The last time the federal government updated its IT strategy, the requirements dealt with protecting "dial-in access," bulletin boards, and passwords. That was in 2000.
The plan -- still in effect today and labeled Circular A-130 -- makes no mention of contractor security, encryption, multistep ID authentication, or patching security holes -- protections that could have lessened the blow of data breaches at the federal retirement Thrift Savings Plan, the military's TRICARE health program, Office of Personnel Management and a background check provider.
Now, after a push from Congress, the White House is upgrading its information management principles.
The proposal, posted online Wednesday, also recognizes the existence of "insider threats." These are federal employees and contractors with legal access to U.S. secrets who can compromise as much intelligence, if not more, than outsiders. The 2000 plan was issued almost a decade before former soldier Chelsea Manning transferred military files to the anti-secrets website WikiLeaks.
In 2000, the big focus was on granting everyone access to as little digital information as possible. Then, the Sept. 11, 2001, terrorist attacks demonstrated a need for more information sharing.
Some of the draft minimum requirements in the rewrite are aimed at reducing "the potential for abuse of authorized privileges" and "the risk of malicious activity without collusion." In addition, agencies should "continuously monitor, log and audit" the network activities by "privileged users" with sweeping access "to detect misuse and to help reduce the risk from insider threats."
The rise of a system called the "World Wide Web" partly prompted the last A-130 refresh, according to the document. In addition,1995 amendments to the "Paperwork Reduction Act" required the White House provide agencies guidelines on conducting business electronically.
Fast forward to the age of daily data breaches, Congress last year passed an update to a 2002 federal cybersecurity legislation. The reforms mandated an A-130 rewrite.
Beyond addressing information security threats, the draft policy outlines pointers for managing IT investments and streamlining the process for acquiring new technology. The Obama administration will accept comments on the strategy for the next 30 days. A final plan is expected to be is released in December.
- 2000 - Security incidents, whether caused by viruses, hackers, or software bugs, are becoming more common.
- 2015 - Information is subject to threats that could potentially harm organizational operations, assets, individuals, or the nation. These risks include environmental disruptions, purposeful attacks, structural failures, human errors, among others.
- 2000 - Review the security controls in each system after a major upgrade, but at least every three years.
- 2015 - Review common controls on a time- or event-driven basis.
Agency In Charge of Incident Handling
- 2000 - Commerce Department coordinates agency incident response activities
- 2015 - The Department of Homeland Security now exists and runs a governmentwide information security incident center
- 2000 - Crickets.
- 2015 - Agencies must have procedures for incidents affecting contractor systems, including timelines for breach notification. There must also be agreements for connections between contractor and government-owned systems. Agencies are also told to protect against the insertion of system components that are counterfeit or tainted, throughout a system's lifecycle.
Use of Outdated IT
- 2000 - No guidelines.
- 2015 - Prohibit the use of unsupported software and system components (When vendors are no longer providing critical software patches for system parts, it's easier for adversaries to exploit weaknesses discovered later on.) Implement and maintain current updates and patches for all software and firmware components of information systems
- 2000 - Nothing to stop agencies from saving and transmitting people's Social Security numbers and passwords in plain text, ripe for interception.
- 2015 - Encrypt all stored and in-transit information that would disrupt an agency's mission if breached, to the extent feasible.
- 2000 - A password
- 2015 - Provide employees and contractors with multifactor authentication and encryption features to protect personal information