The Federal Housing Finance Agency has faced six audit reports from its inspector general since 2015 highlighting a host of challenges ranging from governance to business functions to supervisory activities related to risk.
Basically, FHFA, which oversees Fannie Mae, Freddie Mac and the federal home loan bank system, has many of the same problems protecting its systems and data as most of its federal brethren.
This is why FHFA’s recent contract notice detailing a potential award to a small women-owned business stands out. FHFA says it plans to hire Living Security, Inc. to “design, build, and operate a customized hands-on two day cybersecurity-themed escape room training on-site at [FHFA’s] headquarters” in Washington, D.C.
FHFA issued an intent to sole source to Living Security, but industry has until March 7 to respond and make the agency aware of their similar capabilities before it finalizes the award.
That’s a pretty innovative approach to training employees at all levels how to deal with cybersecurity challenges, which impact nearly everything every agency does.
Living Security’s website describes its escape room as an “intelligence-driven security awareness training platform that leverages gamified learning to make cybersecurity training fun and effective.”
The Smallwood, Texas-based company said the game creates storylines and teaches lessons in security, safety and online privacy.
Under the four-month deal — a total cost figure wasn’t provided — Living Security will create an escape room that is customized to the FHFA’s IT and security policies, according to the sole-source notice. There aren’t many other details about what the room will look like or what the challenges will address.
But if you’ve ever participated in an escape room with friends, your kids or through team building, you probably can see the potential for cybersecurity. For those of you who may not be familiar, the escape room concept is innovative because it teaches several important traits needed to address cyber challenges: team building, critical thinking and problem solving.
FHFA not the only one
There are a handful of other federal cyber companies offering similar experiences. The Thales Group offers a “mobile box” that is a 10-minute experience that uses clues, hints and strategy to help participants complete the puzzle.
“In many ways, a well designed escape room can represent an attack kill-chain and poor defense-in-depth. Each puzzle represents a vulnerability that the participant is exploiting, and if best practices were followed, the puzzle could not have been solved,” SANS wrote in an online presentation about its escape room concept.
This concept also is gaining some momentum in other areas of government. A team from the Washington State Department of Revenue won a statewide contest last November.
“The Office of Cybersecurity’s escape room challenged players to solve a variety of high-tech and low-tech puzzles to uncover clues needed to access information on a laptop,” the office wrote in a press release. “The purpose of the competition was to heighten awareness about common bad practices many people fall into when it comes to securing their digital information.”
This type of approach to cybersecurity training just makes sense given the ever-increasing need to keep employees engaged and familiar with the latest cybersecurity threats. And maybe even more important, typical cyber training at your desk through webinars or through half-day classes is boring and too often tuned out by employees.
Kudos to the FHFA not only for trying something different to fix long-standing cyber challenges, but also for finding a way to hopefully get employees to remember why cybersecurity matters and how to protect themselves and their agency.