Where's the new cyber strategy?
A week after the end of the federal "sprint," OMB is working past its own deadline on the Federal Civilian Cybersecurity Strategy.
He told federal agencies to hurry up and “sprint.” Now it’s hurry up and wait.
Federal CIO Tony Scott had promised that the results of the federal cyber sprint would be made public July 20. But his office -- wrestling with the influx of data and the crafting of a government-wide cyber strategy -- has yet to release the highly anticipated report.
The Office of Management and Budget has declined to officially offer an alternate publication date; a source familiar with the review could only say results would be published “later this summer.”
"As we're nearing the end of the 30-day sprint, I have positive results to report," Scott told reporters July 9, saying agencies have "dramatically increased" two-factor authentication for privileged users and claiming that "a number of agencies have hit 100 percent."
Speaking with Reuters July 11, Scott took a realist’s tone, noting that when it came to accomplishing the broad goals of the sprint, "Some [agencies] will get there, and some won't."
Those major goals include:
- Immediately deploying indicators provided by the Homeland Security Department regarding priority threat-actor techniques, tactics and procedures to scan systems and check logs.
- Patching critical vulnerabilities without delay.
- Tightening policies and practices for privileged users.
- Dramatically accelerating implementation of multi-factor authentication, especially for privileged users.
The reviews will inform a new Federal Civilian Cybersecurity Strategy.
A government-wide push
Paul Christman, vice president for federal at Dell Software, said he’s been struck by the embrace of the sprint across government.
“I was expecting people in the intelligence community, in the Defense Department, to sort of shrug,” Christman said. “But it’s actually been across the board.”
The Marine Corps, Interior Department and VA are among the agencies seizing the sprint’s opportunity to beef up security.
Some agencies, such as the independent, non-CFO Act Federal Communications Commission, aren’t reporting to Scott’s office, but are following the sprint’s developments nonetheless.
“We're tracking the guidance and incorporating it into our own practices,” said FCC CIO David Bray, “[even though] technically we don't have to report what we did to OMB.”
New breaches uncovered?
The whole sprint was inspired by the massive breaches discovered at the Office of Personnel Management in June.
As Scott told Reuters, it’s possible the sprint uncovers new breaches in other agencies.
"I think it's a realistic chance,” he said.
An inspector general investigation sparked by the OPM breach found 3,000 "critical and high-risk vulnerabilities in publicly accessible computers" at Interior, Deputy IG Mary Kendall said last week.
New breaches or no, the sprint will only be as effective as agencies make it, and not all have been on the right track.
“I’ve had some really, really depressing conversations with people on how they’re implementing two-factor authentication,” Christman noted. Applications, not just physical devices, need to be able to recognize and accept two-factor credentials, Christman stressed. Otherwise, agencies revert back to username/password combos for application logins, leaving huge security gaps.
As for the federal CIO’s report, one reason it is taking a while might be because of the volume and variety of data reported from across the government.
“[T]here is no single pane of glass for the federal government,” noted NASA CIO Larry Sweet. “The data gathered from each agency reflects the diverse infrastructure across the federal government.”
“The responses will be so varied, it will be interesting to see how they’re aggregated,” said Dell’s Christman, noting that compiling results will be more like “grading an essay test” than a multiple-choice quiz.
The report should expose the true state of federal cybersecurity.
“There's probably no CIO in any federal agency now who wants to be the bottom of the list,” Scott told Reuters.
But the sprint and the ensuing cyber strategy are not the end of anything – they’re just the beginning.
“[The s]print should be thought of as ‘warm-up exercise’ for where we plan to go,” Scott tweeted July 19. “[N]o one should be confused ...”