The Office of Management and Budget is directing federal agencies and the General Services Administration to come up with a single mechanism to rapidly hire outside expertise the next time a civilian agency’s systems are breached in a cyber attack, reasoning that time will be of the essence and that virtually no agency will have the resources needed to mount an adequate response with in-house staff.
Within the next two months, GSA will need to submit a general plan for the contracting equivalent of a 911 service that would let agencies rapidly plug any freshly-exploited security holes in the event of another cyber breach like the one disclosed by the Office of Personnel Management earlier this year. The actual contract vehicles must be in place and available for any agency’s use, on a reimbursable basis, by the end of next April.
“What we do not want to do is stand up just another paper tiger where you have to run through a bunch of bureaucratic mechanisms to access the assistance when you need it,” Trevor Rudolph, the chief of OMB’s new cyber and national security unit, told a recent cybersecurity conference organized by Federal Times. “The idea here is that the agency has access to the help beforehand, so that when there’s a problem we have help from industry very, very quickly.”
The rough outlines of the new rapid contracting capability for cyber were delineated in the cybersecurity strategy and implementation plan (CSIP) the White House released a month ago, and it’s a signal of OMB’s current thinking about cybersecurity: The government’s security apparatus has spent a lot of attention and money on trying to prevent breaches, but comparatively little on figuring out what to do after they’ve happened.
And so, in the same document, OMB promised that the 2016 version of its annual guidance to agencies on implementation of the Federal Information Security Management Act will instruct each of them that they need to designate, ahead of time, a single security operations center to manage all of their organizations’ responses in the event of a cyber incident and ensure cyber responders from the Department of Homeland Security have access to their networks so that DHS can rapidly deploy its own experts to a problem site. And within the next several months, OMB said it will draw up new guidance ensuring that those pre-designated security operations centers are all following consistent rules and operational procedures across the federal government.
Rudolph said an improved governmentwide cybersecurity posture also depends on being able to recover from an incident once the first responders have put out the immediate fires resulting from an intrusion.
Together with response, recovery is one of five elements of the National Institute of Standards and Technology’s cybersecurity framework, and from OMB’s perspective, it’s the one federal agencies are least equipped to handle.
“Just by natural evolution, we’re at the point where we’re good at protecting and detecting threats in some cases, but we still are not good at the recovery piece of the framework,” he said. “One of the things we’re going to be working on with the National Institute of Standards and Technology is developing guidance to agencies on how to recover from an incident. How do you actually reconstitute an individual system or business process or mission investment after it’s been taken down due to a cyber incident? Those are the things we need to get better at, and these are the things we’re going to dedicate resources to fixing.”
By next June, NIST will draw up governmentwide guidance on how to recover from a data breach or major malware attack. OMB said it will also update a 2007 memo that serves as federal agencies’ current guidance on how to deal with a breach of personally identifiable information (PII).
The CSIP also directs OPM to look into the possibility of making lifetime identity protection services a standard benefit provided to all federal employees, as opposed to the three years of protection being offered to workers who were identified as victims of this year’s OPM breach.
But Rudolph said the directions to improve post-incident recovery actions, most of which were born out of the government’s recent cyber sprint, are only a start and are likely to keep changing as OMB and agencies continue to refine what it actually means to “recover” from a major breach.
“Does recovery mean that you’re just reconstituting a system that was damaged by hackers? Does it mean that you’re notifying your victims in a certain number of days? It could be a lot of different things, and we need to flesh that out,” he said. “Unfortunately, I think we’re going to be doing a lot more recovery, and practice makes perfect.”
OMB is also paying attention to how private contractors respond in the aftermath of a breach of one of their systems that hold government data. The office is reviewing public comments on a new set of draft guidelines for how agencies should build cybersecurity protections into their contracts in preparation for the release of a final version.
One aspect seeks to encourage contractors to notify their government customers about a data breach right away by requiring that agencies create a single point of contact, define what a “breach” means under the terms of each contract, and predefine penalties for vendors who don’t live up to the breach notification language in their specific agreements.
“The reason for that guidance is that in the aftermath of several contractor breaches last year, it turned out that the rules of the game were very, very unclear,” Rudolph said. “If you’re a vendor with government data and you’ve been breached, who do you call? What’s the government’s responsibility to inspect your systems prior to that breach? [OMB Circular] A-130 goes into it a little bit, FISMA goes into it a little bit, but we heard from agencies as well as contractors that they wanted more prescriptive guidance on what to do both before and after a breach.”
Rudolph said OMB has finished reviewing public comments on the initial proposed guidance. It’s now within the interagency review process, and a final version will be published, he said, “as soon as possible.”