In a similar way to State Governors being able to declare a "State of Emergency" to unlock resources and federal assistance, perhaps Federal CISOs should be able to declare an "InfoSec State of Emergency" to unlock some shared assets and capabilities to make the 30 day Cyber sprint a reality.
Perhaps an alternative is providing prioritization for allocation of existing funds (this mandate is #1, then this exec order, etc.).
With the "public" availability of such a list, audit should become more effective...
Use certifications similar to FedRAMP (standard baseline assessment) for all IT acquisitions, not just for cloud.
Get R&D activities in cyber being done in government and quasi-government labs (DARPA, DHS S&T, NIST, etc.) placed into acquisition availability faster. Issue challenges to the government and commercial labs to address specific cyber capability needs.
Require federal contractors to have cyber insurance or, alternatively, make it a positive evaluation factor in bid assessments.
Engage agency executives to be proactively demanding requirements/expectations/priorities from cyber shops
Use FITARA governance requirements to get cyber risks built into program and budgeting evaluations up front, not afterwards
Cement the relationship between CISOs and RMOS and CDOs; not just an exclusive reporting relationship to CIOs
Create an elite CyberSec Reserve Corps that has passed the necessary screening and can be used by government on challenging security projects. Do the same for college grads; recruit them to be part of this group in return for visibility, rich career-enhancing assignments, and college loan repayment.
Attract high school and college grads with more aggressive recruiting that accepts more than USAJOBS applications; utilize on-line reach-out for potential candidates of interest, and encourage games that attract students.