4.Adopting a Threat-Aware Proactive Defense

Think Like The Adversary

By nature, defensive safeguards place the adversary in control; he need only breach one point of weakness to reach success. In contrast, the defender must attempt to cover all possible weaknesses. Shoring up these weaknesses becomes a costly enterprise and the economies of scale help ensure the attacker maintains the advantage. Current security tools independently address weaknesses; suites of tools offer more complete... more »

Voting

1 vote
Public Input

1. Addressing Cyber Fundamentals

Hold agencies accountable to NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) did a great job describing what is needed to have a good cyber security posture, but it leaves you hanging on how do you do it; what are good practices; how do you measure it? To help assess the operational cyber defense posture of Department of Defense (DoD) systems, Office of Secretary of Defense (OSD), Director Operational Test and Evaluation (DOT&E) developed metrics using the... more »

Voting

2 votes
Public Input

4.Adopting a Threat-Aware Proactive Defense

Design defense around your mission or business Cyber Key Terrain

What is your most important line of business or function of your agency? What are your crown jewels (as another author here wrote)? What is the risk to those? What does the enemy want to achieve? This is the just the starting point of protecting your agency or business. Today, it is important to create a threat-aware proactive defense around your Cyber Key Terrain (C-KT) and manage the risk per line of business or... more »

Voting

1 vote
Public Input

7. Executive Leadership-led Risk Management

NEWS FLASH America--CEOs & Sr Ldrs get FIRED over breaches

As enterprises strive to gain value by leveraging technology, the risk associated with digital business is increasing. Isolated approaches to information security, business continuity and incident response are a thing of the past; today, the urgency of providing continuously available services for customers and business partners in the digital economy requires enterprises to become resilient. A resilient enterprise protects... more »

Voting

2 votes
Public Input

5. Sharing of Threat Intelligence

Silos cripple information sharing--Mandate sharing

Threat data sharing or cybersecurity-related information sharing is essential to the protection of the federal government, other critical infrastructure sectors, and to furthering cybersecurity for the Nation. The government needs to set the global standard on establishing an environment that facilitates threat data information sharing, it still operates in silos. Action must be taken to arm stakeholders with needed information... more »

Voting

1 vote
Public Input

4.Adopting a Threat-Aware Proactive Defense

Start with the Crown Jewels & Stop Spreading Peanut Butter

Currently, the government is still focused on perimeter defense will only a shallow defense-in-depth strategy. The problem centers on an enterprise architecture that is designed to usually protect the entire network at the same level, thus peanut butter spreading network defense resources. Agencies fail built a network defense strategy that focus on protecting their crown jewels, vulnerability reduction, and adversary... more »

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

Fundamentals of Security and Privacy start w/Risk Mitigation

Security/Privacy Protection Controls consistency is critical to mitigating organizational risk. Risk mitigation begins at the highest level of an organization. It is a combination of three key things—governance, accountability, and culture. Implementing an organizational governance process will bring myriad benefits, including lower costs, greater control, and overall increased efficiency and effectiveness. A benchmarked... more »

Voting

3 votes
Public Input

8. Building Effective Security into Acquisitions

Supported ITAPS recommendations

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) With the continued and growing dependence of the government on commercially provided IT services, what changes are needed to government acquisition policies and practices... more »

Voting

1 vote
Public Input

7. Executive Leadership-led Risk Management

Supported ITAPS recommendations, part 2

Provide for the escalation of risk-based decisions through senior leadership if critical security recommendations are rejected by owners of business lines or applications, ensuring critical security decisions are not made in isolation. For example, decisions to keep critical systems available while overriding security recommendations should no longer be routinely deferred exclusively to network, system, or application... more »

Voting

2 votes
Public Input

4.Adopting a Threat-Aware Proactive Defense

Supported ITAPS recommendations

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) How should the government expand beyond its emphasis on perimeter defense and even defense-in-depth, and instead put more relative resources toward combining actionable... more »

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

Supported ITAPS recommendations

Part 1 - Security Risk Management (Regular print are supported ITAPS recommendations in response to questions, italics are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) 1. Addressing Cyber Fundamentals How do we move from inconsistent security/privacy protection control approaches to solid fundamentals... more »

Voting

2 votes
Public Input