Three hearings. Nearly seven hours of testimony. Enough frustration to fill the Potomac River.
That was Katherine Archuleta’s week. The director of the Office of Personnel Management had a bullseye on her back as House and Senate lawmakers pressed her time and again for answers about the massive data breach impacting anywhere from 4 million to who knows how many current and retired federal employees, congressional members and staff, contractors and average citizens.
While details about the breach dribbled out at each consecutive hearing, many left the hearings unsatisfied and unhappy with OPM’s communications about what happened and when.
Here are my four takeaways from the seven hours of testimony across three hearings that I covered last week:
All are good ideas. But the first three also are things the Office of Management and Budget has been calling for over the last decade or longer.
There are policies about using two-factor authentication and data encryption dating back to 2006. FISMA, which became law in 2003, requires agencies to have a comprehensive inventory of systems and databases.
But the fiscal 2014 FISMA report to Congress shows OPM is not alone in its shortcomings.
OMB says 72 percent of all agencies require two-factor authentication to log on to the network and 77 percent mandate the use of smart identity cards for remote access to the network.
But 14 agencies reported that less than 10 percent of all employees use two-factor authentication for remote access, including the 10 departments, such as State, Education and NASA, that do not use this technology at all.
OPM is clearly to blame for its cyber shortcomings that led to the massive data breach, but the lack of enforcement by OMB of its own policies also should be in this discussion. The administration shoulders some of the responsibility for the troubling state of cybersecurity in government.
Before Tony Scott, the federal CIO was not outwardly engaged in cyber. The White House’s Cybersecurity Coordinator started off focused on internal dot-gov issues, but over the last few years shifted to work with industry and critical infrastructure. This left DHS to do the heavy lifting but with little enforcement authority. And we know giving someone the responsibility, but not the authority to enforce the rules, never works in any organization.
It’s good to see OMB jumping back into the cyber ring. The question is just how aggressively will the E-Gov cyber unit come out swinging?
Here’s what he told Congress:
“Consider protecting a government facility against a physical threat. Adequate security is not only a fence, a camera or building locks, but a combination of these measures that in aggregate make it difficult for an adversary to gain physical access. Cybersecurity also requires this defense in-depth, these multiple layers of security. No one measure is sufficient,” he said. “Our first line of defense against cyber threats is the EINSTEIN system, which protects agencies at its perimeter. Returning to the analogy of the physical government facility, EINSTEIN 1 is similar to a camera at the road onto a facility that records all traffic and identifies anomalies in the number of cars entering and leaving. EINSTEIN 2 adds the ability to detect suspicious calls based upon a watch list. EINSTEIN 2 doesn’t stop the cars, but does set off the alarms. The latest phase of the program, which is known as EINSTEIN 3A, is akin to a guard post at the highway that leads to multiple government facilities. It uses classified government information to look at the cars and compares them to the watch list, and then it actively blocks prohibited cars from entering the facility.”
Ozment’s simple approach to detailing EINSTEIN is exactly what members of Congress need to understand the complexities of the program.
Other executives should follow the “King of Analogies’” lead and simplify how they talk to lawmakers.
This article is part of Federal News Radio’s weekly Inside the Reporter’s Notebook feature.