The White House on Friday issued a broad new plan designed to better respond to cybersecurity incidents such as those that exposed secrets on millions of citizens as well as government operations.
The new guidance, which aims to protect the most high-value information assets the federal government holds, is the latest step in the months-long fallout from the devastating hack of sensitive federal employee files from the Office of Personnel Management revealed this summer.
“We must continue to double down on this administration’s broad strategy to enhance federal cybersecurity and fundamentally overhaul information security practices, policies, and governance,” said federal Chief Information Officer Tony Scott in an Office of Management and Budget blog post Friday.
The new plan -- a memorandum to the heads of federal agencies and departments from Scott and OMB Director Shaun Donovan -- builds on a 30-day “cybersecurity sprint” this summer, during which Scott’s office called on agencies to immediately tighten online defenses in the wake of the OPM breach. Agency deputy secretaries will be in charge of implementing the plan, according to the document.
The plan lays out an initial set of deadlines. By the end of the year,
- OMB will issue new “incident response best practices” to agencies;
- The Department of Homeland Security will extend the protections under its intrusion-detection system known as EINSTEIN. A new DHS contract will equip all agencies with updated “EINSTEIN 3A” email and network surveillance technology that also blocks certain malicious activities;
- Agencies will be required to report all cyber positions to OPM and a group of agency CIOs will create a special subcommittee focused on rapid deployment of emerging technology.
During the cyber sprint, agencies were directed to identify and review the security of their high-value assets -- those containing sensitive or critical data that, presumably, would be of high-value to hackers, too.
By Dec. 31, the director of national intelligence will lead a threat assessment of those assets “that are at high-risk of targeting by adversaries,” according to the plan. DHS will lead a separate team -- made up of personnel from the Pentagon, the intelligence community and others -- to “continuously diagnose and mitigate the cybersecurity protections” for the high-value assets.
The DHS team will continue to conduct “proactive assessments on a rolling basis” as officials identify new threats, the plan stated.
Longer-term deadlines include:
- By Jan. 31, OMB will release a plan for implementing new cybersecurity shared services;
- By March 31, OMB will release new guidance on safeguarding personally identifiable information;
- By the end of April, GSA will finalize a contract vehicle for pre-vetted services for incident response services that can quickly be leveraged by agencies in the wake of a breach;
- By June 30, the National Institute of Standards and Technology will issue new guidance to agencies on recovering from cyber events.
DHS is also expected to expand a suite of tools to help agencies continuously monitor and respond to threats on their networks. Full deployment of “Phase 2” capabilities under the Continuous Diagnostics and Mitigation program -- dealing with access control and authentication -- should be completed by the end of fiscal 2016.
In addition, the action plan itself pushes agencies to implement stronger identity management for users seeking wide access to federal networks. The percentage of federal employees required to use a smart card in addition to a password to log on to computer networks increased from about 42 percent to more than 72 percent during the cyber sprint, OMB said at the time. That’s continued to grow and is now about 80 percent, according to Scott.
Thanks to the cyber sprint and other action taken by the administration, the state of federal cybersecurity “is stronger than ever before,” Scott said in the blog post.
But Scott, who has frequently described the federal government’s cybersecurity challenges as more akin to a marathon than a sprint, also hinted at deep challenges that remain.
“Cyberthreats cannot be eliminated entirely, but they can be managed much more effectively,” he said.
Agencies sometimes neglect to patch security holes identified half a decade ago, and struggle to take inventory of information and devices connected to the Internet, according to numerous Government Accountability Office reports.
“Across the federal government, a broad surface area of legacy systems with thousands of different hardware and software configurations contains vulnerabilities and opportunities for exploitation,” Scott said in the blog post.
The new plan, he added, “helps get our current federal house in order, but it does not re-architect the house.”
Scott and OMB Director Shaun Donovan also issued updated guidance under the annual Federal Information Security Management Act.
This year’s guidance, for the first time, defines a “major” cyberincident and mandates agencies report these incidents to Congress within seven days.
The new cyber action plan comes a week after Scott’s office proposed a broad rewrite of the federal government’s strategy for buying, managing and securing agency IT systems, known as Circular A-130.
Over the summer, the administration also issued updated guidance on how contractors should secure government data.