A new action plan designed to plug long-festering gaps in federal agencies’ information security policies is set to be released any day now.
Federal Chief Information Officer Tony Scott on Tuesday said his office was “days away” from issuing the “Cybersecurity Sprint Implementation Plan,” which is a follow-up to the 30-day “sprint” Scott ordered in the wake of the devastating breach of sensitive Office of Personnel Management files.
Officials say the plan won’t be another piece of policy guidance but will instead lay out specific recommendations agencies will be expected to address in the short term. But specifics are still hard to come by.
"This is really an action plan,” said Chris DeRusha, a senior analyst in OMB's cybersecurity unit. “This is: What can we do right now, either immediately or over the next six to 12 months to really [make] some progress?"
DeRusha, who’s the project leader for the cyber plan, spoke Wednesday at a meeting of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board.
During the 30-day sprint this summer, agencies were directed to scan their networks for indicators of compromise, immediately patch critical vulnerabilities and tighten the policies governing privileged users' network access. The share of federal employees required to present a smart card in addition to a password to log on to agency networks rose from about 42 percent to more than 72 percent during the sprint, according to OMB.
That percentage has continued to climb since the exercise ended and is now nearly 79 percent, DeRusha said.
The new action plan is “focused on closing a lot of the either policy or capability gaps that were identified during the cybersecurity sprint,” DeRusha added.
There are five broad areas to the forthcoming implementation plan:
- Prioritizing the identification and protection of high-value information and assets;
- Quickly detecting and responding to cyberthreats;
- Rapidly recovering from incidents when they occur and accelerating adoption of lessons learned from these events;
- Recruiting and retaining a qualified cyber workforce; and
- Efficiently and effectively acquiring and deploying both existing and emerging technology.
"The latter two are sort of the overarching or fundamental areas that we think really need some attention,” DeRusha said. “They're kind of the bedrock of everything we're doing -- making sure that we have the right people and the right technology.”
Scott, speaking at an event on federal IT acquisition Tuesday, said he had initially hoped to release the plan by the beginning of October, but it’s been hung up a bit by “internal bureaucracy.”
At that event, Scott, responding to a question, said the plan would include efforts to “accelerate” the implementation of the Department of Homeland Security-managed intrusion-detection system known as EINSTEIN.
The plan will also include specific requests to Congress to update legislation, Scott said.
Separately, on Wednesday, the administration released a long-awaited update to OMB Circular A-130, the government-wide policy that governs how agencies acquire, manage and secure their IT systems.