Cyber official: IT rulebook revamp overdue, but not agile enough

The federal government is making progress in the never-ending cybersecurity fight, but everything from acquisition to network protection is lagging by decades, said retired Brig. Gen. Gregory Touhill, deputy assistant secretary of cybersecurity and communications at the Department of Homeland Security.

With regard to the Office of Management and Budget's proposed A-130 circular update, "I think that we're making progress, and we've got good velocity and precision," Touhill told FCW. "It was high time we had some improvements and upgrades that reflect today's information technology environment, and I think the new A-130 really helps with that, but I think that as we look into the future, we need to be a little more agile."

Other feds have said the proposed A-130 changes are silent on agile development methodologies and open-source software.

Touhill said he has "not read it all cover to cover," but the new A-130 focus on "outcome-based solutions" was positive.

An A-130 revamp was long overdue, he added.

"It was written 15 years ago," Touhill said. "If you follow Touhill's Theorem, which says that one human year equals 25 computer years, you can do the math on how old that guidance was."

The acquisition process in general "takes too darn long," Touhill told the audience at a Nov. 5 Chertoff Group event.

He and former DHS cybersecurity guru Mark Weatherford said the time had come for shared cybersecurity services and consolidation of security functions in a few agencies.

"We need to pool our resources and reduce our attack surface," Touhill said.

The spread of the latest Einstein capabilities through government and Internet service providers, spurred by agencies' recent cybersecurity sprint, is another good-but-overdue development, Touhill said.

"Einstein 3A is really where we needed to be around 15 years ago," he said, and even so, its use is far from omnipresent at agencies or the ISPs that serve them.

"The bureaucracy is holding us back," Weatherford said, adding that structural issues are slowing Einstein's deployment.

While guidance inches forward and agencies consider consolidation, are they actually making progress on improving IT acquisition?

The size and scale of federal acquisition regulations would indicate the answer is no, Touhill said.

"I double dog dare you to bench press 'em," he added of acquisition regulations.