2015 was a tumultuous year for federal cybersecurity. After notorious federal data breaches such as the attack on the Office of Personnel Management, Federal Chief Information Officer Tony Scott launched a 30-Day Cybersecurity Sprint for federal agencies to address their cyber vulnerabilities and update security policies. The result is the Cybersecurity Strategy and Implementation Plan (CSIP), a document that aims to identify critical security gaps and provide specific recommendations for addressing them.
Agencies can use CSIP as strategic guidance in developing their own cybersecurity plans, as explained in Thursday’s GovLoop webinar. The speakers were Dr. Diana Burley, Executive Director and Chair of the Institute for Information Infrastructure Protection and Professor at George Washington University, and Niko Agnos, Territory Account Manager for Brocade Federal Government Software.
CSIP’s five high-level objectives include identification and protection; detection and response; recovery; recruitment and retention; and acquisition and deployment. Dr. Burley carefully broke down these high-level objectives into smaller pieces that agencies can use as concrete guides for how they should construct their cybersecurity strategies.
For identification and protection, Dr. Burley recommended identifying the value and risk associated with information as well as the information technology assets that are used with the information. She added that understanding who should have access to what and conducting constant security scans is essential to effective protection.
In terms of detection and response, she cited existing detection programs such as Continuous Data Monitoring and the Department of Homeland Security’s EINSTEIN. Detection is also closely tied to information sharing; agencies need to share information so everyone can better detect and respond to cyber incidents.
As Dr. Burley emphasized several times in her presentation, one of the key steps in recovery from cyber incidents is the ability to quickly apply the lessons learned and adapt your security policies. CSIP requires the National Institute of Standards and Technology to provide a recovery framework for agencies while still allowing for flexibility for individual agency missions.
Being flexible requires a flexible workforce that is capable of dealing with new and complex issues on a regular basis. For that to happen, she noted that agencies must be able to hire and retain the most highly qualified cyber experts. That includes being able to speed up the hiring process through programs such as special hiring authorities.
Acquisition and deployment, she said, is about being able to procure the best technology in order to detect and respond to cybersecurity issues in the most effective way possible. CSIP established a cross-agency working group to provide guidance for agencies in the hopes that sharing these best practices will help agencies procure technology in the most efficient way.
Agnos approached cybersecurity implementation from a different perspective: what does an effective security system look like? For Agnos, controlling access is essential to protecting a system. Federal agencies currently use a public key infrastructure (PKI) to control access to secure information, and while the system has its strengths, breaches still occur. Outsider and insider threats can steal credentials or fabricate digital keys to wrongfully gain access to secure data.
As a solution, he proposed a layered approach to security. Agencies would still use PKI, but users would also have to go through another security check. If either authentication fails, the user cannot gain access to the information. Through a traffic manager that takes in requests, processes them, and provides access, agencies can also finely control the level of access users have. In addition to this traffic manager, the approach uses a firewall that works on the level of business logic, protecting the code that determines how data can be created, displayed, stored or changed.
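The layered check described above, sketched as an added example (it is not code from the webinar, Brocade or CSIP). It assumes the certificate arrives as already-parsed fields with its signature chain validated upstream, and that the second check is an HMAC challenge-response; all names, keys and serials are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed sample data: every name, key and serial below is hypothetical.
TRUSTED_ISSUER = "Example Agency CA"
REVOKED_SERIALS = {"0A17"}
SECOND_FACTOR_KEYS = {"alice": b"constructed-demo-key-alice",
                      "bob": b"constructed-demo-key-bob"}
# Level of access per (user, resource); anything not listed is denied.
POLICY = {("alice", "personnel-records"): {"display"},
          ("bob", "personnel-records"): {"display", "create", "change"}}

def pki_check(cert, now):
    """Layer 1: issuer, revocation status and validity window of the credential."""
    serial = cert.get("serial")
    return (cert.get("issuer") == TRUSTED_ISSUER
            and bool(serial) and serial not in REVOKED_SERIALS
            and cert.get("not_before", now + 1) <= now <= cert.get("not_after", now - 1))

def second_check(user, challenge, response):
    """Layer 2: HMAC-SHA256 response to a server challenge, compared in constant time."""
    key = SECOND_FACTOR_KEYS.get(user)
    if key is None or not isinstance(challenge, bytes) or not isinstance(response, bytes):
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def decide(request, now=None):
    """Return (allowed, reason). The reason is for the audit log, not for the client."""
    now = time.time() if now is None else now
    cert = request.get("cert", {})
    user = cert.get("subject", "")
    # Evaluate both layers every time so the log shows which one failed.
    checks = {"pki": pki_check(cert, now),
              "second_factor": second_check(user, request.get("challenge"),
                                            request.get("response"))}
    failed = [name for name, ok in checks.items() if not ok]
    if failed:  # either check failing is enough to deny
        return False, "authentication failed: " + ",".join(failed)
    # Both layers passed: now limit what this user may do to this resource.
    allowed_ops = POLICY.get((user, request.get("resource")), set())
    if request.get("operation") not in allowed_ops:
        return False, "operation not permitted"
    return True, "ok"
```

A stolen or fabricated credential that passes the first layer is still denied without the second, and a fully authenticated user is still limited to the operations listed for that resource.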
CSIP’s development has shaped how agencies approach their own security strategies and implementations, and this training highlighted how agencies can use the document to build their own strategies as well as how implementing an actual system based on identification and protection can provide a greater level of security. For more information on CSIP’s objectives and how a layered approach to security works, check out the on-demand webinar now.