Cybersecurity brings new wrinkle to 'essential' personnel

With a possible government shutdown looming, agencies face a tough decision that was barely an issue in 1995, the last time they had to furlough employees: Which computer security personnel should be required to continue working?

The stalemate between Congress and the White House over funding levels for the rest of the fiscal year could force the government to suspend services and furlough employees who are not "essential," meaning critical to the safety of life and property. The lists of essential security personnel drawn up 15 years ago are irrelevant, computer specialists say. Pinpointing essential information technology personnel today is more important than ever, they note, because many crucial activities have moved online at agencies, notably at the Social Security Administration and Treasury Department.

"In 1995, the government wasn't really doing anything about security, with the exception of three-letter agencies and the military," said Jeffrey Wheatman, a security and privacy analyst with the Gartner research group, referring to such entities as the CIA and the FBI. Agencies immediately should be determining which systems need daily surveillance and strategic defense, as well as evaluating the job descriptions of the people operating those systems, according to former federal executives citing government policy.

"In 1995, we already had that decided," said Hord Tipton, a former Interior Department chief information officer who was Bureau of Land Management assistant director for resource use and protection during the shutdown that lasted from Dec. 16, 1995, to Jan. 6, 1996. "If they haven't done it, there's going to be a mad scramble, and there's going to be a hole in the system."

In the 1990s at Interior, the vital systems included those that monitored volcano and earthquake activity.

"You've got a week to do this," said Tipton, now executive director of the International Information Systems Security Certification Consortium, an association that certifies cybersecurity specialists. "If you haven't, you'd better get cracking. In this day and age, I would be surprised if they haven't."

Under federal rules, departments are supposed to have contingency plans on hand that identify critical systems and the personnel associated with those tools. The last time around, the Office of Management and Budget began issuing guidance on winding down operations the previous August. OMB officials on Monday said they have not released new guidance, but OMB Circular No. A-11, which addresses funding hiatuses, remains in effect. The memo was last updated in July 2010.

"OMB is prepared for any contingency as a matter of course -- and so are all the agencies," Communications Director Kenneth Baer told reporters. "In fact, since 1980, all agencies have had to have a plan in case of a government shutdown, and they routinely update them. All of this is beside the point since, as the congressional leadership has said on a number of occasions and as the president has made clear, no one anticipates or wants a government shutdown."

The answer to who should be deemed essential depends in part on how long the shutdown endures, Wheatman said. A furlough lasting a couple of weeks would require incident-response personnel, network administrators and staff who monitor firewall logs for potential intrusions. But a monthlong shutdown would require more employees to report, he said. New threats could emerge during that time frame, which would demand people with strategy-oriented job functions to devise new lines of defense.

"The staff who develop policy for security are not necessarily essential," said Karen Evans, former White House administrator for e-government and information technology. "However, the ones who do operational activities related to network monitoring activities, in my opinion ... are essential. I don't know that I can name agencies where they are not necessary." Evans currently serves as the national director of U.S. Cyber Challenge, a nonprofit recruitment program for aspiring information security professionals.

Wheatman acknowledged that opinions on who is essential are subjective. "If you went six months without writing a new policy, that's not going to have much effect on your risk posture," he said, "but it's important to communicate that not everybody is going to view these functions the same way."
