(Regular print denotes recommendations supported by ITAPS in response to the questions; flagged items are expanded recommendations that more explicitly address questions not directly addressed by ITAPS. The author participated in and collaborated with the ITAPS OMB-OPM-NSC Task Force.)
How should the government expand beyond its emphasis on perimeter defense and even defense-in-depth, and instead put more relative resources toward combining actionable threat intelligence with robust response and resiliency strategies and architectures that account for the adversary’s point of view?
Determine the criticality, sensitivity, and vulnerability of systems and data, and prioritize accordingly to achieve an effective, risk-based approach to protecting systems. For example, using current NIST directives and controls, immediately conduct an independent operational risk assessment of all U.S. government infrastructure, applications, and data to determine the highest risks across the government; subsequently prioritize and appropriately resource remediation with specific completion dates, and track progress to expedite closure.
(non-ITAPS) Ensure existing vulnerabilities and risks are identified and remediated immediately (US-CERT, vendors, SA&A, vulnerability and penetration scans, incidents, and US Gov’t Cyber Board, etc. may be sources) and escalate open residual risks (vulnerabilities, open POAMs, etc.) to the highest levels (Department/Agency head, OMB, Cyber Board, etc.) for prioritization and risk acceptance as appropriate.
(non-ITAPS) Implement and enforce existing best practices from NIST and the private sector, such as two-factor authentication, least privilege, access management, encryption, security intelligence, vulnerability management, risk management, security as a business requirement, DevOps and the security life cycle, cyber governance, isolation of sensitive or critical systems, etc.
Modernize security approaches beyond the perimeter-focused “moats and walls” approach, transitioning from a “secure network of systems” to a “network of secured systems” to achieve security in depth and improved resilience. For example, agency security strategies should emphasize detection, identification, protection, response, supply chain transparency, security intelligence, predictive analysis, data encryption, and a “zero trust network” philosophy.
Escalate security from merely an IT concern to a business risk concern, providing independence and enabling security decision-making and implementation. For example, make permanent a central Administration role, with appropriate authorities and budgetary controls, to direct and oversee cyber activities across the government, including leadership of a cybersecurity “council” for interagency coordination; separate agency Chief Information Security Officer (CISO) functions from Chief Information Officer (CIO) functions; establish a mechanism to escalate agency CISO security concerns directly to the department or agency head or central cyber function for adjudication as appropriate.