OMB readies next phase of cyber sprint plan

The federal government is putting the finishing touches on its follow-on policy to the “cyber sprint” that came after the massive hack of the Office of Personnel Management, federal CIO Tony Scott told FCW Sept. 11. Agency lawyers are now reviewing the plan, which could feature the furtherance of key cyber programs like Einstein 3A and continuous diagnostics and mitigation.

Scott said he was hoping to have the Cybersecurity Sprint Strategy and Implementation Plan (CSSIP) announced by the end of the month, but it is looking more likely to come shortly thereafter. The deliberation is to ensure that “anything we announce that we’re going to do, that we have the capability and resources in place to go do,” Scott told FCW after his appearance at a cybersecurity conference in Washington, D.C.

The 30-day “cyber sprint” coordinated by Scott’s office at the Office of Management and Budget assessed the security of federal civilian and military IT networks after the OPM breach, which exposed data on 22 million current and former federal employees, contractors and others. The results of the sprint showed that 14 major civilian agencies surpassed Scott’s goal of 75 percent strong authentication, while several agencies hit 100 percent for privileged users alone.

The question then became how to turn any momentum from the sprint into longer-term success. One hundred experts from across the government and industry came together to examine “some of the hard problems” vis-à-vis federal cybersecurity, whether in “policy or process or org structure or resources,” Scott said. The fruits of their labor will be the CSSIP.

The greater use of Einstein 3A, the latest iteration of a $3 billion intrusion-detection program run by the Department of Homeland Security, was one technology solution mulled by the working group, Scott said.

A source close to the new plan told FCW that the plan could mandate that, by September 2016, all agencies use Internet service providers signed onto Einstein 3A, though DHS and OMB spokesmen S.Y. Lee and Jamal Brown declined to comment on that possibility. Implementation of the Einstein program with ISPs has not been all smooth sailing. Negotiations between DHS and AT&T over the program stalled over liability concerns, according to a Politico report.

Lee’s only answer to questions about the potentially enhanced role of Einstein 3A in federal cybersecurity policy was to point to a recent speech from DHS Secretary Jeh Johnson. The secretary said he has “challenged [his federal colleagues] to make aspects of E3A available to all federal civilian departments and agencies by the end of 2015,” according to his prepared remarks. Lee did not answer a question on just what “aspects” of the program Johnson was referencing.