1. Addressing Cyber Fundamentals

Hold agencies accountable to NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) did a great job describing what is needed to have a good cyber security posture, but it leaves you hanging on how do you do it; what are good practices; how do you measure it? To help assess the operational cyber defense posture of Department of Defense (DoD) systems, Office of Secretary of Defense (OSD), Director Operational Test and Evaluation (DOT&E) developed metrics using the... more »

Voting

2 votes
Public Input

3. Breach-to-Response Acceleration

Cyber Battlerooms to learn to recognize adversary action

The old adage "it takes 10,000 hours of practice to become an expert" is very true in cyber defense. We can't teach people to prevent zero day exploits but we can provide an inexpensive way to show what happens when an exploit is used. Technology today is finally available to provide ubiquitous Cyber Battlerooms, like Netflix, where you log into the cloud and "play" on a Virtual Clone Network of a government agency,... more »

Voting

1 vote
Public Input

6. Solving the Talent Search

Change the paradigm-Invest in Cybersecurity Workforce Dev

Reports and articles keep surfacing on the issue of lacking cybersecurity talent in the federal government. Since 2010, little improvement has been seen regarding increased knowledge, skills, and abilities among the federal cybersecurity workforce. (Williams, 2015b).This can be attributed large to leadership failures across the agencies. Cybersecurity experts in the trenches, industrial organizational psychologists, and... more »

Voting

3 votes
Public Input

4.Adopting a Threat-Aware Proactive Defense

Start with the Crown Jewels & Stop Spreading Peanut Butter

Currently, the government is still focused on perimeter defense will only a shallow defense-in-depth strategy. The problem centers on an enterprise architecture that is designed to usually protect the entire network at the same level, thus peanut butter spreading network defense resources. Agencies fail built a network defense strategy that focus on protecting their crown jewels, vulnerability reduction, and adversary... more »

Voting

2 votes
Public Input

3. Breach-to-Response Acceleration

Response Time--Combines Technology, Threat Knowledge, & Skills

Agencies must plan for success. Increasing response time is a combination of technology, threat knowledge, and skill sets of cybersecurity practitioners. Lag time exists because organizations unable to effectively integrate practitioner skills, threat knowledge, and technology. Although agencies are in possession of effective tools (e.g., Einstein and CDM) that collect indicators and signatures of malicious traffic crisscrossing... more »

Voting

2 votes
Public Input

2. Business Initiated Vulnerabilities

Create Gov Wide "Security Maven" Program for Gov IT Developers

Walmart achieved a 92% reduction in security defects by creating a "Security Maven" role to drive security best practices into their software development teams that greatly outnumbered their security teams. IT security in government is typically organized as a silo focused on protecting production systems. A government-wide security maven program would help tear down the existing" expertise" and "contractual" barriers... more »

Voting

4 votes
Public Input

6. Solving the Talent Search

Supported ITAPS recommendations

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) How can government tackle the cybersecurity talent search in a way that strengthens skills, experience, and knowledge both within government CISO/CIO and partner organizations... more »

Voting

2 votes
Public Input

2. Business Initiated Vulnerabilities

Supported ITAPS recommendations

(Paragraphs preceded by [Non-ITAPS] are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) How can agencies sharpen focus on vulnerabilities created by (or exposed by) uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber? [Non-ITAPS]... more »

Voting

1 vote
Public Input

1. Addressing Cyber Fundamentals

Supported ITAPS recommendations, part 3

People and Organizations: Make information security a core part of organizational culture, ensuring greater awareness and better computing practices. For example, information security training should be mandatory for all government employees and contractors and information security performance should be an item in performance reviews. Optimize enterprise and workforce planning to leverage consolidation in security... more »

Voting

2 votes
Public Input

6. Solving the Talent Search

Leverage and Inclusion of All Career Fields

Given that such a small percentage of the US population is in technical fields, the majority of population is not even in the target group. It is important to consider more than just technical people or those who self opt in to the cyber field. Cyber is relevant to all jobs. However, the education and training aspect of cyber is not made relevant to other than cyber focused career fields. Those who work in a range of... more »

Voting

3 votes
Public Input

6. Solving the Talent Search

Understanding cybersecurity talent requirements

The first step in tackling the cybersecurity talent search is in develop a better understanding of the competencies required for effective, and proactive, cyberdefense and intrusion response. With the rapid change in technologies and tactics for exploitation and intrusion, defining the required talent is a tall order. As such, new approaches for rapid creation, expansion or tailoring of job series will be needed so... more »

Voting

3 votes
Public Input