It was the year more than 21 million of us found out our personal data, including Social Security numbers, and health and financial records were stolen in a massive breach targeting background investigation data managed by the Office of Personnel Management.
In the wake of the breach, the Obama administration’s top IT policy official, Federal Chief Information Officer Tony Scott, initiated a rigorous, 30-day exercise aimed at raising the cybersecurity bar across government.
During that period, federal agencies addressed longstanding security gaps, including patching critical software vulnerabilities, reviewing and limiting the number of privileged users with access to their authorized systems, and dramatically speeding adoption of Personal Identity Verification (PIV) cards to verify the identity of all users on their networks. While these are basic steps, they’re critical steps that weren’t being implemented governmentwide, Scott explained during a FedScoop IT conference last November.
“One of the people I worked with a while ago said to me, ‘Everything’s already been said, just not by everybody,’ and I think that’s generally true,” he said. “But I also know that most things have already been learned, just not by everybody. And part of our journey on cybersecurity is to take the learnings that we get every day and share them broadly with the community of folks that we work with and that we partner with.”
These sentiments are driving many of the government’s top cybersecurity initiatives in 2016, several of which are listed below:
1. Improve federal response to major cyber incidents. For the first time, agencies are operating under new guidelines that better define what qualifies as a “major incident.” Those guidelines were included in fiscal 2016 Federal Information Security Modernization Act (FISMA) and Privacy Management reporting guidance published last October. To determine if a major incident has occurred, agencies should consider if the incident involves information that is classified, Controlled Unclassified Information (CUI) proprietary; has a high or medium functional impact to the mission of the agency; and involves the exfiltration, modification, deletion or unauthorized access or lack of availability to information or systems. Check out the full list of considerations on page 7 of this document.
2. Adopt the Cybersecurity Strategy Implementation Plan (CSIP). The Federal CIO released the plan last year in the wake of the 30-day cybersecurity exercise I mentioned earlier. The plan outlines a series of actions and deadlines for improving federal cybersecurity through better acquisition, recruitment of cyber talent, timely detection of cyber incidents and rapid response to those incidents. According to the plan, the Office of Management and Budget has until the end of January 2016 to release a plan for implementing new cybersecurity shared services that augment existing agency services. Those services will include identity, authentication, and authorization services; mobile security services; and encryption services. View all the CSIP deadlines here.
3. Recruit cyber talent. There are an estimated 10,000 openings in the federal government for cyber professionals “that we would love to fill, but there’s just not the talent available,” according to Scott. “We have a number of proposals working their way through now, whether it’s grants or specific training, and a number of other things that would guarantee a more steady supply, including partnering with the private sector.” The CSIP directed OPM and OMB by December 2015 to clarify legal guidelines and help agencies better understand the special hiring authorities they can use to bring cyber professionals on board faster.
4. Implement new cybersecurity legislation. Tucked away in the massive appropriations bill that funds the government through September was S. 754, the Cybersecurity Information Sharing Act (CISA) of 2015. The law calls for the development of new procedures for agencies to share and receive cybersecurity threat information with the private sector. Specifically, the Department of Homeland Security will be the point agency for receiving threat indicators and defensive measures shared by the private sector and ensuring that appropriate federal entities receive shared indicators in an automated, real-time manner.
5. Including security measures in contract clauses. The administration is scheduled to release guidance in the first quarter of this fiscal year that provides clarity for including security requirements in federal acquisitions. The guidance is based on public feedback and input from experts in security, privacy and federal acquisition. Here’s a little background information on the work that’s underway.
6. Simplify cybersecurity reporting. Starting in fiscal 2016, agencies should have began reporting the majority of their cybersecurity performance information through CyberScope. Agencies use the online platform to report their progress in meeting federal information security requirements. The increased move to CyberScope is expected to reduce reporting burdens and consolidate cyber-related information collections.
For additional resources to help you understand the federal cybersecurity landscape, check out our new GovLoop infographic Cyber Land: The Path to Security.
Photo Credit: www.af.mil