(Paragraphs preceded by [Non-ITAPS] are expanded recommendations that more explicitly address questions not directly addressed by ITAPS; the author participated in and collaborated with the ITAPS OMB-OPM-NSC Task Force.)
How can agencies sharpen their focus on vulnerabilities created by (or exposed by) uninformed business/program users and by the array of technology solutions embedded in service delivery that do not account for cyber?
[Non-ITAPS] Ensure that appropriate, specific security requirements based on NIST and security best practices and guidelines are identified, shared, resourced, and followed by the Government, support contractors, and suppliers (department/agency heads, business executives/system sponsors, IT/security staff, users, support contractors, and HW/SW/network/application suppliers).
Conduct an independent operational risk assessment of the whole U.S. government enterprise, including but not limited to infrastructure, applications, data, file sharing, and related dependencies using current NIST directives and controls to determine criticality, vulnerability, and highest risk across the government; subsequently prioritize and appropriately resource remediation with specific completion dates and track to expedite closure.
Escalate security from merely an IT concern to a business risk concern, providing independence and enabling security decision-making and implementation. For example, make permanent a central Administration role, with appropriate authorities and budgetary controls, to direct and oversee cyber activities across the government, including leadership of a cybersecurity “council” for interagency coordination; separate agency Chief Information Security Officer (CISO) functions from Chief Information Officer (CIO) functions; establish a mechanism to escalate agency CISO security concerns directly to the department or agency head or central cyber function for adjudication as appropriate.
Hold all personnel at all levels accountable for complying with security policies and fulfilling assigned cybersecurity roles and responsibilities; ensure this accountability is written into job descriptions, personnel evaluations, vendor contracts, performance objectives, etc., with appropriate incentives and disincentives.
Increase information security training and awareness at all levels and in all areas in the government (e.g., elected officials, appointed officials, senior executives, IT personnel, users, contractors) and the number of information security professionals.
[Non-ITAPS] Strictly develop and enforce cybersecurity requirements as a mandatory mission and business requirement for all general support systems/infrastructure and applications across the entire systems life cycle, with check gates enforced to ensure compliance and with continuous monitoring to ensure timely risk mitigation.
Require the establishment of an outcome-based Cyber Governance Framework and a federal governance entity* to set direction, make decisions, provide oversight and information sharing, and ensure transparency of management planning and execution of a cohesive, integrated cyber program for the federal government as a whole; use the Framework to guide the development and implementation of frameworks for each department and agency.
* The overall federal governance entity should have very senior representatives and decision-makers with IT, risk, and cyber knowledge from the White House, OMB, DHS, DOD, OPM, IC, NIST, Cyber Command, and the IG community.
[Non-ITAPS] Implement and enforce existing best practices from NIST and the private sector, such as two-factor authentication, least privilege, access management, encryption, security intelligence, vulnerability management, risk management, security as a business requirement, DevOps and security life cycle processes, cyber governance, isolation of sensitive or critical systems, etc.