Although the federal government has made progress on cybersecurity in recent years, several items remain on the agenda for agencies to secure their networks.
With the help of cybersecurity experts both in and out of government, Federal News Radio has compiled a list of the major items still on the government’s cyber to-do list. (The items are in no particular order.)
— The Senate failed to update any cyber laws over the last three years, whether they were controversial, such as how to address critical infrastructure systems, or widely accepted, such as the update to the Federal Information Security Management Act (FISMA). The House passed four separate cyber bills, but all failed to gain significant traction in the Senate.
— While there has been some progress in developing standards, such as the Defense Department’s 8570 policy, most agencies still face an uphill battle to train their workforces. The National Institute of Standards and Technology launched the National Initiative for Cybersecurity Education (NICE) in 2009 to train and increase cyber awareness among businesses, government and citizens.
Implement HSPD-12 for logical access
— The Office of Management and Budget found in the fiscal 2011 FISMA report to Congress that while 90 percent of all federal employees have HSPD-12 compliant smartcards, only four agencies — the departments of Defense, Education and Agriculture and the General Services Administration — required at least 44 percent of all users to log onto the network using the cards. Of the other 18 agencies, only four showed any progress — the departments of Homeland Security, State and Commerce and NASA — in using the cards. Agencies need to implement smart card readers and get away from usernames and passwords for logging onto networks and computers.
Supply chain risk management
— By some estimates, 1 in 10 technology systems or products contain counterfeit parts. And there is no way to estimate how many IT systems contain malware or back doors. DoD and the White House are working on supply chain policies, but the government continues to buy based on price in order to meet cost and schedule requirements, which often drives agencies to acquire products from untrusted and unauthorized sources such as online brokers or gray-market providers.
— The explosion of smartphones and tablet computers has put pressure on agencies to figure out how to protect these devices. The idea of bring-your-own-device adds another layer of complexity to the challenge. The Digital Government Strategy calls for NIST, DoD and DHS to develop a mobile/digital security platform over the next 12 months to include mobile and wireless security architectures and a governmentwide baseline. NIST also issued a guide for securing mobile devices in June.
— The Obama administration pushed agencies into the cloud, but without a clear approach to defend the systems in the cloud. OMB launched the Federal Risk and Authorization Management Program (FedRAMP) to bring standardization to the way cloud services are accredited and authorized. GSA, DoD and DHS must bring FedRAMP to full operational capability.
Rules of Engagement
— DoD is close to finalizing this policy, which will direct how the department responds to a cyber attack. The strategy also will help define the roles DoD will not take, and therefore clarify the responsibilities of DHS, the Justice Department and other civilian agencies.
Insider Threat Policy
— A White House task force is developing a new policy to combat the potential of employees or contractors doing harm to federal networks. The draft policy is going through the interagency review process.
NSTIC Roll Out
— The National Strategy for Trusted Identities in Cyberspace has been hailed by cyber experts as a much needed and potential game-changer. The program just awarded five pilots, $10 million total, to test concepts for using third-party credentials to log onto government and private sector services.
— This is one of the biggest sticking points to getting comprehensive legislation passed. The White House is considering an executive order to promote voluntary standard creation. The Government Accountability Office found in December 2011 that there is too much guidance for each critical infrastructure sector, making it unclear which guidance a sector should follow. GAO said one set of guidance for each subsector, along with supplementary documents, addressed most risk management steps and most of the recommended security controls specified for federal information systems.