1. Addressing Cyber Fundamentals

Hold agencies accountable to NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) did a great job describing what is needed to have a good cyber security posture, but it leaves you hanging on how do you do it; what are good practices; how do you measure it? To help assess the operational cyber defense posture of Department of Defense (DoD) systems, Office of Secretary of Defense (OSD), Director Operational Test and Evaluation (DOT&E) developed metrics using the... more »

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

Budget Alignment and Accountability

Adding additional cyber requirements from the OMB / DHS without allocating funds implies that existing funds have to be spread ever thinner , or monies have to be diverted from the Department Agency mission. Perhaps an alternative is providing prioritization for allocation of existing funds (This mandate is #1, then this exec order etc etc). With the "public" availability of such a list, audit should become more effective,... more »

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

Security Self Audit Checklist (SuperSIG)

Create a self-audit checklist that agencies could use on a regular basis to assess themselves on fundamental security capabilities. It would be risk profile based for each agency. Addresses the problem of just having this done by auditors (GAO/IG) or consultants. Keeps attention and resource needed to close weaknesses and vulnerabilities.

Note: FCC is example.

Voting

2 votes
Public Input

5. Sharing of Threat Intelligence

Silos cripple information sharing--Mandate sharing

Threat data sharing or cybersecurity-related information sharing is essential to the protection of the federal government, other critical infrastructure sectors, and to furthering cybersecurity for the Nation. The government needs to set the global standard on establishing an environment that facilitates threat data information sharing, it still operates in silos. Action must be taken to arm stakeholders with needed information... more »

Voting

1 vote
Public Input

4.Adopting a Threat-Aware Proactive Defense

Start with the Crown Jewels & Stop Spreading Peanut Butter

Currently, the government is still focused on perimeter defense will only a shallow defense-in-depth strategy. The problem centers on an enterprise architecture that is designed to usually protect the entire network at the same level, thus peanut butter spreading network defense resources. Agencies fail built a network defense strategy that focus on protecting their crown jewels, vulnerability reduction, and adversary... more »

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

Fundamentals of Security and Privacy start w/Risk Mitigation

Security/Privacy Protection Controls consistency is critical to mitigating organizational risk. Risk mitigation begins at the highest level of an organization. It is a combination of three key things—governance, accountability, and culture. Implementing an organizational governance process will bring myriad benefits, including lower costs, greater control, and overall increased efficiency and effectiveness. A benchmarked... more »

Voting

3 votes
Public Input

8. Building Effective Security into Acquisitions

Supported ITAPS recommendations

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) With the continued and growing dependence of the government on commercially provided IT services, what changes are needed to government acquisition policies and practices... more »

Voting

1 vote
Public Input

7. Executive Leadership-led Risk Management

Supported ITAPS recommendations, part 2

Provide for the escalation of risk-based decisions through senior leadership if critical security recommendations are rejected by owners of business lines or applications, ensuring critical security decisions are not made in isolation. For example, decisions to keep critical systems available while overriding security recommendations should no longer be routinely deferred exclusively to network, system, or application... more »

Voting

2 votes
Public Input

3. Breach-to-Response Acceleration

Supported ITAPS recommendations, part 2

Consistent with the concept that security is the responsibility of all employees, all agency employees should be educated and trained on general incident response planning concepts and any related responsibilities, including how to notify response organizations, the information to report, and other relevant activities. All incidents, exercises, and general activities offer opportunities to learn and improve planning.... more »

Voting

2 votes
Public Input

3. Breach-to-Response Acceleration

Supported ITAPS recommendations

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) How can agencies effectively address current time lags with detection of and response to vulnerabilities and threats that will significantly compress breach-to-detection-to-response... more »

Voting

1 vote
Public Input

2. Business Initiated Vulnerabilities

Supported ITAPS recommendations

(Paragraphs preceded by [Non-ITAPS] are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) How can agencies sharpen focus on vulnerabilities created by (or exposed by) uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber? [Non-ITAPS]... more »

Voting

1 vote
Public Input

1. Addressing Cyber Fundamentals

Supported ITAPS recommendations, part 2

Governance and Accountability: Establish an outcome-focused Governance Framework that covers all aspects of the enterprise, resulting in effective direction-setting, decision-making, oversight, transparency, and accountability. For example, fully execute and enforce the Federal Information Security Management Act (FISMA) as contemplated in the authorizing legislation and seek legislative reform where necessary. Escalate... more »

Voting

2 votes
Public Input