Administration officials identify more than 250 requirements it will use to direct Obama's federal cybersecurity agenda, which will include sweeping policies.
Two officials in the Obama administration confirmed on Friday that the White House would oversee the coordination of securing networks governmentwide, identifying more than 250 requirements in an on-going 60-day review of federal cybersecurity initiatives.
The cyber review, now in its 46th day, is being led by Melissa Hathaway, senior director for cyberspace for the National Security and Homeland Security councils. Two officials that asked not to be named or directly quoted confirmed that the White House will not play an operational role in implementing Obama's cybersecurity agenda but will provide guidance to synchronize agencies' missions and responsibilities.
Members of Congress speculated last week, after an earlier Hathaway briefing, that the White House would likely take the lead in cybersecurity efforts.
During the 60-day review, the administration inventoried all policy directives, executive orders, national cyber strategies and studies from advisory boards and private sector groups that related to cybersecurity, an official said. Federal agencies also were asked to review and document how they addressed cybersecurity through internal statutes, governance and programs. The Social Security Administration, the Internal Revenue Service and the Federal Aviation Administration offered input on how to ensure public trust when managing sensitive information.
The purpose of the review is to understand cybersecurity requirements and initiatives taking place throughout government, the officials said, so that the Obama administration can approach cybersecurity with a clean slate to establish sweeping policies. Current programs will be evaluated, and could continue, depending on how they address identified requirements.
By relying on an unprecedented level of input from federal, state and local governments, industry, academia, international partners, and civil liberty and privacy groups, the administration identified more than 250 requirements that a comprehensive cybersecurity program should address. The requirements fall into four areas of interests that officials identified:
-- Governance. How policy coordination and operational activities will be organized across the executive branch.
-- Architecture. How to enable performance, cost and security in cyberspace through standards, research and development, procurement and monitoring of the supply chain.
-- Normative behaviors. How best to introduce laws, regulations and international treaties that encourage a more secure cyberspace.
-- Capacity building. How to bolster resources, activities, research and training to support cybersecurity efforts in the public and private sectors.
The review also considers how cybersecurity can complement or enhance information assurance, military operations and telecommunications to ensure public and private organizations can benefit from cyberspace without risking personal information or national security, the officials said.