The U.S. government was shaken last year when the Office of Personnel Management disclosed that employment records affecting 21.5 million people had been breached. The Obama administration acted quickly and initiated several comprehensive actions designed to shore up federal data protection — including an immediate 30-day cybersecurity sprint.
A parallel initiative that the American Council for Technology and the Industry Advisory Council, or ACT-IAC, launched in July revealed that federal agencies still have a long way to go to strengthen cybersecurity performance.
“Despite decades of law and policy that require government to improve its security and privacy, many federal agencies still struggle to effectively defend themselves against a torrent of cybersecurity vulnerabilities and threats,” according to an ACT-IAC report released last month.
ACT-IAC is a forum for private sector and government cooperation on information technology issues.
“Until actions are taken that effectively counter these kinds of threats systematically across the government, agencies risk losing public confidence and trust in online activity that are key to delivering citizen and business services more efficiently through the use of technology,” ACT-IAC said.
Five Elements for Better Security
ACT-IAC undertook its initiative not as an exercise critical of the government but as a project designed to provide recommendations to assist federal agencies in improving security. The cooperative effort included contributions from the private sector, academia and government. The organization functioned as a facilitator in developing recommendations.
The report incorporates “ideas or suggestions from a wide variety of sources, and as such it does not constitute recommendations or endorsement of those ideas by ACT-IAC,” Michael Howell, senior director, Institute for Innovation and Special Projects at ACT-IAC, told the E-Commerce Times.
The initiative generated 127 recommendations for strengthening federal cyber protections.
In the process of gathering suggestions, a panel ACT-IAC assembled turned up five major factors at work in the federal cyber environment:
- Not rocket science: While improved technology is crucial, much of what is required for boosting protection is already known but hasn’t been fully or properly implemented government-wide.
- Talk to each other: Cybersecurity experts and federal agency business executives need to improve communications “more directly and diligently” about the connection between cybersecurity and agency missions.
- Risk and IT connections: It sounds obvious, but ACT-IAC found that the emerging cadre of executive-level risk managers, such as chief risk officers and chief data officers, needs to work more closely with their traditional counterparts in IT, such as agency CIOs.
- Boosting cyber IQ: Cybersecurity-related training in government is largely deficient. Greater emphasis is needed on competencies, practice sessions and drills, and shared cyber knowledge management.
- See something, say something: “Enhanced and timely operational information sharing (threats, incidents, solutions and responses) between industry and government” is critical to improving cyber safeguards, ACT-IAC found.
Vendor Issues Addressed
One section of the report deals with cybersecurity issues associated with IT vendors that compete for business in the federal market.
“The success of cybersecurity across the federal government depends on an acquisition process that is agile, dynamic, and responsive to procure goods, services, and capabilities consistent with the 21st century imperative to operate at the speed of the web,” the report noted.
One suggestion is to utilize a cyber-protection standard across all federal contracts, modeled on the Federal Risk and Authorization Management Program, or FedRAMP, which is used to ensure security in the acquisition of cloud technologies. A CyberRAMP process would involve third-party certification administered on an acquisition-by-acquisition basis, or generally for all acquisitions where IT is involved. The General Services Administration could host the program.
Recently, however, the FedRAMP process has led to excessive delays in the cloud acquisition process.
“Ensuring that adequate cybersecurity is built into information technology acquisitions, while simultaneously accelerating the acquisition process to deliver the best solutions available to meet mission requirements, is a big challenge,” said David McClure, chief strategist of Veris Group and a co-chair of the ACT-IAC initiative.
“Programs like FedRAMP have the potential to provide important, reliable assurance of cybersecurity in IT products in timely and cost-efficient ways. The federal government and industry have identified the need to accelerate the processing of FedRAMP certifications and are working on ways to do that,” he told the E-Commerce Times.
“Based on the ideas contained in the report, we believe it is important and possible to accelerate IT acquisitions without sacrificing cybersecurity in the process,” McClure said.
Another acquisition-related suggestion involves the creation of a federal cybersecurity acquisition portal, which would be open to government and industry to help accelerate sharing, adoption, and implementation of best practices and tools.
“This portal could help address inconsistencies in how acquisition policies, rules, and regulation are implemented in the federal government,” the report noted.
Information available through the portal should include all current and proposed federal government contract requirements, as a minimum, as well as sample acquisition evaluation criteria and evaluation methodologies.
A Role for the NIST Framework
More generally, contributors to the report noted the potential value to government agencies of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity. Issued in 2014, the NIST framework has gained traction in the private sector as a sound baseline reference for dealing with cyberthreats — and it has relevance to government agencies as well.
“The NIST framework, along with other NIST publications and standards, was identified by multiple contributors to the ACT-IAC report as useful tools that could help strengthen federal agency cybersecurity programs. For example, it was suggested that metrics based on the NIST framework could help strengthen proactive defenses,” noted ACT-IAC’s Howell.
An underlying theme of the ACT-IAC report is that a more proactive approach to cybersecurity is in order, rather than a reactive, post-incident approach.
However, prevention of cyberincidents should be just one element of a comprehensive strategy, according to Howell.
“The report recognizes that cybersecurity threats are rapidly evolving, and incidents with significant impacts are increasing,” he said, noting that old, well-known methods of cyberattacks are still successful, while newer more sophisticated methods are increasing.
“Coping with these challenges requires a comprehensive understanding of vulnerabilities, threats and exploits that can come from both outside and inside the agencies,” Howell added. A balanced set of capabilities spanning prevention, detection, response and recovery is required.
Questions designed to spur ideas for improvement were drafted after consultation with senior government officials as to the types of recommendations that would be most useful. In August and September, ACT-IAC ran an open public platform through which people could submit their ideas and vote on ideas submitted by others.
Kenneth Allen, executive director of ACT-IAC, sent the results of the project to federal CIO Tony Scott in late December.