goal of the handbook is not to be prescriptive as there are plenty of laws and policies that do that. But it should detail the goals and objectives of federal IT security whether one is a CISO, striving to be a CISO or just a non-IT executive trying to understand federal cybersecurity.
“The goal is to highlight some of the best practices, too. The appendix is really based upon successful policies for agencies to refer back to. Since then, we’ve had some feedback from CISOs who’ve asked us for a little bit of additional information about what those policies look like,” he said. “We are trying to make sure this information sharing occurs. This allows folks to read through the handbook, identify the challenges that they see in their own organization and see from the handbook’s perspective what their peers may be looking at foundational perspective to overcome those.”
OMB tried something similar in 2016 by creating cyber.gov, but that site never really amounted to much and today it is a blank page. The CIO and CISO councils outlined three main sections in the handbook:
CISO roles and responsibilities, including reporting requirements
Managing risk across the enterprise, including NIST and governmentwide initiatives
Management resources, including workforce and contracting
“Breaking the complex conversation of the CISO role and risk management into consumable pieces can only help the community succeed in bringing new talent onboard and meeting our mission needs,” Emery Csulak, CISO at the Centers for Medicare and Medicaid Services, said in the release about the handbook.
Kennedy said Csulak and Cord Chase, the former CISO at the Office of Personnel Management and now a senior advisor for the National Background Investigations Bureau, spearheaded the handbook’s development for the CIO and CISO councils.
Csulak and Chase led the working group that started with a survey of CISOs to understand priority areas and challenges, and then brought all the reference material together to get feedback from the councils.
“The way we wrote the handbook and the way we structured it was really around plain language. We wanted it to be a very clearly written document and you don’t need a deep technical background to understand the elements that are in it,” Kennedy said. “Whether you are a seasoned cybersecurity professional who just wants a quick reference guide for a lot of these items that are out there or if you are somebody new to the field or you are just a regular employee who is trying to understand what your role in cybersecurity is, if you read this you understand what is out there.”
He said this is especially true for program staff who need to know the baseline cybersecurity requirements they must follow.
Kennedy said the CIO Council followed a similar approach it took with the U.S. Digital Service to create the TechFAR Handbook in 2014 and the work the General Services Administration did to create the M3 framework in 2015 for shared services.
Kennedy said the councils will continually update the CISO handbook as new policies, laws and challenges arise.
“One of the things we want to do is the document right now is a PDF format and we’d like to come up with a more interactive form of displaying it online so that is one of our first areas to tackle to try to improve the usability and accessibility online,” he said. “We’ve made sure to socialize this with the small agencies since a lot of times they are looking for these resources to have them as they might have a smaller staff or less dedicated folks to it.”