Chief Information Officers Council - Chapter19-4

 agile05 2010-11-19

 
Securing Government Systems

Our Nation’s security and economic prosperity depend on the stability and integrity of our Federal communications and information infrastructure. As stated in the Cyberspace Policy Review, the 60-day clean-slate evaluation of cyber activities ordered by the President, threats to cyberspace pose some of the most serious economic and national security challenges of the 21st century for the United States. The group of state and non-state actors who target U.S. citizens, businesses, and Federal agencies is growing. US-CERT, the computer response center for civilian agencies, sees millions of attempts daily to access open ports and vulnerable applications on Federal networks.
 
Historically, the Federal Government has not been as effective as necessary in its cyber defense. An inadequate cybersecurity workforce, a focus on compliance rather than outcomes, and a cumbersome and time-consuming process for collecting information regarding agency security postures have hindered our cyber security management capabilities. OMB will work with agencies, Inspectors General, Chief Information Officers, senior agency officials for Privacy, as well as GAO and the Congress, to strengthen the Federal Government’s IT security and privacy programs. As part of those activities, OMB will:
 
  • Utilize a Modern Platform for Federal Information Security Management Act (FISMA) Reporting. On October 19, 2009, OMB launched an interactive data collection tool—CyberScope—enabling agencies to fulfill their FISMA reporting requirements through a modern digital platform. The broad range of meaningful information collected, the use of secure two-factor authentication, and the online access to data provides for a more efficient and effective reporting process. In the spring of 2010, OMB will unveil a cybersecurity dashboard, unlocking the value of agency FISMA reporting by presenting the information gathered to agencies’ IT professionals and management in a timely, comprehensive, and secure manner.
  • Collect More Specific Cost/Budget Information. Beginning with the 2009 FISMA report, OMB is collecting cost estimates and actual amounts spent on IT security. Collection of this information, especially when combined with performance-based metrics, will allow both OMB and agency management to make informed, risk-based decisions on where to allocate scarce resources.
  • Implement New Security Metrics. In September 2009, OMB established a task force which has developed new, outcome-focused metrics for information security performance for Federal agencies rather than merely demonstrating compliance. These metrics will be used in agencies’ 2010 FISMA reports to OMB and the Congress. Additionally, OMB and the task force will release a roadmap for future reporting under FISMA, which will incorporate real-time metrics and enhance Government-wide situational awareness in 2010.
  • Move towards Situational Awareness across the Government. More frequent reporting, near or at real time, is imperative for developing situational awareness across the Federal enterprise. The use of Security Information Management or Security Information and Event Management tools will assist in progressing towards real-time security awareness and management in the Government.
  • Cybersecurity Workforce. On October 1, 2009, as a result of OMB collaboration with the Office of Personnel Management, DHS Secretary Janet Napolitano announced that DHS has the authority to hire up to 1,000 new cyber security professionals over the next three years to fill staffing gaps at various DHS agencies. This new hiring authority will enable DHS to recruit skilled cyber analysts, developers and engineers to serve their country by helping to secure the Nation against cyber threat.
 
Identity Management—The Cyberspace Policy Review outlined a number of cybersecurity recommendations. To support this effort, the Federal Chief Information Officers’ Council developed the “Identity, Credential and Access Management (ICAM) Roadmap and Implementation Guidance” document to provide implementation guidance for program managers, leadership, and stakeholders as they plan and upgrade their architectures. One of the major outcomes of this effort is to enable agencies to create and maintain information systems that deliver more convenience, appropriate security, and privacy protection, with less effort and at a lower cost. The ICAM roadmap, issued in November 2009, outlines a number of transition activities for agencies to complete. It also serves as an important tool for providing awareness to external mission partners and driving the development and implementation of interoperable solutions. ICAM solutions will leverage the existing investments in the Federal Government while promoting efficient use of tax dollars when designing, deploying, and operating ICAM systems.
 
As part of this effort, OMB will continue to oversee the implementation of the strong Federal identity management scheme outlined in Homeland Security Presidential Directive 12 (HSPD-12). This directive, “Policy for a Common Identification Standard for Federal Employees and Contractors,” addressed the September 11th Commission recommendation to improve the security of Federal facilities and information systems. Agencies are required to follow specific technical standards and business processes for the issuance of Federal credentials, including a standardized background investigation to verify employees’ and contractors’ identities. HSPD-12 credentials facilitate physical access control and provide for digital signature, encryption, archiving of documents, multi-factor authentication, and single sign-on to improve security and facilitate information sharing. They also provide for a very high level of trust in identity credentials during disaster response, disaster recovery, and reconstitution of Government scenarios. As of September 1, 2009, more than 4.1 million credentials (71 percent of those needed) were issued to the Federal workforce and 3.3 million background investigations (57 percent of those needed) were completed. Additionally, 20 credential issuance infrastructures are in operation nationwide and 55 system integrators and 449 products are on the Approved Products and Services list maintained by GSA. Agencies are currently focusing on completing the issuance of credentials to their remaining employees and contractors and leveraging the electronic capabilities of the credentials.
 
Protecting Privacy — Federal agencies will continue to implement breach notification plans, eliminate unnecessary collection and use of Social Security numbers in agency programs, reduce unnecessary holdings of personally identifiable information, and develop policies outlining rules of behavior and identifying consequences and corrective actions to address non-compliance. Agencies are expected to demonstrate progress in all aspects of privacy protection. The Federal Government will continue to improve information security for Federal systems and the information sector overall. This focus, along with a commitment to ensuring privacy as investments are made in the widespread implementation of electronic health records, will maintain the privacy of personal information for all Americans as a top priority.
