ACT-IAC Cybersecurity Innovation Initiative Browse Popular ideas

Federal executives continue to grapple with how best to allocate funds in addressing prevalent and emerging cyber threats. Federal agencies can empower executives in the fight against cyber crime by taking three calculated actions:

1. Size – Measure overall risk exposure across the organization's value chain
2. Monetize – Adopt a defensible framework for quantifying the benefits of cybersecurity investments
3. Operationalize... more »

No real accountability exists today for executives in regards to IT Security failures. Accountability should exist in cases where known security issues existed before the breach and executives failed to address them. Risk acceptance should not be used as an excuse for addressable security gaps.

With the preponderance of IT devices and chipsets being manufactured in China, there is a distinct possibility that the PLA is hard-coding spyware and back-doors in the hardware built there. Acquisition laws need to specifically require that all components & sub-components used in sensitive IT / data communications systems be built / fabricated and assembled by U.S. companies in the US. Further, safeguards (inspections... more »

There is a rapid increase in cyber insurance across the commercial landscape. This is getting the C-level attention because the risk and costs are being codified into actual numbers, not just fear of something bad happening. The Federal Government should leverage off this trend and require all Government contractors to have a level of insurance, which will likewise drive a level of accountability and measurement. This... more »

Although the OPM breach has been the major source of cybersecurity discussion the past few months, it is certainly not the only issue that needs to be addressed. During the panel discussion at the NACo Summit we also covered topics like the White House Cybersecurity Sprint and how to better protect systems and data for long-term security.
If you are not familiar with the 30-day White House Cybersecurity sprint, it is... more »

We talk about these issues inside the beltway everyday the THR CIO community. The business owners need to get a job done and take care of their customers. Again it comes down explaining in business oriented words to make the business owners understand not the cyber language. WE also need to do a better job explaining this outside the beltway. There needs to be a coordinated education blitz that is explained over and... more »

In 2011 the White House via OMB issued a Memo M-11-11 that stated "Effective the beginning of FY2012, existing physical and logical access control systems
must be upgraded to use PIV credentials , in accordance with NIST guidelines, prior to the agency
using development and technology refresh funds to complete other activities." https://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf. This memo, had... more »

Executive Leadership-led Risk Management has not been a part of the past because risk management issues were isolated to factions of the Organization. To keep Executive Leadership engaged in Risk Management activities execute a Risk Management Framework (NIST) which involves all Tiers 1-3(Organization., Mission-Business Processes, & Information Systems) in the Risk Management Process/Commuincations. Two-way Communication... more »

Talented students, particularly many female and minority students are unaware of the career opportunities available to them in cybersecurity. The government and CISO/CIO partner organizations can help colleges and universities grow the talent pool for qualified cybersecurity professionals by creating and publicizing internship opportunities for students. Presently most internships in cybersecurity recruit junior and... more »

Additional assistance can be provided through outreach initiatives that generate interest in this career field far before individuals are ready to seek employment. Providing training and certification in cyber tools and sponsoring cyber competitions, in addition to cyber ‘camps’ for students at the middle and high school level, are great ways to engage youth in this discipline and can connect the dots between success... more »

Currently agencies self assess their cybersecurity posture. OMB should create a assessment standard and have an independent assessment board of government and industry SME's assess each agency, via a framework such as the one used for FEDRAMP.

Walmart achieved a 92% reduction in security defects by creating a "Security Maven" role to drive security best practices into their software development teams that greatly outnumbered their security teams.

IT security in government is typically organized as a silo focused on protecting production systems. A government-wide security maven program would help tear down the existing" expertise" and "contractual" barriers... more »

The first step in tackling the cybersecurity talent search is in develop a better understanding of the competencies required for effective, and proactive, cyberdefense and intrusion response. With the rapid change in technologies and tactics for exploitation and intrusion, defining the required talent is a tall order. As such, new approaches for rapid creation, expansion or tailoring of job series will be needed so... more »

I like the idea of cybersecurity interns next summer , but I couldn't figure out how to comment on it.

I think the government needs to realize that there are big bucks to be made in the private sector if you are really good at this, and so they can't expect people to stay in Government. The Government should be prepared to depend on private sector contractors, who can do this work well.

However, experience in other... more »

Getting the highest return on investments in superior talent will require investing in creating and sustaining superior working conditions to ensure the best use of that talent. Accordingly, the creation of the work environment that allow government to optimally organize and manage the cybersecurity work and the talent that will perform that work, requires that government develop a taxonomy of cybersecurity functions... more »