Showing 19 ideas for tag "policy"
kudos icon +

8. Building Effective Security into Acquisitions

IT Hardware Country of Origin Limits

With the preponderance of IT devices and chipsets being manufactured in China, there is a distinct possibility that the PLA is hard-coding spyware and back-doors in the hardware built there. Acquisition laws need to specifically require that all components & sub-components used in sensitive IT / data communications systems be built / fabricated and assembled by U.S. companies in the US. Further, safeguards (inspections... more »

Voting

8 votes
Public Input
kudos icon +

8. Building Effective Security into Acquisitions

Enforce existing requirements

In 2011 the White House via OMB issued a Memo M-11-11 that stated "Effective the beginning of FY2012, existing physical and logical access control systems
must be upgraded to use PIV credentials , in accordance with NIST guidelines, prior to the agency
using development and technology refresh funds to complete other activities." https://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf. This memo, had... more »

Voting

5 votes
Public Input
kudos icon +

7. Executive Leadership-led Risk Management

Independent Organizational Assessment

Organizations in government tend to be overly optimistic about their capabilities and performance, reference OPM's epic failure. Cyber security is too important to be left to self-assessments. An organization should be externally assessed and rated by unbiased and competent evaluators. Risk is only one aspect of management performance. Governance, culture and technical competence are but three key facets that determine... more »

Voting

3 votes
Public Input
kudos icon +

4.Adopting a Threat-Aware Proactive Defense

A Proposed Strategy for the Cyber Defense of U.S. Critical Infra

Today, America is in constant contact with the enemy - and the form of conflict has changed. The expansion of the Internet globally is being accompanied by an explosion of cyber threats. Nation-state adversaries, terrorists, and criminals exploit our weakly secured technology. The United States is principally reliant on its technology for a competitive advantage across the globe. Now, thanks to the Internet and cyberspace,... more »

Voting

3 votes
Public Input
kudos icon +

5. Sharing of Threat Intelligence

"Skin in the Game”

A multifaceted approach of building trust, having “skin in the game” (“AntiFragile” - Taleb), incentives and penalties for both industry and government. It has to be made in the best interest of both “parties” to share threat intelligence. This coupled with a multifaceted approach of incentives, disincentives, non attribution, etc. Then you increase the probability that sharing will occur. The incentives for government... more »

Voting

2 votes
Public Input
kudos icon +

2. Business Initiated Vulnerabilities

Supported ITAPS recommendations

(Paragraphs preceded by [Non-ITAPS] are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force)

How can agencies sharpen focus on vulnerabilities created by (or exposed by) uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber?

[Non-ITAPS]... more »

Voting

1 vote
Public Input
kudos icon +

3. Breach-to-Response Acceleration

Supported ITAPS recommendations

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force)

How can agencies effectively address current time lags with detection of and response to vulnerabilities and threats that will significantly compress breach-to-detection-to-response... more »

Voting

1 vote
Public Input
kudos icon +

4.Adopting a Threat-Aware Proactive Defense

Supported ITAPS recommendations

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force)

How should the government expand beyond its emphasis on perimeter defense and even defense-in-depth, and instead put more relative resources toward combining actionable... more »

Voting

2 votes
Public Input
kudos icon +

5. Sharing of Threat Intelligence

Supported ITAPS recommendations

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force)

How can agencies and industry implement and sustain threat data sharing and create a robust, timely and systemic sharing environment (more than just incidents) that can... more »

Voting

1 vote
Public Input
kudos icon +

7. Executive Leadership-led Risk Management

Supported ITAPS recommendations

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force)

How can we sustain executive-level attention to this critical issue, and institutionalize cyber as an on-going component of agency risk management practices, not just... more »

Voting

1 vote
Public Input
kudos icon +

7. Executive Leadership-led Risk Management

Supported ITAPS recommendations, part 2

Provide for the escalation of risk-based decisions through senior leadership if critical security recommendations are rejected by owners of business lines or applications, ensuring critical security decisions are not made in isolation. For example, decisions to keep critical systems available while overriding security recommendations should no longer be routinely deferred exclusively to network, system, or application... more »

Voting

2 votes
Public Input
kudos icon +

8. Building Effective Security into Acquisitions

Supported ITAPS recommendations

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force)

With the continued and growing dependence of the government on commercially provided IT services, what changes are needed to government acquisition policies and practices... more »

Voting

1 vote
Public Input
kudos icon +

1. Addressing Cyber Fundamentals

Fundamentals of Security and Privacy start w/Risk Mitigation

Security/Privacy Protection Controls consistency is critical to mitigating organizational risk. Risk mitigation begins at the highest level of an organization. It is a combination of three key things—governance, accountability, and culture. Implementing an organizational governance process will bring myriad benefits, including lower costs, greater control, and overall increased efficiency and effectiveness. A benchmarked... more »

Voting

3 votes
Public Input
kudos icon +

4.Adopting a Threat-Aware Proactive Defense

Start with the Crown Jewels & Stop Spreading Peanut Butter

Currently, the government is still focused on perimeter defense will only a shallow defense-in-depth strategy. The problem centers on an enterprise architecture that is designed to usually protect the entire network at the same level, thus peanut butter spreading network defense resources. Agencies fail built a network defense strategy that focus on protecting their crown jewels, vulnerability reduction, and adversary... more »

Voting

2 votes
Public Input
kudos icon +

5. Sharing of Threat Intelligence

Silos cripple information sharing--Mandate sharing

Threat data sharing or cybersecurity-related information sharing is essential to the protection of the federal government, other critical infrastructure sectors, and to furthering cybersecurity for the Nation. The government needs to set the global standard on establishing an environment that facilitates threat data information sharing, it still operates in silos. Action must be taken to arm stakeholders with needed information... more »

Voting

1 vote
Public Input