Tuesday 16 June 2015

Ramping Up Agency Security, Yet Again

Federal CIO Tony Scott’s 30-day Cybersecurity Sprint

A new Obama administration cybersecurity initiative isn’t placing new burdens on federal agencies; it’s aimed at getting them to comply with recommended safeguards they’ve failed to implement.

Federal CIO Tony Scott is heading up the initiative, unveiled late last week, to require agencies to patch critical vulnerabilities without delay; tighten policies for access to systems and applications, especially for privileged users who are granted extra levels of control; and accelerate use of multi-factor authentication.

The initiative also would require federal agencies to immediately inform the Department of Homeland Security of malicious activities in their IT systems.

Doubling Down

Karen Evans, who held Scott’s job in the George W. Bush White House, says government initiatives to get agencies to comply with cybersecurity processes aren’t new, but the clock is ticking for the Obama administration to improve security during its remaining months in office.

“This is doubling down,” Evans says. “It’s the last 18 months of the [Obama] administration, and look at everything that has happened. You have [Scott] who is an operational CIO. He’s looking at it and saying, ‘You should have these things done.’”

Evans’ predecessor, Mark Forman, says the outcome of the initiative could give agencies fodder in making the argument for more money for critical cybersecurity projects. “We’re almost three-quarters of the way through the fiscal year, so resources are fairly far along in being consumed,” Forman says. “But now with having this memo and having all this guidance, the CIOs and the information security officers can go to the budget process and show that this is a priority. It’s the unwritten purpose of this memo, if you know what I mean.”

Those CIOs and CISOs need help because getting agencies to implement cybersecurity safeguards hasn’t been easy for government IT security practitioners. “This is hard; it’s not trivial to do this,” says former DHS Deputy Undersecretary for Cybersecurity Mark Weatherford, a principal at the security consultancy The Chertoff Group. “And, it’s going to take a lot of work. But as long as people can build a remediation plan, and stick to that, and be measured against that, that’s best effort, and you can’t fault people for best effort. But it’s really going to require somebody to hold them accountable and make sure they are doing that.”

And who should that person be? Weatherford answers: “Tony Scott. He’s the one who put the memo out. He’s the one who’s leading this effort.”

Initiative Preceded IRS, OPM Hacks

The Obama administration has issued over the years a number of programs and directives to improve federal government cybersecurity. Work on this initiative began before the Internal Revenue Service and Office of Personnel Management were victimized by major breaches in the past month. Scott telegraphed his intentions to pursue such an initiative at his first appearance before Congress in April (see New Federal CIO Withholds InfoSec Judgement). “There is no agency, even the ones that we looked at so far, who we believe is doing a really good job, who would say, ‘We’re done’ or ‘we’ve done enough and, you know, it’s the end of job,’” Scott told the House Oversight and Government Reform Committee. “Everyone believes there’s more that we can and should do.”

Still, the administration is using those breaches to get buy-in to its initiative. “Recent events underscore the need to accelerate the administration’s cyber strategy and confront aggressive, persistent malicious actors that continue to target our nation’s cyber infrastructure,” a White House statement says.

The White House created a “cybersecurity sprint team,” led by Scott, to conduct a 30-day review of the federal government’s cybersecurity policies, procedures and practices. Team members include cybersecurity experts from OMB, where Scott is based, the National Security Council, the Defense Department and DHS. Once the review is completed, according to the White House, Scott will create and implement a set of action plans and strategies to further address critical cybersecurity priorities and recommend a federal civilian cybersecurity strategy.

Self Reflection

One goal of the initiative is to compel agencies to identify their respective cybersecurity shortfalls and to get them to develop plans to fix them.

Key principles of the strategy the White House expects to come out of the review are:

View the original content and more from this author here: http://ift.tt/1SiZ2ZZ
from cyber security caucus http://ift.tt/1JVttCB