As news of a second major cyber breach at the Office of Personnel Management spread across the country, the Office of Management and Budget gave agencies 30 days to fix their systems.
Tony Scott, the federal chief information officer, ordered agencies to take immediate and specific actions over the next month to further improve the security of their systems and data.
Scott also announced the creation of a “Cybersecurity Sprint Team” to review current federal policies and procedures and recommend a new cyber strategy for civilian agencies. Sources say both efforts had been in the works for a few months, but the timing makes it look as though OMB is reacting to the breach.
At the heart of this sprint is the binding operational directive issued by the Homeland Security Department in May, which Federal News Radio first reported on June 8. It requires agencies to fix all critical vulnerabilities within 30 days or justify to DHS why they could not. OMB’s cyber sprint goes beyond that, according to a fact sheet issued by the Obama administration on June 12.
Scott instructed agencies to tighten policies for privileged users, dramatically accelerate the implementation of smart identity cards for logical access under Homeland Security Presidential Directive-12, and immediately deploy indicators provided by DHS to scan systems and logs to detect attacks or the possibility of a breach.
“Agencies shall inform DHS immediately if indicators return evidence of malicious cyber activity,” the OMB fact sheet states. “To the greatest extent possible, agencies should: minimize the number of privileged users; limit functions that can be performed when using privileged accounts; limit the duration that privileged users can be logged in; limit the privileged functions that can be performed using remote access; and ensure that privileged user activities are logged and that such logs are reviewed regularly. Agencies must report to OMB and DHS on progress and challenges within 30 days.”
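Two of the sprint items above are concrete enough to script: running externally supplied indicators against system and proxy logs, and reviewing privileged-user sessions against duration and remote-access limits. The following is an added illustration, not code from the article, OMB or DHS. The indicator set, log lines, session records and the 120-minute limit are all constructed for the example; the indicators use TEST-NET addresses, `example.*` domains and a synthetic hash, not real DHS indicators.

```python
"""Scan log lines for externally supplied indicators and review privileged
sessions against a duration limit. Added illustration; all indicators,
log lines and session records below are constructed, not DHS data."""
import re
from datetime import datetime

# Constructed indicator set in the shape a threat-intel feed usually takes:
# network indicators plus file hashes. Not real DHS indicators.
INDICATORS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},                # TEST-NET-3/2
    "domain": {"update-cdn.example.net", "login-portal.example.org"},
    "sha256": {"0123456789abcdef" * 4},                      # synthetic hash
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed syslog-style lines: ssh, proxy, endpoint agent and sudo.
LOG_LINES = [
    "Jun 12 08:00:01 web01 sshd[4021]: Accepted publickey for admin.jdoe from 10.20.30.40 port 51022",
    "Jun 12 09:14:33 proxy01 squid: 10.20.31.9 TCP_MISS/200 GET http://update-cdn.example.net/stage2.bin",
    "Jun 12 09:15:02 web02 sshd[4102]: Failed password for root from 203.0.113.45 port 40122",
    "Jun 12 09:16:10 fs01 edr: new executable /tmp/svchost sha256=" + "0123456789abcdef" * 4,
    "Jun 12 10:02:45 web01 sudo: admin.jdoe : TTY=pts/0 ; COMMAND=/bin/systemctl restart httpd",
]

def scan_logs(lines, indicators=INDICATORS):
    """Return (line_number, indicator_type, value) for every indicator hit.
    Domains and hashes are compared case-insensitively; IPs exactly."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in indicators["ipv4"]:
                hits.append((n, "ipv4", ip))
        for dom in DOMAIN_RE.findall(line):
            if dom.lower() in indicators["domain"]:
                hits.append((n, "domain", dom.lower()))
        for h in SHA256_RE.findall(line):
            if h.lower() in indicators["sha256"]:
                hits.append((n, "sha256", h.lower()))
    return hits

# Constructed privileged-session records: (user, login, logout, source).
# "remote" marks a session that arrived over VPN or other remote access.
SESSIONS = [
    ("admin.jdoe", "2015-06-12T08:00", "2015-06-12T08:40", "console"),
    ("admin.ksmith", "2015-06-12T09:00", "2015-06-12T14:30", "console"),
    ("admin.rlee", "2015-06-12T22:15", "2015-06-12T22:50", "remote"),
]

def review_privileged_sessions(sessions, max_minutes=120, remote_allowed=False):
    """Flag privileged sessions that exceed the duration limit, and remote
    privileged sessions when policy forbids privileged work over remote access.
    The 120-minute default is a hypothetical policy value."""
    findings = []
    for user, start, end, source in sessions:
        minutes = (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60
        if minutes > max_minutes:
            findings.append((user, "duration", int(minutes)))
        if source == "remote" and not remote_allowed:
            findings.append((user, "remote_privileged", source))
    return findings

if __name__ == "__main__":
    for hit in scan_logs(LOG_LINES):
        print("indicator hit:", hit)
    for finding in review_privileged_sessions(SESSIONS):
        print("privileged-user finding:", finding)
```

Against the constructed input, the scan reports the proxy request to the listed domain, the failed root login from the listed address and the executable with the listed hash, while the benign ssh and sudo lines produce nothing. The session review flags the five-and-a-half-hour console session and the remote privileged login; the sprint guidance says each such hit should go to DHS immediately, which is the step this check feeds rather than performs.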
As for the faster implementation of HSPD-12 cards to log onto agency networks, OMB says the goal is to make it harder for bad actors to access federal networks or data.
A former government official, who requested anonymity, said HSPD-12 continues to be an administration priority, but the administration had to keep the option of using two-factor authentication broad enough to incorporate all agency needs.
The official said one of the most important initiatives is the “fix” of privileged users. OMB is expected to enlist the National Institute of Standards and Technology for help and possible guidance because “agencies are saying they are having trouble with that aspect, which, by the way, was the point — to reduce that access overall.”
The official also said the fact that agencies still have not fixed the data-at-rest encryption challenge is a shame because it’s something that should have been done years ago.
Alma Cole, vice president of cybersecurity for Robbins-Gioia and former head of the DHS security operations center, said the new emphasis on multi-factor authentication, especially for privileged users, should have been the focus for the government all along, instead of the use of smart identity cards for every employee.
“The fact that breaches like this continue to happen despite progress made with continuous monitoring is troubling,” Cole said. “While timely patching is a critical part of any security program, I believe that more focus should be placed on detection and response capabilities. We must plan for the eventual reality that determined attackers will find a way past our first lines of defense. The impact of the event will then be determined by how quickly we discover intrusion and how effective we can be in shutting it down.”
Scott is requiring agencies to report back to OMB and DHS about their progress on all four of these efforts within 30 days.
The data shows the departments of Agriculture, Veterans Affairs, State, Labor, Housing and Urban Development, Justice, Interior, Transportation and Energy as well as the Small Business Administration, the Nuclear Regulatory Commission, and the National Science Foundation have a long way to go to meet OMB’s requirements.
“At the end of the review, the Federal CIO will create and operationalize a set of action plans and strategies to further address critical cybersecurity priorities and recommend a Federal Civilian Cybersecurity Strategy,” OMB’s fact sheet stated.
OMB says the strategy will focus on eight key principles:
Protecting data: Better protect data at rest and in transit.
Improving situational awareness: Improve indication and warning.
Increasing cybersecurity proficiency: Ensure a robust capacity to recruit and retain cybersecurity personnel.
Increasing awareness: Improve overall risk awareness by all users.
Standardizing and automating processes: Decrease time needed to manage configurations and patch vulnerabilities.
Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation, and lateral movement. Quickly identify and resolve events and incidents.
Strengthening systems lifecycle security: Increase inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner.
Reducing attack surfaces: Decrease the complexity and amount of things defenders need to protect.
“We need to ensure that the majority of effort is not spent on only identification and protection controls, but also goes to developing meaningful security-operations functions capable of finding previously unknown intrusion activity,” Cole said. “Cyber intelligence is a critical part of any security program; however, depending on intelligence indicators alone will likely delay your response, versus having an in-house capability to identify and respond to anomalous behavior.”
Over the years, OMB has tried to address many of these principles.
OMB created the Trusted Internet Connections Initiative in 2007 to reduce the number of Internet access points agencies oversaw.
In December 2000 and again in 2006 and 2007, OMB told agencies to protect their data by using encryption technologies and other approaches.