8. Building Effective Security into Acquisitions
1. Addressing Cyber Fundamentals
Leadership Accountability
No real accountability exists today for executives in regard to IT Security failures. Accountability should exist in cases where known security issues existed before the breach and executives failed to address them. Risk acceptance should not be used as an excuse for addressable security gaps.
8. Building Effective Security into Acquisitions
Enforce existing requirements
must be upgraded to use PIV credentials, in accordance with NIST guidelines, prior to the agency
using development and technology refresh funds to complete other activities." https://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf. This memo, had...
Cybersecurity Interns
I think the government needs to realize that there are big bucks to be made in the private sector if you are really good at this, and so they can't expect people to stay in Government. The Government should be prepared to depend on private sector contractors, who can do this work well.
However, experience in other...
1. Addressing Cyber Fundamentals
Director
Currently agencies self-assess their cybersecurity posture. OMB should create an assessment standard and have an independent assessment board of government and industry SMEs assess each agency, via a framework such as the one used for FedRAMP.
7. Executive Leadership-led Risk Management
Independent Organizational Assessment
1. Addressing Cyber Fundamentals
Supported ITAPS recommendations
(Regular print are supported ITAPS recommendations in response to questions, italics are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force)
1. Addressing Cyber Fundamentals
How do we move from inconsistent security/privacy protection control approaches to solid fundamentals...
1. Addressing Cyber Fundamentals
Supported ITAPS recommendations, part 2
Establish an outcome-focused Governance Framework that covers all aspects of the enterprise, resulting in effective direction-setting, decision-making, oversight, transparency, and accountability. For example, fully execute and enforce the Federal Information Security Management Act (FISMA) as contemplated in the authorizing legislation and seek legislative reform where necessary.
Escalate...
1. Addressing Cyber Fundamentals
Supported ITAPS recommendations, part 3
Make information security a core part of organizational culture, ensuring greater awareness and better computing practices. For example, information security training should be mandatory for all government employees and contractors and information security performance should be an item in performance reviews.
Optimize enterprise and workforce planning to leverage consolidation in security...
1. Addressing Cyber Fundamentals
Supported ITAPS recommendations, part 4
Organizational procurement programs should have clearly defined and communicated priorities, accompanied by clear direction to procurement agents on the procedures to acquire technology consistent with those priorities, resulting in a consistent, predictable, and agile acquisition approach that will result in more secure technology deployments. For example, the Director of the Office of Management...
2. Business Initiated Vulnerabilities
Supported ITAPS recommendations
How can agencies sharpen focus on vulnerabilities created by (or exposed by) uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber?
[Non-ITAPS]...
3. Breach-to-Response Acceleration
Supported ITAPS recommendations
How can agencies effectively address current time lags with detection of and response to vulnerabilities and threats that will significantly compress breach-to-detection-to-response...
3. Breach-to-Response Acceleration
Supported ITAPS recommendations, part 2
All incidents, exercises, and general activities offer opportunities to learn and improve planning....
4. Adopting a Threat-Aware Proactive Defense
Supported ITAPS recommendations
How should the government expand beyond its emphasis on perimeter defense and even defense-in-depth, and instead put more relative resources toward combining actionable...
5. Sharing of Threat Intelligence
Supported ITAPS recommendations
How can agencies and industry implement and sustain threat data sharing and create a robust, timely and systemic sharing environment (more than just incidents) that can...