Securing Government Systems — Our Nation’s security and economic prosperity depend on the stability and integrity of our Federal communications and information infrastructure. As stated in the Cyberspace Policy Review, the 60-day clean-slate evaluation of cyber activities ordered by the President, threats to cyberspace pose some of the most serious economic and national security challenges of the 21st century for the United States. The group of state and non-state actors who target U.S. citizens, businesses, and Federal agencies is growing. US-CERT, the computer response center for civilian agencies, sees millions of attempts daily to access open ports and vulnerable applications on Federal networks.
Historically, the Federal Government has not been as effective as necessary in its cyber defense. An inadequate cybersecurity workforce, a focus on compliance rather than outcomes, and a cumbersome and time-consuming process for collecting information regarding agency security postures have hindered our cybersecurity management capabilities. OMB will work with agencies, Inspectors General, Chief Information Officers, senior agency officials for Privacy, as well as GAO and the Congress, to strengthen the Federal Government’s IT security and privacy programs. As part of those activities, OMB will:
Identity Management — The Cyberspace Policy Review outlined a number of cybersecurity recommendations. To support this effort, the Federal Chief Information Officers’ Council developed the “Identity, Credential and Access Management (ICAM) Roadmap and Implementation Guidance” document to provide implementation guidance for program managers, leadership, and stakeholders as they plan and upgrade their architectures. One of the major outcomes of this effort is to enable agencies to create and maintain information systems that deliver more convenience, appropriate security, and privacy protection, with less effort and at a lower cost. The ICAM roadmap, issued in November 2009, outlines a number of transition activities for agencies to complete. It also serves as an important tool for providing awareness to external mission partners and driving the development and implementation of interoperable solutions. ICAM solutions will leverage the existing investments in the Federal Government while promoting efficient use of tax dollars when designing, deploying, and operating ICAM systems.
As part of this effort, OMB will continue to oversee the implementation of the strong Federal identity management scheme outlined in Homeland Security Presidential Directive 12 (HSPD-12). This directive, “Policy for a Common Identification Standard for Federal Employees and Contractors,” addressed the September 11th Commission recommendation to improve the security of Federal facilities and information systems. Agencies are required to follow specific, technical standards and business processes for the issuance of Federal credentials including a standardized background investigation to verify employees’ and contractors’ identities. HSPD-12 credentials facilitate physical access control and provide for digital signature, encryption, archiving of documents, multi-factor authentication, and single sign-on to improve security and facilitate information sharing. They also provide for a very high level of trust in identity credentials during disaster response, disaster recovery, and reconstitution of Government scenarios. As of September 1, 2009, more than 4.1 million credentials (71 percent of those needed) were issued to the Federal workforce and 3.3 million background investigations (57 percent of those needed) were completed. Additionally, 20 credential issuance infrastructures are in operation nationwide and 55 system integrators and 449 products are on the Approved Products and Services list maintained by GSA. Agencies are currently focusing on completing the issuance of credentials to their remaining employees and contractors and leveraging the electronic capabilities of the credentials.
Protecting Privacy — Federal agencies will continue to implement breach notification plans, eliminate unnecessary collection and use of Social Security numbers in agency programs, reduce unnecessary holdings of personally identifiable information, and develop policies outlining rules of behavior and identifying consequences and corrective actions to address non-compliance. Agencies are expected to demonstrate progress in all aspects of privacy protection. The Federal Government will continue to improve information security for Federal systems and the information sector overall. This focus, along with a commitment to ensuring privacy as investments are made in the widespread implementation of electronic health records, will maintain the privacy of personal information for all Americans as a top priority.