Part 1 - Security Risk Management
(Regular print indicates ITAPS recommendations that respond directly to the questions posed; italics indicate expanded recommendations added to address questions not directly covered by ITAPS. The author participated in and collaborated with the ITAPS OMB-OPM-NSC Task Force.)
1. Addressing Cyber Fundamentals
How do we move from inconsistent security and privacy control approaches to solid fundamentals that address the most basic risks faced by agencies?
The federal government should accelerate the transformation of its approach to cybersecurity management along four primary cybersecurity management disciplines: Security Risk Management; Governance and Accountability; People and Organizations; and Finance and Procurement:
Security Risk Management:
Determine the criticality of systems and data and prioritize protection accordingly, so that the approach to protecting systems is effective and risk-based. For example, using current NIST directives and controls, immediately conduct an independent operational risk assessment of all U.S. government infrastructure, applications, and data to identify the highest risks across the government; then prioritize and appropriately resource remediation with specific completion dates, and track progress to expedite closure.
Develop and execute strategies to keep systems on the most up-to-date or most secure versions, and mitigate the risk posed by systems that cannot be updated immediately, so that what is deployed is more secure by default. For example, for each system that cannot be updated, agencies should clearly define a risk mitigation plan, a phase-out deadline, and a justification statement for keeping it in service until then.
Modernize security approaches beyond the perimeter-focused “moats and walls” approach, transitioning from a “secure network of systems” to a “network of secured systems” to achieve security in depth and improved resilience. For example, agency security strategies should emphasize detection, identification, protection, response, supply chain transparency, security intelligence, predictive analysis, data encryption, and a “zero trust network” philosophy.
Use industry-accepted approaches, standards, and lexicon to allow for improved, consistent understanding and communication about security, both across the organization and with vendors. For example, adopt and enforce the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST directives across the federal government.