Commerce's Cyber Hit List: Third-Party Apps, Phishing


CISO Rod Turk said the department is focused on collaboration between bureaus.

As it implements the Cybersecurity National Action Plan, the Commerce Department is focused on a cooperative approach across its components.

Speaking during a Wednesday webcast event hosted by Government Executive, Chief Information Security Officer Rod Turk said Commerce wants to ensure, "since we do have a very federated nature ... we are working closely in those areas where we can collaborate."

Commerce's components, especially the Census Bureau and the Patent and Trademark Office, house very sensitive information, "so we really want to keep that information from being exfiltrated," he said.

He and many of Commerce's cybersecurity professionals met to discuss the department's cybersecurity goals for 2017. Commerce is currently working with the Homeland Security Department's Continuous Diagnostic and Mitigation program, "so that we have visibility" into both hardware and software assets, Turk explained.

Next year, Commerce plans to "really re-do our compliance" process, Turk said. For instance, he foresees collaborating with other bureaus to do assessments for third-party services, productivity tools and other applications that aren't necessarily Federal Risk and Authorization Management Program compliant or granted an authority to operate.

"We intend to be looking at those kinds of products ... to make sure that they don't present any cybersecurity risk for us," he said.

And though Commerce has been emphasizing anti-phishing strategies, the department is also thinking about automating those strategies to ensure it can "look at those, and make sure they are caught," Turk added.