
CRS Reports & Analysis

Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources
November 14, 2017 (R44408)
Rita Tehan, Information Research Specialist ([email protected], 7-6739)

Related Author

Rita Tehan

Contents

Introduction

Tables

Table 1. Cybercrime, Data Breaches, and Data Security
Table 2. National Security, Cyber Espionage, and Cyberwar
Table 3. Cloud Computing, "The Internet of Things," Smart Cities, and FedRAMP

Summary

As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, whereas nation-state hackers compromise companies, government agencies, and businesses to create espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea.

Much is written on this topic, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources:

Table 1—cybercrime, data breaches and security, including hacking, real-time attack maps, and statistics (such as economic estimates)
Table 2—national security, cyber espionage, and cyberwar, including Stuxnet, China, and the Dark Web
Table 3—cloud computing, the Internet of Things (IoT), smart cities, and FedRAMP

The following reports comprise a series of authoritative reports and resources on these additional cybersecurity topics:

CRS Report R44405, Cybersecurity: Overview Reports and Links to Government, News, and Related Resources, by Rita Tehan.
CRS Report R44406, Cybersecurity: Education, Training, and R&D Authoritative Reports and Resources, by Rita Tehan.
CRS Report R44408, Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources, by Rita Tehan.
CRS Report R44410, Cybersecurity: Critical Infrastructure Authoritative Reports and Resources, by Rita Tehan.
CRS Report R44417, Cybersecurity: State, Local, and International Authoritative Reports and Resources, by Rita Tehan.
CRS Report R44427, Cybersecurity: Federal Government Authoritative Reports and Resources, by Rita Tehan.
CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan.
CRS Report R43310, Cybersecurity: Data, Statistics, and Glossaries, by Rita Tehan.

Introduction

As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, whereas nation-state hackers compromise companies, government agencies, and businesses to create espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea.


Much is written on this topic, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources:

Table 1—cybercrime, data breaches and security, including hacking, real-time attack maps, and statistics (such as economic estimates)
Table 2—national security, cyber espionage, and cyberwar, including Stuxnet, China, and the Dark Web
Table 3—cloud computing, the Internet of Things (IoT), and FedRAMP

Table 1. Cybercrime, Data Breaches, and Data Security

(includes data breaches, hacking, real-time attack maps, statistics)

Title | Source | Date | Notes

The Cyberfeed | Anubis Networks | Continuously Updated
This site provides real-time threat intelligence data worldwide.

Digital Attack Map | Arbor Networks | Continuously Updated
The map is powered by data fed from 270+ ISP customers worldwide who have agreed to share network traffic and attack statistics. The map displays global activity levels in observed attack traffic, which it collected anonymously, and does not include any identifying information about the attackers or victims involved in any particular attack.

Cyber Incident Timeline | Center for Strategic & International Studies (CSIS) | Continuously Updated
The CSIS's Strategic Technologies program's interactive "Cyber Incident Timeline" details the successful attacks on government agencies, defense and high tech companies, and international economic crimes with losses of more than $1 million, since 2006. It includes news reports and videos on most incidents.

Summary of U.S. State Data Breach Notification Statutes | Davis Wright Tremaine LLP | Continuously Updated
Click on any of the states to see a full summary of their data breach notification statute.

DataBreaches.net | Dissent (pseudonym) | Continuously Updated
This site is a combination of news aggregation, investigative reporting, and commentary on data breaches and data breach laws. Users can browse data breaches by sector.

ThreatExchange | Facebook | Continuously Updated
ThreatExchange is a set of application programming interfaces, or APIs, that let disparate companies trade information about the latest online attacks. Built atop the Facebook Platform—a repository of a standard set of tools for coding applications within the worldwide social network—ThreatExchange is used by Facebook and a handful of other companies, including Tumblr, Pinterest, Twitter, and Yahoo. Access to the service is strictly controlled, but [Facebook] hopes to include more companies as time goes on.

Federal Trade Commission List of Settled Data Security Cases | Federal Trade Commission (FTC) | Continuously Updated
The FTC's Legal Resources website offers a compilation of laws, cases, reports, and more. The user can filter the FTC's legal documents by type (case) and topic (data security), resulting in a list of 55 data security cases from 2000 to 2015, in reverse chronological order. Clicking the case name provides more details, such as the case citation, timeline, press releases, and pertinent legal documents.

Threat Intelligence Database | Fidelis Barncat | Continuously Updated
The database includes more than 100,000 records with configuration settings extracted from malware samples gathered during Fidelis' incident response investigations and other intelligence gathering operations over the past decade. The typical malware sample includes a large number of configuration elements, including those controlling the behavior of the malware on the host and others related to command-and-control traffic. Barncat is updated with hundreds of new configuration records each day. Barncat is available for use by CERTs, research organizations, government entities, ISPs and other large commercial enterprises. Access is free, but users must request access and meet specific criteria.

IdentityTheft.gov | FTC | Continuously Updated
The one-stop website is integrated with the FTC's consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved. The upgraded site, which is mobile and tablet accessible, offers an array of easy-to-use tools that enables identity theft victims to create the documents they need to alert police, the main credit bureaus, and the Internal Revenue Service (IRS) among others.

HHS Breach Portal: Breaches Affecting 500 or More Individuals | Health and Human Services (HHS) | Continuously Updated
As required by Section 13402(e)(4) of the HITECH Act, P.L. 111-5, HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are posted in a more accessible format that allows users to search and sort the posted breaches. Additionally, the format includes brief summaries of the breach cases that the Office for Civil Rights (OCR) has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information.

Combatting Cyber Crime | Homeland Security | Continuously Updated
DHS works with other federal agencies to conduct high-impact criminal investigations to disrupt and defeat cyber criminals, prioritize the recruitment and training of technical experts, develop standardized methods, and broadly share cyber response best practices and tools. Criminal investigators and network security experts with deep understanding of the technologies malicious actors are using and the specific vulnerabilities they are targeting work to effectively respond to and investigate cyber incidents.


HoneyMap | Honeynet Project | Continuously Updated
The HoneyMap displays malicious attacks as they happen. Each red dot represents an attack on a computer. Yellow dots represent "honeypots" or systems set up to record incoming attacks. The black box on the bottom gives the location of each attack. The Honeynet Project is an international 501(c)(3) nonprofit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.

Data Breaches | Identity Theft Resource Center | Continuously Updated
The report presents detailed information about data exposure events along with running totals for a specific year. Breaches are broken down into five categories: business, financial/credit/financial, educational, governmental/military, and medical/healthcare.

Regional Threat Assessment: Infection Rates and Threat Trends by Location | Microsoft Security Intelligence Report (SIR) | Continuously Updated
The report provides data on infection rates, malicious websites, and threat trends by regional location, worldwide. (Note: Select "All Regions" or a specific country or region to view threat assessment reports.)

No More Ransom | National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Center, Kaspersky Lab and Intel Security | Continuously Updated
The online portal offers a one-stop shop for battling ransomware infections.

ThreatWatch | NextGov | Continuously Updated
ThreatWatch is a snapshot of the data breaches hitting organizations and individuals, globally, on a daily basis. It is not an authoritative list because many compromises are never reported or even discovered. The information is based on accounts published by outside news organizations and researchers.

Information about OPM Cybersecurity Incidents | Office of Personnel Management (OPM) | Continuously Updated
In April 2015, OPM discovered that the personnel data of 4.2 million current and former federal government employees had been stolen. Information such as full name, birth date, home address, and Social Security numbers was affected. While investigating this incident, in early June 2015, OPM discovered that additional information had been compromised, including background investigation records of current, former, and prospective federal employees and contractors.


Chronology of Data Breaches, Security Breaches 2005 to the Present | Privacy Rights Clearinghouse (PRC) | Continuously Updated
The listed (U.S.-only) data breaches have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. This list is not a comprehensive compilation of all breach data. Most of the information is obtained from verifiable media stories, government websites (e.g., state Attorneys General, such as the California AG's breach website), or blog posts with information pertinent to the breach in question.

Criminal Underground Economy Series | Trend Micro | Continuously Updated
A review of various cybercrime markets around the world.

Global Botnet Map | Trend Micro | Continuously Updated
Trend Micro continuously monitors malicious network activities to identify command-and-control (C&C) servers and help increase protection against botnet attacks. The real-time map indicates the locations of C&C servers and victimized computers they control that have been discovered in the previous six hours.

The Equifax Data Breach: What to Do | FTC | September 8, 2017
FTC information on what to do after the Equifax data breach, including information on how to set up a credit freeze and/or fraud alert.

Data Integrity: Recovering from Ransomware and Other Destructive Events (DRAFT) | NIST | September 6, 2017
Data integrity incidents, such as ransomware, destructive malware, malicious insider activity, and even honest mistakes, can compromise enterprise information, including emails, employee records, financial records, and customer data. (456 pages)

The FDIC's Processes for Responding to Breaches of Personally Identifiable Information | FDIC Inspector General | September 2017
An FDIC audit found that protocols for responding to a data breach aren't being followed, even as the agency has faced dozens of security incidents in the past two years. The audit stemmed from a series of data breaches at the FDIC over nearly two years, from January 2015 to December 2016. Overall the agency has confirmed or suspects that it was compromised 54 times within that time period. The Office of Inspector General selected 18 of those breaches to evaluate for the audit. (51 pages)

The CERT Guide to Coordinated Vulnerability Disclosure | Carnegie Mellon | August 2017
This document is intended to serve as a guide to those who want to initiate, develop, or improve their own CVD capability. In it, the reader will find an overview of key principles underlying the CVD process, a survey of CVD stakeholders and their roles, and a description of CVD process phases, as well as advice concerning operational considerations and problems that may arise in the provision of CVD and related services. (121 pages)

Social Security Numbers: OMB Actions Needed to Strengthen Federal Efforts to Limit Identity Theft Risks by Reducing Collection, Use, and Display | GAO | July 27, 2017
GAO was asked to review federal government efforts to reduce the collection and use of SSNs. This report examines (1) what governmentwide initiatives have been undertaken to assist agencies in eliminating their unnecessary use of SSNs and (2) the extent to which agencies have developed and executed plans to eliminate the unnecessary use and display of SSNs and have identified challenges associated with those efforts.

Highlights of a Forum: Combating Synthetic Identity Fraud | GAO | July 26, 2017
According to experts, synthetic identity fraud (SIF) has grown significantly in the last five years and has resulted in losses exceeding hundreds of millions of dollars to the financial industry in 2016. A key component of synthetic identities is SSNs—the principal identifier in the credit reporting system. GAO convened and moderated a diverse panel of 14 experts on February 15, 2017 to discuss: how criminals create synthetic identities; the magnitude of the fraud; and issues related to preventing and detecting SIF and prosecuting criminals. (33 pages)

Counting the Cost: Cyber Exposure Decoded | Lloyd's of London | July 10, 2017
Lloyd's Class of Business team estimates that the global cyber market is worth between $3 billion and $3.5 billion. Despite this growth, insurers' understanding of cyber liability and risk aggregation is an evolving process as experience and knowledge of cyber-attacks grows. (56 pages)

2017 Cost of Data Breach Study: Global Overview | Ponemon and IBM | June 28, 2017
According to the report, the average total cost of data breach for the 419 companies participating in the research study decreased from $4.00 to $3.62 million. The average cost for each lost or stolen record containing sensitive and confidential information also significantly decreased from $158 in 2016 to $141 in this year's study. However, despite the decline in the overall cost, companies in this year's study are having larger breaches. (35 pages)

2016 Internet Crime Report | Internet Crime Complaint Center (IC3) | June 21, 2017
IC3 is a joint project of the National White Collar Crime Center and the FBI. In 2016, IC3 received a total of 298,728 complaints with reported losses in excess of $1.3 billion. This past year, the top three crime types reported by victims were non-payment and nondelivery, personal data breach, and payment scams. (28 pages)

Stateless Attribution: Toward International Accountability in Cyberspace | RAND | June 2017
This report reviews the state of cyber attribution and examines alternative options for producing standardized and transparent attribution that may overcome concerns about credibility. In particular, this exploratory work considers the value of an independent, global organization whose mission consists of investigating and publicly attributing major cyber attacks. (64 pages)

Worldwide DDoS Attacks & Cyber Insights Research Report | Neustar | May 2, 2017
Public and private organizations globally are getting slower at detecting and responding to distributed denial of service (DDoS) attacks as they become larger and more complex, new research shows. More than half of organizations surveyed in a global study reported taking three hours or more to detect a DDoS attack on their websites in the past year. Forty-eight percent said that they take at least three hours to respond to such an attack. (52 pages)

Data Breach Digest: Perspective is Reality | Verizon | April 26, 2017
In the Data Breach Digest, we share some of our most interesting cases—anonymized of course—so you can learn from the lessons of others. Our 16 cybercrime case studies cover the most lethal and prevalent threats you face—from partner misuse to sophisticated malware. We set out the measures you can take to better defend your organization and respond quickly if you are a victim of an attack. (100 pages)

Data Breach Investigative Report (registration required) | Verizon | April 27, 2017
The latest report examined 42,068 incidents and 1,935 breaches from 84 countries, drawing from the collective data of 65 organizations. Cyber espionage accounts for 21% of breaches, still far behind the 73% that are financially motivated. Breaches are heavily concentrated in three sectors: financial, health care, and public sector. (76 pages)

2017 Internet Security Threat Report (registration required) | Symantec | April 26, 2017
Cyberattackers are seeking bigger financial hauls, targeting massive dollar amounts, and more than tripling their asking price via ransomware from 2015 to 2016. In 2015, ransomware demands averaged $294, but that jumped to $1,077 in 2016. The probable cause is that victims are paying up: globally, 34% paid the ransom, and in the United States, 64% did. (77 pages)

The Cyber-Value Connection: Revealing the link between cyber vulnerability | CGI/Oxford Economics | April 2017
The report looks at the reduction in company value that arises from a cyber breach, vividly demonstrating how a severe incident leads to a decline in share price. To ensure rigor and independence, CGI commissioned Oxford Economics to develop a robust econometric model using a "difference in differences" technique to isolate the damage caused to company value by a cyber breach from other movements in the market. (28 pages)

Identity Theft Services: Services Offer Some Benefits but Are Limited in Preventing Fraud | GAO | March 30, 2017
GAO was asked to examine issues related to identity theft services and their usefulness. The report examines, among other objectives, (1) the potential benefits and limitations of identity theft services and (2) factors that affect government and private-sector decisionmaking about them. GAO reviewed products, studies, laws, regulations, and federal guidance and contracts, and interviewed federal agencies, consumer groups, industry stakeholders, and eight providers selected because they were large market participants. (70 pages)

Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits | RAND | March 13, 2017
This report provides findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, inform ongoing policy debates regarding stockpiling and vulnerability disclosure, and add extra context for those examining the implications and resulting liability of attacks and data breaches for U.S. consumers, companies, insurers, and for the civil justice system broadly. (133 pages)

IBM X-Force Threat Intelligence Index 2017: The Year of the Mega-Breach | IBM | March 2017
In 2016, more than 4 billion records were leaked worldwide, exceeding the combined total from the two previous years, according to a report from IBM Security. The leaked documents comprised the usual credit cards, passwords, and personal health information, but the report also notes a shift in cybercriminal strategies, finding a number of significant breaches were related to unstructured data such as email archives, business documents, intellectual property, and source code. (30 pages)

The Web of Vulnerabilities: Hunters, Hackers, Spies, and Criminals | Christian Science Monitor's Passcode team and Northwestern University's Medill School of Journalism | February 10, 2017
In a joint multimedia project between The Christian Science Monitor's Passcode team and Northwestern University's Medill School of Journalism, they explore the growing arms race to discover software vulnerabilities and what it means for national security and everyone's digital privacy and safety.

2017 Identity Fraud: Securing the Connected Life (press release) | Javelin Strategy & Research | February 2017
The study revealed that the number of identity fraud victims increased by 16% (rising to 15.4 million U.S. consumers) in the last year, a record high since Javelin Strategy & Research began tracking identity fraud in 2003. The study found that despite the efforts of the industry, fraudsters successfully adapted to net two million more victims this year with the amount fraudsters took rising by nearly $1 billion to $16 billion. (6 pages)

In 2017, The Insider Threat Epidemic Begins | Institute for Critical Infrastructure Technology | February 2017
The report offers a comprehensive analysis of the Insider Threat Epidemic, including research on (1) Characterizing Insider Threats (the insider threat cyber "kill chain," non-malicious insider threats, malicious insider threats); (2) The Insider Threat Debate; (3) Policies, Procedures, and Guidelines to Combat Insider Threats; (4) Non-Technical Controls; and (5) Technical Controls. (52 pages)

Risk and Anxiety: A Theory of Data Breach Harms | Texas Law Review | December 14, 2016
The essay examines why courts have struggled when dealing with harms caused by data breaches. The difficulty largely stems from the fact that data breach harms are intangible, risk-oriented, and diffuse. The report explores how existing legal foundations support the recognition of such harm. It demonstrates how courts can assess risk and anxiety in a concrete and coherent way.

Verisign Distributed Denial of Service Trends Report | Verisign | December 2016
Provides a view into attack statistics and behavioral trends during the third quarter of 2016: 81% of attacks peaked over 1 Gbps; 82% increase in attack size year over year; 59% of attacks used multiple attack types. (12 pages)

Department Releases Intake and Charging Policy for Computer Crime Matters | Department of Justice | October 25, 2016
In the course of litigation, DOJ released the policy under which it chooses whether to bring charges under the Computer Fraud and Abuse Act. As set forth in the memorandum, prosecutors must consider a number of factors to ensure that charges are brought only in cases that serve a substantial federal interest.

Data Breach Response: A Guide for Businesses | Federal Trade Commission (FTC) | October 25, 2016
The guidance document provides a basic checklist to help identify the general legal coverage for various types of data and point businesses to the relevant legal standards. It also includes a model notice letter for individuals whose Social Security numbers may have been breached. (16 pages)

IoT Devices as Proxies for Cybercrime | Krebs on Security | October 13, 2016
The post looks at how crooks are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity—from frequenting underground forums to credit card and tax refund fraud.

Examining the Costs and Causes of Cyber Incidents | RAND | October 10, 2016
Researchers found that the typical cost of a breach was about $200,000 and that most cyber events cost companies less than 0.4% of their annual revenues. The $200,000 cost was roughly equivalent to a typical company's annual information security budget. (15 pages)

From the Trenches: Current Status of Security and Risk in the Financial Sector | SANS Institute | October 6, 2016
According to a recent SANS survey, some 55% of financial services firms report ransomware as the top attack threat, followed by phishing (50%), which previously held the top spot. More than 32% of financial firms say they've lost anywhere from $100,000 to $500,000 due to ransomware attacks.

2016 Internet Organised Crime Threat Assessment (IOCTA) | Europol | September 28, 2016
The IOCTA reports a continuing and increasing acceleration of the security trends observed in previous assessments. The additional increase in volume, scope, and financial damage combined with the asymmetric risk that characterizes cybercrime has reached such a level that in some EU countries cybercrime may have surpassed traditional crime in terms of reporting. (72 pages)

The Rising Face of Cyber Crime: Ransomware | BitSight | September 21, 2016
Ransomware attacks on government agencies around the world have tripled in the past year. Government entities are second most likely to be targeted by ransomware attacks, following only the education sector. About 4% of government agencies had been exposed to Nymaim, and 3% to Locky, both ransomware strains. Of all industries, government had the second lowest security rating and the highest ransomware attack rate. (11 pages)


Ransomware Victims Urged to Report Infections to Federal Law Enforcement | FBI | September 15, 2016
The FBI is requesting victims reach out to their local FBI office or file a complaint with the Internet Crime Complaint Center, at http://www.IC3.gov, with ransomware infection details (as detailed on the website).

Workshop on Data Breach Aftermath and Recovery for Individuals and Institutions

National Academies Press, September 2016

In January 2016, the National Academies of Sciences, Engineering, and Medicine hosted the Workshop on Data Breach Aftermath and Recovery for Individuals and Institutions. Participants examined existing technical and policy remediations, and they discussed possible new mechanisms for better protecting and helping consumers in the wake of a breach. Speakers were asked to focus on data breach aftermath and recovery and to discuss ways to remediate harms from breaches. The publication summarizes the presentations and discussions from the workshop. (67 pages)

Examining the costs and causes of cyber incidents

Journal of Cybersecurity, August 25, 2016

Researchers examined a sample of more than 12,000 cyber events that include data breaches, security incidents, privacy violations, and phishing crimes. The findings suggest that public concerns regarding the increasing rates of breaches and legal actions may be excessive compared with the relatively modest financial impact to firms that suffer these events. Specifically, they found that the cost of a typical cyber incident is less than $200,000 (about the same as the firm's annual IT security budget), which represents only 0.4% of a firm's estimated annual revenues. (15 pages)

Bugs in the System: A Primer on the Software Vulnerability Ecosystem and its Policy Implications

New America, July 28, 2016

The report offers five initial policy recommendations to ensure that more vulnerabilities are discovered and patched sooner: (1) the U.S. government should minimize its participation in the vulnerability market, because it is the largest buyer in a market that discourages researchers from disclosing vulnerabilities to be patched; (2) the U.S. government should establish strong, clear procedures for government disclosure of the vulnerabilities it buys or discovers, with a heavy presumption toward disclosure; (3) Congress should establish clear rules of the road for government hacking to better protect cybersecurity and civil liberties; (4) government and industry should support bug bounty programs as an alternative to the vulnerabilities market and investigate other innovative ways to foster the disclosure and prompt patching of vulnerabilities; and (5) Congress should reform computer crime and copyright laws, and agencies should modify their application of such laws to reduce the legal chill on legitimate security research. (40 pages)

Second Interim Status Report on the U.S. Office of Personnel Management's (OPM) Infrastructure Improvement Project – Major IT Business Case

OPM, Office of Inspector General, May 18, 2016

The report finds that funding for the troubled IT security upgrades project remains an issue in part because of the agency's poor planning. The inspector general finds the agency still lacks a "realistic budget" for the massive upgrade. (12 pages)

Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information

RAND Corp., April 20, 2016

Key findings include: (1) 26% of respondents, or an estimated 64 million U.S. adults, recalled a breach notification in the past 12 months; (2) 44% of those notified were already aware of the breach; (3) 62% of respondents accepted offers of free credit monitoring; (4) only 11% of respondents stopped dealing with the affected company following a breach; (5) 32% of respondents reported no costs from the breach or the inconvenience it caused, while, among those reporting some cost, the median cost was $500; and (6) 77% of respondents were highly satisfied with the company's post-breach response.

2016 Internet Security Threat Report | Government

Symantec, April 13, 2016

Public-sector data breaches exposed some 28 million identities in 2015, but hackers were responsible for only one-third of those compromises, according to the report. Negligence was behind nearly two-thirds of the identities exposed through government agencies. In total, the report suggests 21 million identities were compromised accidentally, compared with 6 million by hackers.

Combatting the Ransomware Blitzkrieg: The Only Defense is a Layered Defense, Layer One: Endpoint Security

The Institute for Critical Infrastructure Technology, April 2016

The report introduces the ins and outs of the more prevalent ransomware variants as well as other endpoints vulnerable to ransomware attacks, such as SCADA/ICS, IoT, cars, cloud, servers, specialized hardware, personal computers, and the most easily exploitable vulnerability, the human. (27 pages)

2016 Data Breach Investigations Report

Verizon, April 2016

Provides analysis and statistics on worldwide data breaches. "In 93% of cases, it took attackers minutes or less to compromise systems. Organizations, meanwhile, took weeks or more to discover that a breach had even occurred—and it was typically customers or law enforcement that sounded the alarm, not their own security measures." (85 pages)

A Look Inside Cybercriminal Call Centers

Krebs on Security, January 11, 2016

Crooks who make a living via identity theft schemes, dating scams, and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they do not speak fluently. Enter the criminal call center, which allows scammers to outsource those calls to multilingual men and women who can be hired to close the deal.

Target Settlement Memorandum

U.S. District Court, District of Minnesota, December 2, 2015

Target Corporation has agreed to pay financial institutions almost $40 million to settle a class-action suit related to its massive 2013 data breach. The proposed settlement of up to $39,357,938.38 will apply to all U.S. financial institutions that issued payment cards put at risk as a result of the data breach. (20 pages)

The Cyberwar is On (Special Issue)

The Agenda (Politico), December 2015

The cyber issue of The Agenda magazine includes "Why Politicians Can't Handle Cyber," "Inside the NSA's Hunt for Hackers," "America's Secret Arsenal," "The Biggest Hacks (We Know About)," "Survey: What Keeps America's Computer Experts Up at Night?," "The 'Electronic Pearl Harbor'," "Our Best Frenemy, Time for a Ralph Nader Moment," "The Crypto Warrior," and "America's CIO."

Fiscal Year 2015 Top Management Challenges

Office of Personnel Management (OPM), Office of Inspector General (OIG), October 30, 2015

See the Internal Challenges section (pp. 15-22) for a discussion of challenges related to information technology, improper payments, the retirement claims process, and the procurement process. Officials in OPM's Office of Procurement Operations violated the Federal Acquisition Regulation and the agency's own policies in awarding a $20.7 million contract to provide credit monitoring and ID theft services. Investigators turned up "significant deficiencies" in the process of awarding the contract to Winvale Group and its subcontractor CSID. (22 pages)

With Stolen Cards, Fraudsters Shop to Drop

Krebs on Security, September 28, 2015

Fraudsters have perfected the reshipping service, a criminal enterprise that allows card thieves and the service operators to essentially split the profits from merchandise ordered with stolen credit and debit cards.

Drops for Stuff: An Analysis of Reshipping Mule Scams

Federal Bureau of Investigation (FBI), University of California, Santa Barbara, Stony Brook University, Krebs on Security, University College London

September 23, 2015

In reshipping scams, cybercriminals purchase high-value or high-demand products from online merchants using stolen payment instruments, and then ship the items to a credulous citizen. This person, who has been recruited by the scammer under the guise of "work-from-home" opportunities, then forwards the received products to the cybercriminals, most of whom are located overseas. Once the goods reach the cybercriminals, they are resold on the black market for an illicit profit. (12 pages)

Follow the Data: Dissecting Data Breaches and Debunking Myths

Trend Micro, September 22, 2015

Trend Micro's Forward-Looking Threat Research (FTR) Team has taken 10 years (2005-2015) of information on data breaches in the United States from the Privacy Rights Clearinghouse (PRC) and subjected it to detailed analysis to better understand the real story behind data breaches and their trends. (51 pages)

Timeline: Government Data Breaches

Government Executive, July 6, 2015

The timelines are based mainly on testimony from OPM Director Katherine Archuleta and Andy Ozment, Assistant Secretary for Cybersecurity and Communications at DHS, supplemented by information from news reports.

2015 Cost of Data Breach Study: Global Analysis

Ponemon Institute and IBM, May 27, 2015

The average cost of a breach was up worldwide in 2014, with U.S. firms paying almost $1.5 million more than the global average. In the United States, a data breach costs organizations on average $5.85 million (the highest of the 10 nations analyzed), up from $5.4 million in 2013. Globally, the cost of a breach is up 15% this year to $3.5 million. The United States likewise had the highest cost per record stolen, at $201, up from $188 last year. The country also led in terms of size of breaches recorded: U.S. companies averaged 29,087 records compromised in 2014. (Free registration required to download.) (31 pages)

Meet 'Tox': Ransomware for the Rest of Us

McAfee Labs, May 23, 2015

The packaging of malware and malware-construction kits for cybercrime "consumers" has been a long-running trend. Various turnkey kits that cover remote access plus botnet plus stealth functions are available virtually anywhere. Ransomware, though very prevalent, has not yet appeared in force in easy-to-deploy kits. However, Tox is now available free.

2014 Internet Crime Report

Internet Crime Complaint Center (IC3), May 19, 2015

IC3, a joint project of the National White Collar Crime Center and the FBI, received 269,422 complaints last year consisting of a wide array of scams affecting victims across all demographic groups. In 2014, victims of Internet crimes in the United States lost more than $800 million. On average, approximately 22,000 complaints were received each month. (48 pages)

Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data

Ponemon Institute, May 2015

A rise in cyberattacks against doctors and hospitals is costing the U.S. health-care system $6 billion a year as organized criminals who once targeted retailers and financial firms increasingly go after medical records. Criminal attacks are up 125% compared with five years ago, when lost laptops were the leading threat. The study also found most organizations are unprepared to address new threats and lack adequate resources to protect patient data. (7 pages)

Best Practices for Victim Response and Reporting of Cyber Incidents

Department of Justice (DOJ), April 29, 2015

DOJ issued new guidance for businesses on best practices for handling cyber incidents. The guidance is broken down into what companies should do, and should not do, before, during, and after an incident. The recommendations include developing an incident response plan, testing it, identifying highly sensitive data and risk management priorities, and connecting with law enforcement and response firms in advance. (15 pages)

2014 Global Threat Intel Report

CrowdStrike, February 6, 2015

The report summarizes CrowdStrike's year-long daily scrutiny of more than 50 groups of cyber threat actors, including 29 different state-sponsored and nationalist adversaries. Key findings explain how financial malware changed the threat landscape and point-of-sale malware became increasingly prevalent. The report also profiles a number of new and sophisticated adversaries from China and Russia. (Free registration required.)

Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata

Science Magazine, January 30, 2015

Massachusetts Institute of Technology (MIT) scientists showed they can identify an individual with more than 90% accuracy by looking at just four purchases (three if the price is included), and this is after companies "anonymized" the transaction records, saying they wiped away names and other personal details. (5 pages)

Ransomware on the Rise: FBI and Partners Working to Combat This Cyber Threat

FBI, January 20, 2015

Ransomware scams involve a type of malware that infects computers and restricts users' access to their files or threatens the permanent destruction of their information unless a ransom, anywhere from hundreds to thousands of dollars, is paid. The site offers information on the proactive steps taken by the FBI and its federal, international, and private-sector partners to neutralize some of the more significant ransomware scams through law enforcement actions against major botnets.

Exploit This: Evaluating the Exploit Skills of Malware Groups

Sophos Labs Hungary, January 2015

Researchers evaluated the malware and advanced persistent threat (APT) campaigns of several groups that all leveraged a particular exploit, a sophisticated attack against a specific version of Microsoft Office. The report found that none of the groups were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack. Despite the aura of skill and complexity that seems to surround APTs, they are much less sophisticated than they are given credit for. (26 pages)

The Cost of Malware Containment

Ponemon Institute, January 2015

A survey of more than 600 U.S. IT security practitioners found that in a typical week, organizations receive an average of nearly 17,000 malware alerts; only 19% are deemed reliable or worthy of action. Compounding the problem, respondents believe their prevention tools miss 40% of malware infections in a typical week. (Free registration required.)

Addressing the Cybersecurity Malicious Insider Threat

Schluderberg, Larry (Utica College Master's Thesis), January 2015

"The purpose of this research was to investigate who constitutes Malicious Insider (MI) threats, why and how they initiate attacks, the extent to which MI activity can be modeled or predicted, and to suggest risk mitigation strategies. The results reveal that addressing the Malicious Insider threat is much more than just a technical issue. Dealing effectively with the threat involves managing the dynamic interaction between employees, their work environment and work associates, the systems with which they interact, and organizational policies and procedures." (80 pages)

The Underground Hacker Markets are Booming with Counterfeit Documents, Premiere Credit Cards, Hacker Tutorials, and 1000% Satisfaction Guarantees

Dell SecureWorks, December 2014

Researchers examined dozens of underground hacker markets and found that business is booming. Prices have gone down for many items and the offerings have expanded. According to the report, "Underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud." (16 pages)

What Happens When You Swipe Your Card?

60 Minutes, November 30, 2014

From the script for the segment "Swiping Your Card": "Sophisticated cyberthieves steal your credit card information. Common criminals buy it and go on shopping sprees—racking up billions of dollars in fraudulent purchases. The cost of the fraud is calculated into the price of every item you buy. When computer crooks swipe your card number, we all end up paying the price. 2014 is becoming known as the 'year of the data breach.'"

Continuing Federal Cyber Breaches Warn Against Cybersecurity Regulation

Heritage Foundation, October 27, 2014

A list of federal government cybersecurity breaches and failures, most of which occurred during 2013 and 2014. The list is part of a continuing series published by Heritage that serves as a long-term compilation of open-source data about federal cybersecurity breaches dating back to 2004.

2014 Cost of Cybercrime Global Report

Hewlett-Packard Enterprise Security and the Ponemon Institute, October 8, 2014

This 2014 global study, which spanned seven nations, found that over the course of a year the average cost of cybercrime for U.S.-based companies climbed by more than 9% to $12.7 million, up from $11.6 million in the 2013 study. The average time to resolve a cyberattack is also rising, climbing to 45 days from 32 days in 2013. (30 pages) (Email registration required.)

The Deep Web (Special Issue)

The Kernel, September 28, 2014

A special issue devoted to the Deep Web, Tor, Silk Road, black markets, etc.

How Consumers Foot the Bill for Data Breaches (infographic)

NextGov.com, August 7, 2014

More than 600 data breaches occurred in 2013 alone, with an average organizational cost of more than $5 million. But in the end, it is the customers who often pick up the tab, from higher retail prices to credit card reissue fees.

Is Ransomware Poised for Growth?

Symantec, July 14, 2014

Ransomware usually masquerades as a virtual "wheel clamp" for the victim's computer. For example, pretending to be from local law enforcement, it might suggest the victim had been using the computer for illicit purposes and claim that to unlock the computer the victim would have to pay a fine, often between $100 and $500. The use of ransomware escalated in 2013, with a 500% (sixfold) increase in attacks between the start and end of the year.

iDATA: Improving Defences Against Targeted Attack

Centre for the Protection of National Infrastructure (UK), July 2014

The iDATA program consists of a number of projects aimed at addressing threats posed by nation-states and state-sponsored actors. iDATA has resulted in several outputs for the cybersecurity community. The document provides a description of the iDATA program and a summary of the reports. (8 pages)

Cyber Risks: The Growing Threat

Insurance Information Institute, June 27, 2014

Although cyber risks and cybersecurity are widely acknowledged to be serious threats, many companies today still do not purchase cyber risk insurance. Insurers have developed specialist cyber insurance policies to help businesses and individuals protect themselves from the cyber threat. Market intelligence suggests that the types of specialized cyber coverage being offered by insurers are expanding in response to this fast-growing market need. (27 pages)

Hackers Wanted: An Examination of the Cybersecurity Labor Market

RAND Corporation, June 24, 2014

RAND examined the current status of the labor market for cybersecurity professionals, with an emphasis on their being employed to defend the United States. This effort was in three parts: first, a review of the literature; second, interviews with managers and educators of cybersecurity professionals, supplemented by reportage; and third, an examination of the economic literature about labor markets. RAND also disaggregated the broad definition of cybersecurity professionals to unearth skills differentiation as relevant to this study. (110 pages)

Big Data and Innovation, Setting the Record Straight: De-identification Does Work

Information Technology and Innovation Foundation and the Information and Privacy Commissioner, Ontario, Canada

June 16, 2014

The paper examines a select group of articles that are often referenced in support of the myth that de-identified data sets are at risk of re-identifying individuals through linkages with other available data. It examines the ways in which the academic research referenced has been misconstrued and finds that the primary reason for the popularity of these misconceptions is not factual inaccuracies or errors within the literature but rather a tendency on the part of commentators to overstate or exaggerate the risk of re-identification. (13 pages)
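The Science paper and the ITIF paper above are two sides of one measurement: the MIT authors quantify re-identification risk as unicity, the share of users whose trace is the only one in the data set containing k of their own points, and the ITIF response is that the fields can be generalised (coarsened) before release until that share is acceptable. The Python below is an added illustration, not code from the CRS report or from either paper. It computes unicity over a small constructed purchase log, first at (shop, date) granularity, then with dates generalised to ISO week, then with dates dropped entirely, and enumerates every k-subset rather than sampling at random, so the results are exact for the toy data. The user ids, shops and dates are invented for the example.

```python
"""Unicity of pseudonymised purchase traces, with and without generalisation.

Added example; the records below are constructed, not real card data.
Assumptions: ISO week is the generalisation step, and every k-subset of a
user's points is enumerated instead of the random sampling used in the paper.
"""
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed sample log: (pseudonymous user id, shop, purchase date).
# Names have already been stripped, as in the "anonymised" data set.
RECORDS = [
    ("u1", "grocer", date(2014, 1, 6)), ("u1", "cafe", date(2014, 1, 7)), ("u1", "books", date(2014, 1, 8)),
    ("u2", "grocer", date(2014, 1, 7)), ("u2", "cafe", date(2014, 1, 8)), ("u2", "books", date(2014, 1, 9)),
    ("u3", "grocer", date(2014, 1, 13)), ("u3", "cafe", date(2014, 1, 14)), ("u3", "books", date(2014, 1, 15)),
    ("u4", "grocer", date(2014, 1, 6)), ("u4", "cafe", date(2014, 1, 14)), ("u4", "books", date(2014, 1, 16)),
]


def exact_point(shop, day):
    """Full granularity: shop and calendar day (what the MIT study had)."""
    return (shop, day.isoformat())


def weekly_point(shop, day):
    """Generalised: shop and ISO (year, week); days in one week merge."""
    year, week, _ = day.isocalendar()
    return (shop, year, week)


def shop_only_point(shop, day):
    """Most aggressive generalisation: the date is dropped altogether."""
    return (shop,)


def traces(records, project):
    """Map each user to the set of projected points in their trace."""
    by_user = defaultdict(set)
    for user, shop, day in records:
        by_user[user].add(project(shop, day))
    return dict(by_user)


def unicity(records, k, project=exact_point):
    """Expected fraction of users uniquely identified by k of their own points.

    For each user and each k-subset of that user's projected points, the
    subset re-identifies the user iff no other user's trace contains all k
    points. The per-user hit rate is averaged over users, which is the
    exhaustive analogue of drawing k random points per user.
    """
    tr = traces(records, project)
    per_user = []
    for user, pts in tr.items():
        subsets = list(combinations(sorted(pts), k))
        if not subsets:              # user has fewer than k points
            continue
        hits = 0
        for sub in subsets:
            s = set(sub)
            others = (other for u, other in tr.items() if u != user)
            if not any(s <= other for other in others):
                hits += 1
        per_user.append(hits / len(subsets))
    return sum(per_user) / len(per_user)


if __name__ == "__main__":
    for name, proj in (("shop+date", exact_point),
                       ("shop+week", weekly_point),
                       ("shop only", shop_only_point)):
        row = ", ".join(f"k={k}: {unicity(RECORDS, k, proj):.3f}" for k in (1, 2, 3))
        print(f"{name:10s} {row}")
```

On this toy log two exact points re-identify every user, the same two points at week granularity re-identify one user in three, and shop-only traces re-identify nobody, which is the whole argument in miniature: the MIT result is that real traces are sparse enough that four exact points already single out most people, and the ITIF rejoinder is that the release decision is made at the coarser projection, where the same measurement gives a very different number. The practical check before publishing any "de-identified" transaction set is to run this calculation at the granularity actually released, not the one collected.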

Net Losses: Estimating the Global Cost of Cybercrime

Center for Strategic and International Studies and McAfee, June 2014

The report explores the economic impact of cybercrime, including estimation, regional variances, IP theft, opportunity and recovery costs, and the future of cybercrime. (24 pages)

2014 U.S. State of Cybercrime Survey

PricewaterhouseCoopers, CSO Magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service

May 29, 2014

The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries. This year, three out of four (77%) respondents to the survey had detected a security event in the past 12 months, and more than one-third (34%) said the number of security incidents detected had increased over the previous year. (21 pages)

Privileged User Abuse and the Insider Threat

Ponemon Institute and Raytheon, May 21, 2014

The report looks at what companies are doing right and the vulnerabilities that need to be addressed with policies and technologies. One problematic area is the difficulty in actually knowing if an action taken by an insider is truly a threat. Sixty-nine percent of respondents say they do not have enough contextual information from security tools to make this assessment, and 56% say security tools yield too many false positives. (32 pages) (Requires free registration to access.)

Online Advertising and Hidden Hazards to Consumer Security and Data Privacy

Senate Permanent Subcommittee on Investigations, May 15, 2014

The report found that consumers could expose themselves to malware just by visiting a popular website. It noted that the complexity of the industry made it possible for both advertisers and host websites to defer responsibility and that consumer safeguards failed to protect against online abuses. The report also warned that current practices do not create enough incentives for "online advertising participants" to take preventive measures. (47 pages)

Sharing Cyberthreat Information Under 18 USC § 2702(a)(3)

Department of Justice (DOJ), May 9, 2014

DOJ issued guidance for Internet service providers to assuage legal concerns about information sharing. The white paper interprets the Stored Communications Act (18 U.S.C. § 2701 et seq.), which prohibits providers from voluntarily disclosing customer information to governmental entities. The white paper says the law does not prohibit companies from divulging data in the aggregate, without any specific details about identifiable customers. (7 pages)

The Target Breach, by the Numbers

Krebs on Security, May 6, 2014

A synthesis of numbers associated with the Target data breach disclosed on December 19, 2013 (e.g., number of records stolen, estimated dollar cost to credit unions and community banks, and the amount of money Target estimates it will spend upgrading payment terminals to support chip-and-PIN cards).

The Rising Strategic Risks of Cyberattacks

McKinsey and Company, May 2014

The authors suggest that companies are struggling with their capabilities in cyber risk management. As highly visible breaches occur with increasing regularity, most technology executives believe they are losing ground to attackers. Organizations large and small lack the facts to make effective decisions, and traditional "protect the perimeter" technology strategies are proving insufficient.

Big Data: Seizing Opportunities, Preserving Values

White House, May 2014

Findings include a set of consumer protection recommendations, such as national data-breach legislation, and a fresh call for the baseline consumer-privacy legislation first recommended in 2012. (85 pages)

Russian Underground Revisited

Trend Micro, April 28, 2014

The price of malicious software designed to enable online bank fraud, identity theft, and other cybercrimes is falling dramatically in some of the Russian-language criminal markets in which it is sold. Falling prices are a result not of declining demand but rather of an increasingly sophisticated marketplace. The report outlines the products and services being sold and their prices. (25 pages)


Federal Agencies Need to Enhance Responses to Data Breaches

Government Accountability Office (GAO), April 2, 2014

Major federal agencies continue to face challenges in fully implementing all components of agency-wide information security programs, which are essential for securing agency systems and the information they contain, including personally identifiable information (PII). (19 pages)

A "Kill Chain" Analysis of the 2013Target Data Breach

Senate CommerceCommittee

March 26,2014

The report analyzes what has been reported todate about the Target data breach, using theintrusion kill chain framework, an analytical toolintroduced by Lockheed Martin securityresearchers in 2011 and widely used today byinformation security professionals in both thepublic and private sectors. The analysis suggeststhat Target missed a number of opportunitiesalong the kill chain to stop the attackers andprevent the massive data breach. (18 pages)

Markets for Cybercrime Tools and Stolen Data

RAND Corporation National Security Research Division and Juniper Networks, March 25, 2014

The report, part of a multiphase study on the future security environment, describes the fundamental characteristics of criminal activity in cyberspace markets and how those markets have grown into their current state, in order to explain how their existence can harm the information security environment. (83 pages)

Merchant and Financial Trade Associations Announce Cybersecurity Partnership

Retail Industry Leaders Association, February 13, 2014

Trade associations representing the merchant and financial services industries announced a new cybersecurity partnership. The partnership will focus on exploring paths to increased information sharing, better card security technology, and maintaining the trust of customers. Discussion regarding the partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable.

FTC Statement Marking the FTC's 50th Data Security Settlement

Federal Trade Commission (FTC), January 31, 2014

The FTC announced its 50th data security settlement. What started in 2002 with a single case applying established FTC Act precedent to the area of data security has grown into an enforcement program that has helped to increase consumer protections and encouraged companies to make safeguarding consumer data a priority. (2 pages)

Worst Practices Guide to Insider Threats: Lessons from Past Mistakes

American Academy of Arts and Sciences, January 2014

The report presents a worst practices guide of serious past mistakes regarding insider threats. Although each situation is unique, and serious insider problems are relatively rare, the incidents reflect issues that exist in many contexts and that every security manager should consider. Common organizational practices, such as prioritizing production over security, failure to share information across subunits, inadequate rules or inappropriate waiving of rules, exaggerated faith in group loyalty, and excessive focus on external threats, can be seen in many past failures to protect against insider threats. (32 pages)


ENISA Threat Landscape 2013—Overview of Current and Emerging Cyber-Threats

European Union Agency for Network and Information Security (ENISA), December 11, 2013

The report is a comprehensive compilation of the top 15 cyber threats assessed in the 2013 reporting period. ENISA collected more than 250 reports regarding cyber threats, risks, and threat agents. (70 pages)

Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent

GAO, December 9, 2013

GAO recommends that "to improve the consistency and effectiveness of governmentwide data breach response programs, the Director of OMB should update its guidance on federal agencies' responses to a PII-related data breach to include (1) guidance on notifying affected individuals based on a determination of the level of risk; (2) criteria for determining whether to offer assistance, such as credit monitoring, to affected individuals; and (3) revised reporting requirements for PII-related breaches to US-CERT [United States Computer Emergency Readiness Team], including time frames that better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk." (67 pages)

Cyber-enabled Competitive Data Theft: A Framework for Modeling Long-Run Cybersecurity Consequences

Brookings Institution, December 2013

Economic espionage has existed at least since the industrial revolution, but the scope of modern cyber-enabled competitive data theft may be unprecedented. The authors present what they believe is the first economic framework and model to understand the long-run impact of competitive data theft on an economy by taking into account the actual mechanisms and pathways by which theft harms the victims. (18 pages)

Illicit Cyber Activity Involving Fraud

Carnegie Mellon University Software Engineering Institute, August 8, 2013

Technical and behavioral patterns were extracted from 80 fraud cases (67 insider and 13 external) that occurred between 2005 and the present. These cases were used to develop insights and risk indicators to help private industry, government, and law enforcement more effectively prevent, deter, detect, investigate, and manage malicious insider activity within the banking and finance sectors. (28 pages)

The Economic Impact of Cybercrime and Cyber Espionage

Center for Strategic and International Studies (CSIS), July 22, 2013

According to CSIS, losses to the United States (the country in which data is most accessible) may reach $100 billion annually. The cost of cybercrime and cyber espionage to the global economy is some multiple of this, likely measured in hundreds of billions of dollars. (20 pages)

Cyber-Crime, Securities Markets, and Systemic Risk

World Federation of Exchanges and the International Organization of Securities Commissions, July 16, 2013

The report explores the nature and extent of cybercrime in securities markets and the potential systemic risk aspects of this threat. It presents the results of a survey of the world's exchanges on their experiences with cybercrime, cybersecurity practices, and perceptions of the risk. (59 pages)

Remaking American Security: Supply Chain Vulnerabilities and National Security Risks Across the U.S. Defense Industrial Base

Alliance for American Manufacturing, May 2013

Because the supply chain is global, the report argues, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks. Increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective. (355 pages)

Comprehensive Study on Cybercrime

United Nations Office on Drugs and Crime

February 2013

The study examined the problem of cybercrime from the perspective of governments, the private sector, academia, and international organizations. It presents its results in eight chapters, covering (1) Internet connectivity and cybercrime; (2) the global cybercrime picture; (3) cybercrime legislation and frameworks; (4) criminalization of cybercrime; (5) law enforcement and cybercrime investigations; (6) electronic evidence and criminal justice; (7) international cooperation in criminal matters involving cybercrime; and (8) cybercrime prevention. (320 pages)

Does Cybercrime Really Cost $1 Trillion?

ProPublica

August 1, 2012

In a news release announcing its 2009 report, Unsecured Economies: Protecting Vital Information, computer security firm McAfee estimated a $1 trillion global cost for cybercrime. The number does not appear in the report itself. This estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. An examination by ProPublica has found new grounds to question the data and methods used to generate these numbers, which McAfee and Symantec say they stand behind.

Proactive Policy Measures by Internet Service Providers against Botnets

Organisation for Economic Co-operation and Development (OECD)

May 7, 2012

The report analyzes initiatives in a number of countries through which end users are notified by Internet service providers (ISPs) when their computers are identified as being compromised by malicious software and are encouraged to take action to mitigate the problem. (25 pages)

Developing State Solutions to Business Identity Theft: Assistance, Prevention and Detection Efforts by Secretary of State Offices

National Association of Secretaries of State (NASS)

January 2012

The white paper is the result of efforts by the 19-member NASS Business Identity Theft Task Force to develop policy guidelines and recommendations for state leaders dealing with identity fraud cases involving public business records. (23 pages)

Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines

SANS Institute

October 3, 2011

The 20 security measures are intended to focus agencies' limited resources on plugging the most common attack vectors. (77 pages)

Revealed: Operation Shady RAT: An Investigation of Targeted Intrusions Into 70+ Global Companies, Governments, and Non-Profit Organizations During the Last 5 Years

McAfee

August 2, 2011

A cyber-espionage operation lasting many years penetrated 72 government and other organizations, most of them in the United States, and copied everything from military secrets to industrial designs, according to technology security company McAfee. (See page 4 for the types of compromised parties, page 5 for the geographic distribution of victims' countries of origin, pages 7-9 for the types of victims, and pages 10-13 for the number of intrusions for 2007-2010.) (14 pages)


The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data

Organisation for Economic Co-operation and Development (OECD)

November 12, 2010

The working paper considers whether ISPs can be critical control points for botnet mitigation, how the number of infected machines varies across ISPs, and why. (31 pages)
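The two OECD entries above (the 2012 report on ISP notification of infected customers and the 2010 working paper that measures infection levels from spam data) rest on one measurement idea: treat each unique IP address observed sending spam as one infected host, map it to the ISP that owns the address, and normalize by the ISP's size so that large and small providers can be compared. The following is an added example written for this page, not code from the OECD papers; the ISP address blocks, subscriber counts and spam-trap log lines are constructed sample data, and the per-1,000-subscriber normalization is an assumption made here to illustrate the method.

```python
# Added example (not from the OECD working paper): estimate per-ISP botnet
# infection levels from spam-trap observations. Unique spam-sending IPs are
# attributed to the ISP whose allocation contains them and normalized by the
# ISP's subscriber base. All data below is constructed for illustration.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical ISP allocations (RFC 5737 documentation ranges).
ISP_PREFIXES = {
    "isp-a": [ip_network("198.51.100.0/24")],
    "isp-b": [ip_network("203.0.113.0/24"), ip_network("192.0.2.0/25")],
}
# Hypothetical subscriber counts used for normalization.
ISP_SUBSCRIBERS = {"isp-a": 50_000, "isp-b": 200_000}

# Constructed spam-trap log: "<timestamp> <source-ip>" per line. One host
# appears three times, one address falls outside every allocation
# (192.0.2.200 is not in 192.0.2.0/25), and one record is malformed.
SPAM_LOG = """\
2010-11-01T00:00:01Z 198.51.100.7
2010-11-01T00:00:02Z 198.51.100.7
2010-11-01T00:00:03Z 198.51.100.20
2010-11-01T00:01:00Z 203.0.113.9
2010-11-01T00:01:30Z 192.0.2.3
2010-11-01T00:02:00Z 198.51.100.7
2010-11-01T00:02:30Z 192.0.2.200
2010-11-01T00:03:00Z not-an-ip
"""


def isp_for(ip):
    """Return the ISP whose allocation contains ip, or None if unmapped."""
    for isp, prefixes in ISP_PREFIXES.items():
        if any(ip in prefix for prefix in prefixes):
            return isp
    return None


def infected_ips_per_isp(log_text):
    """Count unique spam-source IPs per ISP (the proxy for infected machines)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                  # skip malformed records
        try:
            ip = ip_address(parts[1])
        except ValueError:
            continue                  # skip unparsable addresses
        isp = isp_for(ip)
        if isp is not None:
            seen[isp].add(ip)         # a set, so a repeat sender counts once
    return {isp: len(ips) for isp, ips in seen.items()}


def infections_per_1000_subscribers(log_text):
    """Normalize raw counts by subscriber base so ISPs of different sizes compare."""
    counts = infected_ips_per_isp(log_text)
    return {
        isp: counts.get(isp, 0) / subscribers * 1000
        for isp, subscribers in ISP_SUBSCRIBERS.items()
    }


if __name__ == "__main__":
    for isp, rate in sorted(infections_per_1000_subscribers(SPAM_LOG).items()):
        print(f"{isp}: {rate:.3f} infected hosts per 1,000 subscribers")
```

The practitioner's caveat is in the proxy itself: dynamic address assignment can make one infected machine appear as several addresses over a day, while carrier-grade NAT hides many machines behind one, so raw unique-IP counts should be compared across ISPs only over matched time windows and with the address churn of each network in mind.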

Untangling Attribution: Moving to Accountability in Cyberspace (Testimony)

Council on Foreign Relations

July 15, 2010

Robert K. Knake's testimony before the House Committee on Science and Technology on the role of attack attribution in preventing cyberattacks and how attribution technologies can affect the anonymity and privacy of Internet users. (14 pages)

Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

National Research Council

2009

The report explores important characteristics of cyberattacks. It describes the current international and domestic legal structure as it might apply to cyberattacks and considers analogies to other domains of conflict to develop relevant insights. (368 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Page counts are for documents; other cited resources are webpages.

Table 2. National Security, Cyber Espionage, and Cyberwar

(includes Stuxnet, Dark Web/Dark Net)

Title Source Date Notes

Cybersecurity Legislation

International Telecommunication Union

Continuously Updated

An integral and challenging component of any national cybersecurity strategy is the adoption of regionally and internationally harmonized, appropriate legislation against the misuse of information and communication technologies (ICTs) for criminal or other purposes.

Cyberthreat: Real-Time Map

Kaspersky Lab

Continuously Updated

Kaspersky Lab has launched an interactive cyberthreat map that lets viewers see cybersecurity incidents as they occur around the world in real time. The interactive map includes malicious objects detected during on-access and on-demand scans, email and web antivirus detections, and objects identified by vulnerability and intrusion detection subsystems.

Cyberwarfare

RAND

Continuously Updated

Explore RAND reports on cyberwarfare by product type (research, blog, multimedia, event, etc.) or author. Featured reports are at the top of the page.

Too Connected To Fail: How Attackers Can Disrupt the Global Internet, Why It Matters, And What We Can Do About It

Belfer Center for Science and International Affairs (Harvard)

May 2017

This paper examines attacks on core Internet infrastructure through a lens of national security and nation-state conflict. Most analyses have focused on the ability of non-state actors to use these tools to exact ransom or commit mischief. While these are real concerns, an examination of these attacks' applicability in nation-state conflict has been missing. (54 pages)

Cyber Compellence: Applying Coercion in the Information Age

Marine Corps University and Northeastern University, presented at the Annual International Studies Association Meeting, Baltimore, Maryland

April 25, 2017

The paper reviews how state actors applied cyber instruments to coerce adversaries between 2000 and 2014, differentiating between cyber disruption, espionage, and degradation. Cyber disruption and espionage methods seem to achieve their goals of gathering intelligence and signaling through harassment, but do not result in an observable behavioral change in the target in the near term. Only on limited occasions, usually associated with U.S. activity in cyberspace, does cyber coercion, often in the form of degradation, result in concessions. The idea of quick victory in the cyber domain remains elusive. (27 pages)

Bad Bots: The Weaponization of Social Media

College of William and Mary; Project on International Peace and Security

April 2017

In the next several years, hostile states or non-state actors will accelerate their use of social media bots to undermine democracy, recruit terrorists, disrupt markets, and stymie open-source intelligence collection. This report conducts an alternative futures analysis in order to help policymakers identify options to mitigate the threats of social media bots. In the worst-case and most-likely scenario, a technological stalemate between bots and bot detection leads to a false sense of confidence in social media information, which allows breakthroughs in bot technology to create disruptions until bot-detection technology advances. (23 pages)

Strategic Aspects of Cyberattack, Attribution, and Blame

Proceedings of the National Academy of Sciences

March 14, 2017

Attribution of cyberattacks has strategic and technical components. A formal model incorporates both elements and shows the conditions under which it is rational to tolerate an attack and when it is better to assign blame publicly. The model applies to a wide range of conflicts and provides guidance to policymakers about which parameters must be estimated to make a sound decision about attribution and blame. It also draws some surprising conclusions about the risks of asymmetric technical attribution capabilities. (12 pages)

Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits

RAND

March 13, 2017

The report provides findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, inform ongoing policy debates regarding stockpiling and vulnerability disclosure, and add extra context for those examining the implications and resulting liability of attacks and data breaches for U.S. consumers, companies, insurers, and for the civil justice system broadly. (133 pages)

Snapshot: Turning Back DDoS Attacks

DHS Science and Technology, Homeland Security Advanced Research Projects Agency's Cyber Security Division (CSD)

February 16, 2017

CSD's Distributed Denial of Service Defense (DDoSD) project is spearheading a three-pronged approach to shift the advantage to network infrastructure defenders. The project's two primary focuses are on increasing deployment of best practices to slow attack scale growth and on defending networks against 1 Tbps attacks through development of collaboration tools that can be used by medium-size organizations. A third part of the project addresses other types of denial of service attacks, such as those against 911 and Next Generation 911 emergency management systems.

Task Force on Cyber Deterrence

Defense Science Board

February 2017

The U.S. military lacks the cyber capabilities to defend against potential attacks on financial systems, telecommunications systems, and other elements of critical infrastructure launched by Russia or China. Furthermore, the U.S. military's dependence on IT makes it vulnerable to attacks that could diminish its capability to respond to such attacks. The task force recommends that the Pentagon develop a second-strike capability that is cyber-resilient. (44 pages)

The Enemy Has a Voice: Understanding Threats to Inform Smart Investment in Cyber Defense

New America

February 2017

The report discusses the general concept of cyber threat intelligence (CTI), how this powerful concept can reduce the "offensive dominant" nature of cybersecurity, and the various types of such information. The report outlines challenges with cyber threat intelligence going forward and proposes policy ideas that can help lead to improved access to such information across a variety of organizations. (16 pages)

Cyber Prep 2.0: Motivating Organizational Cyber Strategies in Terms of Threat Preparedness

MITRE Corp.

February 2017

Cyber Prep 2.0 focuses on advanced threats and corresponding elements of organizational strategy and includes material related to conventional cyber threats. Cyber Prep 2.0 can be used in standalone fashion, or it can be used to complement and extend the use of other, more detailed frameworks (e.g., the NIST [National Institute of Standards and Technology] Cybersecurity Framework) and threat models.

The U.S. Government and Zero-Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers

Columbia Univ. Journal of International Affairs

November 2016

Government agencies currently submit zero-days they discover to an interagency Vulnerability Equities Process headed by the National Security Council. The review examines questions such as how likely criminals and foreign adversaries are to discover the vulnerability and how much damage they could do if they did discover it, balancing that against what value the vulnerability might provide to U.S. intelligence agencies. (22 pages)

Department Releases Intake and Charging Policy for Computer Crime Matters

Department of Justice

October 25, 2016

"In the course of recent litigation, the department yesterday shared the policy under which we choose whether to bring charges under the Computer Fraud and Abuse Act. As set forth in the memorandum, prosecutors must consider a number of factors in order to ensure that charges are brought only in cases that serve a substantial federal interest."

Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats (Project Report)

GWU Center for Cyber & Homeland Security

October 2016

The report places the current cyber threat in its larger strategic context and then assesses the role of private-sector active defense in addressing such threats. With this in mind, the report proposes a framework that defines the most prevalent active defense measures and places them along a spectrum of relative risk and impact, indicating where close coordination with the government becomes necessary for responsible private action. (86 pages)

Brief History of Law Enforcement Hacking in the United States

New America Foundation

September 2016

Understanding the history of government hacking is important in order to engage more people in the ongoing policy discussion. The paper focuses on a selection of illustrative historical cases, with the understanding that, due to the secret nature of government investigations, only a fraction of the hacking that has taken place is known. This overview highlights major trends in investigative hacking and will hopefully foster more inquiries into these practices by policymakers and the public. (20 pages)

Predicting Cyber Attacks: A Study of the Successes and Failures of the Intelligence Community

Small Wars Journal

July 7, 2016

The article focuses on identifying the major successes and failures of analysis by the Intelligence Community (IC) in predicting cyberattacks against the United States. The research goal is to break down the components of a good cyber defensive force into variables to clearly identify those failures and successes and their effects on the operational ability of the IC in cyberspace. (11 pages)

Tech for Jihad: Dissecting Jihadists' Digital Toolbox

Flashpoint

July 2016

The report attempts to catalog the 36 most noteworthy digital tools in common use by jihadists, and when they started using them. (13 pages)

Cyber Conflict: Prevention, Stability and Control

Carnegie Cyber Policy Initiative

July 2016

Only a few years ago, there were almost no norms globally accepted by governments on cybersecurity or cyber conflict. Even the United States, which had long pushed such norms, had publicly announced very few. The United States and a few other allies confirmed that the laws of armed conflict (otherwise known as International Humanitarian Law or the "Geneva Conventions") applied to cyberspace. Recently, this has changed with tremendous progress, so much so that 2015 was called the Year of Global Cyber Norms. (10 pages)

Combatting the Ransomware Blitzkrieg: The Only Defense is a Layered Defense, Layer One: Endpoint Security

The Institute for Critical Infrastructure Technology

April 2016

The brief contains an analysis of the need for endpoint security; vulnerable endpoints (users, personal computers, servers, mobile devices, specialized hardware, and cloud services); potentially vulnerable endpoints (SCADA/ICS, IoT devices, cars); endpoint security; and selecting an endpoint security strategy. (27 pages)

Know Your Enemies 2.0: The Encyclopedia of the Most Prominent Hacktivists, Nation State, and Mercenary Hackers

Institute for Critical Infrastructure Technology (ICIT)

February 2016

The report covers threat groups not by use of a particular ranking system, but by the dominant players categorized by geography. Zero-days, malware, toolkits, exploit techniques, digital footprints, and targets are covered in this encyclopedia. (81 pages)

Operationalizing Cybersecurity Due Diligence: A Transatlantic Comparative Case Study

South Carolina Law Review

January 12, 2016

"Although much work has been done on applying the law of warfare to cyberattacks, far less attention has been paid to defining a law of cyber peace applicable below the armed attack threshold. Among the most important unanswered questions is what exactly nations' due diligence obligations are to one another and to the private sector, as well as how these obligations should be translated into policy. In this article, we analyze how both the United States and the European Union are operationalizing the concept of cybersecurity due diligence, and then move on to investigate a menu of options presented to the European Parliament in November 2015 by the authors to further refine and apply this concept." (28 pages)

ISIS's OPSEC Manual Reveals How It Handles Cybersecurity

Wired

November 19, 2015

From the article, "So what exactly are ISIS attackers doing for OPSEC? It turns out ISIS has a 34-page guide to operational security, which offers some clues. [R]esearchers with the Combating Terrorism Center at West Point's military academy uncovered the manual and other related documents from ISIS forums and chat rooms."

2015 Annual Report to Congress

U.S.-China Economic and Security Review Commission

November 17, 2015

Reportedly, China causes increasing harm to the U.S. economy and security through two deliberate policies targeting the United States: (1) coordinated, government-backed theft of information from a wide variety of U.S.-based commercial enterprises and (2) widespread restrictions on content, standards, and commercial opportunities for U.S. businesses. Hackers working for the Chinese government—or with the government's support and encouragement—have infiltrated the computer networks of U.S. government agencies, contractors, and private companies, and stolen personal information and trade secrets. (See Chapter 1, Section 4: Commercial Cyber Espionage and Barriers to Digital Trade in China.) (631 pages)

Cyber Defense: An International View

U.S. Army War College Strategic Studies Institute

September 2015

The paper provides an overview of four different national approaches to cyber defense: those of Norway, Estonia, Germany, and Sweden. It also provides a guide for engaging with the relevant governmental and other organizations in each of these countries and compares and contrasts the advantages and drawbacks of each national approach. (65 pages)

Deep Web and the Darknet: A Look Inside the Internet's Massive Black Box

Woodrow Wilson International Center for Scholars

August 1, 2015

"This policy brief outlines what the Deep Web and Darknet are, how they are accessed, and why we should care about them. For policymakers, the continuing growth of the Deep Web in general and the accelerated expansion of the Darknet in particular pose new policy challenges. The response to these challenges may have profound implications for civil liberties, national security, and the global economy." (20 pages)

Cyber-Enabled Economic Warfare: An Evolving Challenge

Hudson Institute

August 2015

This monograph is divided into six chapters: one dissecting the U.S.'s use of cyber-enabled economic warfare; two providing analyses of cyber-enabled economic warfare threats posed to the United States by state and non-state actors; two offering case studies of emerging cyber-enabled economic warfare in two key sectors, financial services and critical infrastructure; and a concluding chapter that reviews key takeaways and next steps. (174 pages)

Russian Underground 2.0

Trend Micro (Forward-Looking Threat Research Team)

July 28, 2015

The Russian underground is a mature ecosystem that covers all aspects of cybercriminal business activities and offers an increasingly professional underground infrastructure for the sale of malicious goods and services. Increasing professionalization of the crime business allows cheaper prices to dominate sales, making it easy and very affordable for anyone without significant skill to buy whatever is needed to conduct criminal dealings. (41 pages)

Below the Surface: Exploring the Deep Web

Trend Micro

June 22, 2015

The research paper offers a look into the duality of the Deep Web—how its ability to protect anonymity can be used to communicate freely, away from censorship and law enforcement, or be used to expedite dubious or criminal pursuits. It also briefly touches on the Deep Web's impact, and offers a forecast on how it could evolve over the next few years. (48 pages)

Cybersecurity: Jihadism and the Internet

European Parliament Think Tank

May 18, 2015

"Since the beginning of the conflict in Syria in March 2011, the numbers of European citizens supporting or joining the ranks of ISIL/Da'esh have been growing steadily, and may now be as high as 4,000 individuals. At the same time, the possible avenues for radicalisation are multiplying and the risks of domestic terrorism increasing. The proliferation of global jihadi messaging online and their reliance on social networks suggest that the Internet is increasingly a tool for promoting jihadist ideology, collecting funds, and mobilizing their ranks." (2 pages)

APT30 and the Mechanics of a Long-Running Cyber-Espionage Operation: How a Cyber Threat Group Exploited Governments and Commercial Entities Across Southeast Asia and India for Over a Decade

FireEye

April 2015

Reportedly, a Chinese government hacking team has used the same basic set of tools to spy on Southeast Asian and Indian dignitaries for a decade, demonstrating the low level of cyber defenses protecting government information across broad swaths of the world. According to FireEye, the fact that this group, APT30, has been able to use the same basic set of malware tools against government networks since at least 2005 suggests that its targets remained unaware for more than a decade that they were being spied on, or were incapable of countering the threat. (70 pages)

Worldwide Threat Assessment of the U.S. Intelligence Community

Director of National Intelligence

February 26, 2015

Cybersecurity is the first threat listed in this annual review of worldwide threats to the United States. Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come. Moreover, the risk calculus employed by some private-sector entities reportedly does not adequately account for foreign cyber threats or the systemic interdependencies between different critical infrastructure sectors. (29 pages)

The Impact of the Dark Web on Internet Governance and Cyber Security

Global Commission on Internet Governance

February 2015

The dark Web is a part of the deep Web that has been intentionally hidden and is inaccessible through standard web browsers. The deep Web has the potential to host an increasingly high number of malicious services and activities. To formulate comprehensive strategies and policies for governing the Internet, it is important to consider insights on its farthest reaches—the deep Web and, more importantly, the dark Web. The paper attempts to provide a broader understanding of the dark Web and its impact on people's lives. (18 pages)

Attributing Cyber Attacks

Thomas Rid and Ben Buchanan, Journal of Strategic Studies

December 23, 2014

The authors introduce the Q Model, designed to explain, guide, and improve the making of attribution. Matching an offender to an offence is an exercise in minimizing uncertainty on three levels: (1) tactically, attribution is an art as well as a science; (2) operationally, attribution is a nuanced process, not a black-and-white problem; and (3) strategically, attribution is a function of what is at stake politically. Successful attribution requires a range of skills on all levels, careful management, time, leadership, stress-testing, prudent communication, and recognizing limitations and challenges. (36 pages)

Operation Cleaver

Cylance

December 2, 2014

A sophisticated hacking group with ties to Iran has probed and infiltrated targets across the United States and 15 other nations during the past two years in a series of cyberattacks dubbed "Operation Cleaver." The Cleaver group has evolved faster than any previous Iranian campaign, according to the report, which calls Iran "the new China" and expresses concern that the group's surveillance operations could evolve into sophisticated, destructive attacks. (86 pages)

Legal Issues Related to Cyber

NATO Legal Gazette

December 2014

The NATO Legal Gazette contains thematically organized articles usually written by military or civilian legal personnel working at NATO or in the governments of NATO and partner nations. Its purpose is to share articles of significance for the large NATO legal community and connect legal professionals of the Alliance. It is not a formal NATO document. (74 pages)

The National Intelligence Strategy of the United States of America 2014

Office of the Director of National Intelligence

September 18, 2014

Cyber intelligence is one of four "primary topical missions" the intelligence community must accomplish. Both state and nonstate actors use digital technologies to achieve goals, such as fomenting instability or achieving economic and military advantages. They do so "often faster than our ability to understand the security implications and mitigate potential risks." To become more effective in the cyber arena, the intelligence community reportedly must improve its ability to correctly attribute attacks. (24 pages)

Today's Rising Terrorist Threat and the Danger to the United States: Reflections on the Tenth Anniversary of the 9/11 Commission Report

The Annenberg Public Policy Center and the Bipartisan Policy Center

July 22, 2014

Members of the panel that studied the 2001 attacks urge Congress to enact cybersecurity legislation, the White House to communicate the consequences of potential cyberattacks to Americans, and leaders to work with allies to define what constitutes an online attack on another country. (48 pages)

Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America's Cyber Dependencies

Center for a New American Security

July 2014

The report examines existing information on technology security weaknesses and provides nine specific recommendations for the U.S. government and others to cope with these insecurities. (64 pages)

M-Trends: Beyond the Breach: 2014 Threat Report

Mandiant

April 2014

Cyber-threat actors are expanding the uses of computer network exploitation to fulfill an array of objectives, from the economic to the political. Threat actors are not only interested in seizing the corporate "crown jewels" but are also looking for ways to publicize their views, cause physical destruction, and influence global decisionmakers. Private organizations have increasingly become collateral damage in political conflicts. Reportedly, with no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important. (28 pages)

Emerging Cyber Threats Report 2014

Georgia Institute of Technology

January 2014

Brief compilation of academic research on losing control of cloud data, insecure but connected devices, attackers adapting to mobile ecosystems, the high costs of defending against cyberattacks, and advances in information manipulation. (16 pages)

Cybersecurity and Cyberwar: What Everyone Needs to Know

Brookings Institution

January 2014

Authors Peter W. Singer and Allan Friedman look at cybersecurity issues faced by the military, government, businesses, and individuals and examine what happens when these entities try to balance security with freedom of speech and the ideals of an open Internet. (306 pages)

W32.Duqu: The Precursor to the Next Stuxnet

Symantec

November 14, 2013

On October 14, 2011, a research lab with strong international connections alerted Symantec to a sample that appeared to be very similar to Stuxnet, the malware that wreaked havoc in Iran's nuclear centrifuge farms. The lab named the threat Duqu because it creates files with the filename prefix DQ. The research lab provided Symantec with samples recovered from computer systems located in Europe as well as a detailed report with initial findings, including analysis comparing the threat to Stuxnet.

To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve

The Langner Group

November 2013

The report summarizes the most comprehensive research on the Stuxnet malware so far. It combines results from reverse engineering the attack code with intelligence on the design of the attacked plant and background information on the attacked uranium enrichment process. It looks at the attack vectors of the two different payloads contained in the malware and provides an analysis of the bigger and much more complex payload that was designed to damage centrifuge rotors by overpressure. (36 pages)

Strategies for Resolving the Cyber Attribution Challenge

Air University, Maxwell Air Force Base

May 2013

Private-sector reports have shown that it is possible to determine the geographic origin of threat actors to varying degrees. Based on these assumptions, nation-states, rather than individuals, should be held culpable for the malicious actions and other cyber threats that originate in or transit information systems within their borders or that are owned by their registered corporate entities. The work builds on other appealing arguments for state responsibility in cyberspace. (109 pages)

Role of Counterterrorism Law in Shaping 'ad Bellum' Norms for Cyber Warfare

International Law Studies (U.S. Naval War College)

April 1, 2013

"To date there has been little attention given to the possibility that international law generally and counterterrorism law in particular could and should develop a subset of cyber-counterterrorism law to respond to the inevitability of cyberattacks by terrorists and the use of cyber weapons by governments against terrorists, and to supplement existing international law governing cyber war where the intrusions do not meet the traditional kinetic thresholds." (42 pages)

The Tallinn Manual on the International Law Applicable to Cyber Warfare

Cambridge University Press / NATO Cooperative Cyber Defence Centre of Excellence

March 5, 2013

The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 "black-letter rules" governing such conflicts. An extensive commentary accompanies each rule, which sets forth the rule's basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to the rule's application. (Note: The manual is not an official NATO publication but rather an expression of opinions of a group of independent experts acting solely in their personal capacities.) (302 pages)

Cyberterrorism: A Survey of Researchers Swansea University March 2013 The report provides an overview of findingsfrom a project designed to capture currentunderstandings of cyberterrorism within theresearch community. The project ranbetween June 2012 and November 2012, andit employed a questionnaire that wasdistributed to more than 600 researchers,authors, and other experts. A total of 118responses were received from individuals

Page 31: Cybersecurity: Cybercrime and National Security ... · coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes:

working in 24 countries across sixcontinents. (21 pages)

National Level Exercise 2012: Quick Look Report
Federal Emergency Management Agency (FEMA)
March 2013
National Level Exercise (NLE) 2012 was a series of exercise events that examined the ability of the United States to execute a coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on four major themes: planning and implementation of the draft National Cyber Incident Response Plan (NCIRP), coordination among governmental entities, information sharing, and decision making. (22 pages)

Responding to Cyber Attacks and the Applicability of Existing International Law
Army War College
January 2013
The paper identifies how the United States should respond to the threat of cyber operations against essential government and private networks. First, it examines the applicability of established international law to cyber operations. Next, it proposes a method for categorizing cyber operations across a spectrum synchronized with established international law. It then discusses actions already taken by the United States to protect critical government and private networks and concludes with additional steps the United States should take to respond to the threat of cyber operations. (34 pages)

Crisis and Escalation in Cyberspace
RAND Corporation
December 2012
The report considers how the Air Force should integrate kinetic and nonkinetic operations. Central to this process is careful consideration of how escalation options and risks should be treated, which in turn demands a broader consideration of the entire crisis-management spectrum. Such crises can be managed by reducing the incentives for other states to step into crisis, controlling the narrative, understanding the stability parameters of the crisis, and managing escalation if conflict arises from a crisis. (200 pages)

Cyberattacks Among Rivals: 2001-2011 (from the article "The Fog of Cyberwar" by Brandon Valeriano and Ryan Maness)
Foreign Affairs
November 21, 2012
A chart showing cyberattacks by initiator and victim, 2001-2011. (Subscription required.)

Proactive Defense for Evolving Cyber Threats
Sandia National Laboratories
November 2012
The project applied rigorous predictability-based analytics to two central and complementary aspects of the network defense problem, the attack strategies of adversaries and the vulnerabilities of defenders' systems, and used the results to develop a scientifically grounded, practically implementable methodology for designing proactive cyber defense systems. (98 pages)

Safeguarding Cyber-Security, Fighting in Cyberspace
International Relations and Security Network (ISN)
October 22, 2012
Looks at the militarization of cybersecurity as a source of global tension and makes the case that cyber warfare is already an essential feature of many leading states' strategic calculations, followed by the opposite case (that the threat posed by cyber warfare capabilities is woefully overstated).

Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World
Symantec Research Labs
October 16, 2012
The paper describes a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. (12 pages)
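The core of the method summarized above is a join between two data sets: per-file first-sighting dates from host telemetry, and per-vulnerability public disclosure dates. A file attributed to a known CVE whose earliest sighting predates disclosure was, at the time, a zero-day exploit; the gap between the two dates is how long the exploit circulated undetected. The following is an added example of that join, not code from the Symantec paper: the hashes, CVE identifiers, dates and the signature-to-CVE attribution are all constructed for illustration.

```python
"""Zero-day identification from field telemetry, after the method summarized
in the Symantec paper above (added example; not the paper's code).

A malicious file whose detection signature ties it to a known CVE, and whose
first sighting on any host predates that CVE's public disclosure, was
exploiting a zero-day when it was seen. Files for the same CVE first seen on
or after disclosure are not zero-day uses, but counting them shows how long
the exploit keeps circulating afterwards.

All hashes, CVE identifiers and dates below are constructed for this example."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Sighting:
    """One telemetry record: file hash, earliest download date reported by
    any host, and the CVE the signature attributes the file to (None when
    the file is malicious but not tied to a specific vulnerability)."""
    sha256: str
    first_seen: date
    cve: str | None


@dataclass(frozen=True)
class ZeroDay:
    cve: str
    first_exploited: date           # earliest field sighting of any file for this CVE
    lead_days: int                  # days that sighting predates public disclosure
    files_before: tuple[str, ...]   # hashes first seen before disclosure
    files_after: tuple[str, ...]    # hashes first seen on/after disclosure


def find_zero_days(sightings: list[Sighting],
                   disclosed: dict[str, date]) -> dict[str, ZeroDay]:
    """Return, per CVE, the zero-day evidence present in the telemetry.

    A CVE appears in the result only if at least one file exploiting it was
    first seen strictly before the disclosure date. Files with no CVE
    attribution, or attributed to a CVE with no known disclosure date,
    cannot be classified and are skipped.
    """
    by_cve: dict[str, list[Sighting]] = defaultdict(list)
    for s in sightings:
        if s.cve is not None and s.cve in disclosed:
            by_cve[s.cve].append(s)

    result: dict[str, ZeroDay] = {}
    for cve, group in by_cve.items():
        group.sort(key=lambda s: s.first_seen)
        before = tuple(s.sha256 for s in group if s.first_seen < disclosed[cve])
        after = tuple(s.sha256 for s in group if s.first_seen >= disclosed[cve])
        if not before:
            continue  # exploit only observed after disclosure: not a zero-day
        first = group[0].first_seen
        result[cve] = ZeroDay(cve, first, (disclosed[cve] - first).days, before, after)
    return result


# Constructed sample data (hypothetical hashes, CVE ids and dates).
DISCLOSED = {
    "CVE-0001-0001": date(2011, 3, 10),
    "CVE-0001-0002": date(2011, 6, 1),
    "CVE-0001-0003": date(2012, 1, 20),
}

SIGHTINGS = [
    Sighting("f1" * 32, date(2010, 12, 1), "CVE-0001-0001"),   # 99 days before disclosure
    Sighting("f2" * 32, date(2011, 2, 1), "CVE-0001-0001"),    # still pre-disclosure
    Sighting("f3" * 32, date(2011, 4, 5), "CVE-0001-0001"),    # after disclosure
    Sighting("f4" * 32, date(2011, 6, 1), "CVE-0001-0002"),    # same day: not a zero-day
    Sighting("f5" * 32, date(2011, 7, 15), "CVE-0001-0002"),
    Sighting("f6" * 32, date(2011, 11, 30), "CVE-0001-0003"),  # 51 days before disclosure
    Sighting("f7" * 32, date(2011, 5, 2), None),               # no CVE attribution: skipped
    Sighting("f8" * 32, date(2011, 5, 3), "CVE-0001-0009"),    # disclosure date unknown: skipped
]


if __name__ == "__main__":
    for cve, zd in sorted(find_zero_days(SIGHTINGS, DISCLOSED).items()):
        print(f"{cve}: first exploited {zd.first_exploited}, "
              f"{zd.lead_days} days before disclosure; "
              f"{len(zd.files_before)} file(s) before, {len(zd.files_after)} after")
```

Two details matter in practice. A sighting on the disclosure date itself is not counted as a zero-day (strict `<`), because same-day exploitation is indistinguishable from an attacker reacting to the advisory. And files whose CVE has no disclosure date in the reference set are dropped rather than guessed at; in real telemetry that reference set is the weak link, since disclosure dates depend on which advisory you treat as public.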

Federal Support for and Involvement in State and Local Fusion Centers
Senate Permanent Subcommittee on Investigations
October 3, 2012
A two-year bipartisan investigation found that U.S. Department of Homeland Security efforts to engage state and local intelligence "fusion centers" have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, "Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts," Part G, "Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts," the report discusses the November 10, 2011, Russian "cyberattack" in Illinois. (141 pages)

Putting the "war" in cyberwar: Metaphor, analogy, and cybersecurity discourse in the United States
First Monday
July 2, 2012
The essay argues that current contradictory tendencies within U.S. cyber war discourse are unproductive and even potentially dangerous. It argues that the war metaphor and the nuclear deterrence analogy are neither natural nor inevitable, and that abandoning them would open up new possibilities for thinking more productively about the full spectrum of cybersecurity challenges, including the as-yet unrealized possibility of cyberwar.

Nodes and Codes: The Reality of Cyber Warfare
U.S. Army School of Advanced Military Studies, Command and General Staff College
May 17, 2012
Explores the reality of cyber warfare through the story of Stuxnet. Three case studies evaluate cyber policy, discourse, and procurement in the United States, Russia, and China before and after Stuxnet to illustrate their similar, yet unique, realities of cyber warfare. (62 pages)

United States Counter Terrorism Cyber Law and Policy, Enabling or Disabling?
Triangle Institute for Security Studies
March 2012
The incongruence between national counterterrorism (CT) cyber policy, law, and strategy degrades the ability of federal CT professionals to interdict transnational terrorists from within cyberspace. To optimize national CT assets and to stymie the growing threat posed by terrorists' ever-expanding use of cyberspace, national decision-makers should modify current policies to efficiently execute national CT strategies, albeit within the framework of existing CT cyber-related statutes. (34 pages)

A Cyberworm that Knows No Boundaries
RAND Corporation
December 21, 2011
Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. Defending against such attacks is an increasingly complex prospect. (55 pages)

Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934
DOD
November 2011
"When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means - diplomatic, informational, military, and economic - to defend our nation, our allies, our partners and our interests." (14 pages)

Cyber War Will Not Take Place
Journal of Strategic Studies
October 5, 2011
The paper argues that cyber warfare has never taken place, is not currently taking place, and is unlikely to take place in the future. (29 pages)

Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011
Office of the National Counterintelligence Executive
October 2011
Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect U.S. technological and economic information will continue at a high level and will represent a growing and persistent threat to U.S. economic security. The nature of the cyber threat will evolve with continuing technological advances in the global information environment. (31 pages)

A Four-Day Dive Into Stuxnet's Heart
Threat Level Blog (Wired)
December 27, 2010
"It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft's Windows vulnerability team learned of it first from an obscure Belarusian security company that even they had never heard of."

Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? A Preliminary Assessment
Institute for Science and International Security
December 22, 2010
The report indicates that commands in the Stuxnet code intended to increase the frequency of the devices targeted by the malware exactly match several frequencies at which the rotors of centrifuges at Iran's Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart. (10 pages)

Stuxnet Analysis
European Network and Information Security Agency (ENISA)
October 7, 2010
The European Union cybersecurity agency warns that the Stuxnet malware is a game changer for critical information infrastructure protection. Computer systems that monitor supervisory control and data acquisition (SCADA) systems, once infected with the worm, might be programmed to establish destructive over- or under-pressure conditions by running industrial pumps at different frequencies.

Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy
National Research Council
October 5, 2010
At the request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government. (400 pages)

Cyber Warfare: Armageddon in a Teacup?
Army Command and General Staff College, Fort Leavenworth
December 11, 2009
This study examines cyber warfare conducted against Estonia in 2007, Georgia in 2008, and Israel in 2008. According to the report, "In all three cases cyber warfare did not achieve strategic political objectives on its own. Cyber warfare employed in the three cases consisted mainly of Denial of Service attacks and website defacement. These attacks were a significant inconvenience to the affected nations, but the attacks were not of sufficient scope, sophistication, or duration to force a concession from the targeted nation. Cyber warfare offensive capability does not outmatch defensive capability to the extent that would allow the achievement of a strategic political objective through cyber warfare alone. The possibility of strategic-level cyber warfare remains great, but the capability has not been demonstrated at this time." (106 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Page counts are for documents; other cited resources are webpages.

Table 3. Cloud Computing, "The Internet of Things," Smart Cities, and FedRAMP

Title / Source / Date / Notes

About FedRAMP FedRAMP.gov ContinuouslyUpdated

The Federal Risk and AuthorizationManagement Program (FedRAMP) isa government-wide program thatprovides a standardized approach tosecurity assessment, authorization,and continuous monitoring for cloudproducts and services.

Internet of Things Consortium Internet of ThingsConsortium

ContinuouslyUpdated

IoTC is comprised of hardware,software and analytics companies, inareas including home automation,wearables, connected cars, smartcities, 3D printing, andvirtual/augmented reality. On behalfof its members, the IoTC is dedicatedto the growth of the internet of thingsmarketplace and the development of

Page 35: Cybersecurity: Cybercrime and National Security ... · coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes:

sustainable business models. TheIoTC educates technology firms,retailers, insurance companies,marketers, media companies and thewider business community about thevalue of IoT.

Cyber-Physical Systems National ScienceFoundation (NSF)

ContinuouslyUpdated

Cyber-physical systems (CPS)integrate sensing, computation,control, and networking into physicalobjects and infrastructure, connectingthem to the Internet and to eachother.

Cyber-Physical Systems Office of Science andTechnology Policy(OSTP), Networkingand InformationTechnology Researchand Development(NITRD) Program)

ContinuouslyUpdated

The CPS Senior Steering Group(SSG) is to coordinate programs,budgets, and policyrecommendations for CPS researchand development (R&D), whichincludes identifying and integratingrequirements, conducting jointprogram planning, and developingjoint strategies.

Cyber-Physical Systems University ofCalifornia, Berkeley

ContinuouslyUpdated

"CPS are integrations ofcomputation, networking, andphysical processes. Embeddedcomputers and networks monitor andcontrol the physical processes, withfeedback loops where physicalprocesses affect computations andvice versa."

Internet of Things Consortium Technology hardware,software and analyticscompanies

ContinuouslyUpdated

IoTC is composed of hardware,software and analytics companies, inareas including home automation,wearables, connected cars, smartcities, 3D printing, andvirtual/augmented reality. On behalfof its members, the IoTC is dedicatedto the growth of the Internet of thingsmarketplace and the development ofsustainable business models. TheIoTC educates technology firms,retailers, insurance companies,marketers, media companies, and thewider business community about thevalue of IoT.

Newly Launched 'Trusted IoTAlliance' Unites the Industry toFurther a Blockchain-based Internet ofThings

Medium September 19,2017

The mission of the Trusted IoTAlliance is to bring companiestogether to develop and set thestandard for an open sourceblockchain protocol to support IoTtechnology in major industriesworldwide. The Alliance plans tofund small grants to support opensource development and is reviewingproposals from IoT and blockchaintechnologists.

Page 36: Cybersecurity: Cybercrime and National Security ... · coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes:

Internet of Things: EnhancedAssessments and Guidance AreNeeded to Address Security Risks inDOD

GAO July 27, 2017 Congress included provisions inreports associated with two separatestatutes for GAO to assess the IoT-associated security challenges facedby DOD. This report (1) addressesthe extent to which DOD hasidentified and assessed security risksrelated to IoT devices, (2) assessesthe extent to which DOD hasdeveloped policies and guidancerelated to IoT devices, and (3)describes other actions DOD hastaken to address security risks relatedto IoT devices.(46 pages)

Internet of Things: CommunitiesDeploy Projects by CombiningFederal Support with Other Funds andExpertise

GAO July 26, 2017 All four of the communities thatGAO reviewed are using federalfunds in combination with otherresources, both financial and non-financial, to plan and deploy IoTprojects. For example, onecommunity used the $40 millionDOT award to leverage, fromcommunity partners, more than $100million in additional direct and in-kind contributions, such as researchor equipment contributions.Communities discussed four mainchallenges to deploying IoT,including community sectors (e.g.,transportation, energy, and publicsafety) that are siloed and proprietarysystems that are not interoperablewith one another. (45 pages)

The Internet of Things ConnectivityBinge: What Are the Implications?

Pew Research Center June 6, 2017 As automobiles, medical devices,smart TVs, manufacturing equipmentand other tools and infrastructure arenetworked, is it likely that attacks,hacks or ransomware concerns in thenext decade will cause significantnumbers of people to decide todisconnect, or will the trend towardgreater connectivity of objects andpeople continue unabated? Some1,201 responded to this nonscientificcanvassing: 15% of these particularrespondents said significant numberswould disconnect and 85% chose theoption that most people will movemore deeply into connected life. (94pages)

Technology Assessment: Internet ofThings: Status and implications of anincreasingly connected world

GAO May 15, 2017 GAO reviewed key reports andscientific literature; convened twoexpert meetings with the assistanceof the National Academies; andinterviewed officials from twoagencies to obtain their views onspecific implications of the IoT. (78pages)

Page 37: Cybersecurity: Cybercrime and National Security ... · coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes:

IoT, Automation, Autonomy, andMegacities in 2025

Center for Strategic &International Studies

April 26, 2017 Engineers designing andimplementing internet-connectedIOT devices face daunting challengesthat is creating a discomfort withwhat they see evolving in theirinfrastructures. This paper bringstheir concerns to life by extrapolatingfrom present trends to describeplausible (likely?) future crisesplaying out in multiple global citieswithin 10 years. Much of whatoccurs in the scenarios is fullypossible today. This paper attemptsto reveal what is possible when thesetechnologies are applied to criticalinfrastructure applications en massewithout adequate security in denselypopulated cities of the near futurethat are less resilient than otherenvironments. (16 pages)

The Cyber Shield Act: Is theLegislative Community FinallyListening to Cybersecurity Experts?

Institute for CriticalInfrastructureTechnology

April 2017 There are three main criteria toensure a Cyber Shield programworks. First, officials must ensureindustry leaders are involved indeveloping the ratings but notleading the team. Second, theprogram should include a substantialpublic education component aimed atmaking consumers care enough aboutcybersecurity that the rankingsactually change their buyingdecisions. Finally, the rankingsthemselves should go beyond a mereone-star to five-star ranking toincorporate more dynamic data. (8pages)

A 21st Century Cyber-PhysicalSystems Education

National Academy ofSciences ComputerScience andTelecommunicationsBoard

February 2017 The report describes the knowledgeand skills required to engineerincreasingly capable, adaptable, andtrustworthy systems that integrate thecyber and physical worlds andrecommends paths for creating thecourses and programs needed toeducate the engineering workforcethat builds them. (107 pages)

A Data Privacy Playbook Berkman Klein Center(Harvard)

February 2017 Opening data has many importantbenefits, but sharing data comes withinherent risks to individual privacy:released data can reveal informationabout individuals that wouldotherwise not be public knowledge.The document is takes a first steptoward codifying responsibleprivacy-protective approaches andprocesses that could be adopted bycities and other groups that arepublicly releasing data. (111 pages)

Cross-Device Tracking: An FTC Staff FTC January 23, The report describes the technology

Page 38: Cybersecurity: Cybercrime and National Security ... · coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes:

Report 2017 used to track consumers acrossmultiple Internet-connected devices,the benefits and challengesassociated with it, and industryefforts to address those challenges.The report concludes by makingrecommendations to industry abouthow to apply traditional principleslike transparency, choice, andsecurity to this relatively newpractice. (23 pages)

Rise of the Machines: the Dyn AttackWas Just a Practice Run

Institute for CriticalInfrastructureTechnology

December2016

The Mirai IoT botnet has inspired arenaissance in adversarial interest inDDoS botnet innovation based on thelack of fundamental security-by-design in the Internet and in IoTdevices... The report provides acomprehensive and detailed analysisof this threat which has forcedstakeholders to recognize the lack ofsecurity by design and the prevalenceof vulnerabilities inherent in thefoundational design of IoT devices.(62 pages)

Internet of Things will demand a step-change in search solutions

IEEE IntelligentSystems

November 23,2016

With more and more IoT devicesbeing connected to the Internet, andsmart city data projects starting to beimplemented, there is an urgent needto develop new search solutions thatwill allow information from IoTsources to be found and extracted.Although existing search engineshave ever more sophisticated andeffective ways of crawling throughweb pages and searching for textualdata, the article argues that they willnot be effective in accessing the typeof numerical and sensory data thatIoT devices will need to gather. (5pages)

Internet of Things (IoT) Security andPrivacy Recommendations

Broadband InternetTechnical AdvisoryGroup (BITAG)

November 22,2017

BITAG believes therecommendations outlined in thisreport may help to dramaticallyimprove the security and privacy ofIoT devices and minimize the costsassociated with collateral damage. Inaddition, unless the IoT device sector—the sector of the industry thatmanufactures and distributes thesedevices—improves device securityand privacy, consumer backlash mayimpede the growth of the IoTmarketplace and ultimately limit thepromise that IoT holds. (43 pages)

Strategic Principles for Securing theInternet of Things

DHS November 15,2016

The document explains IoT risks andprovides a set of non-bindingprinciples and suggested bestpractices to build toward a

Page 39: Cybersecurity: Cybercrime and National Security ... · coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes:

responsible level of security for thedevices and systems businessesdesign, manufacture, own, andoperate. (17 pages)

Systems Security Engineering:Considerations for a MultidisciplinaryApproach in the Engineering ofTrustworthy Secure Systems

NIST November2016

NIST formally unveiled theirguidelines for increasing the securityof Internet-connected devices. Theguide provides security guidelines for30 different processes involved withmanaging Internet-connecteddevices, from the supply phase totesting. (257 pages)

Building Smart Communities for theFuture: Proceedings of a Workshop

National AcademiesPress

October 2016 Summary of presentations at June21-22, 2016, Government-University-Industry ResearchRoundtable (GUIRR) meeting toexplore the role of connectedness andsustainability in developing smartcommunities; the challenges andopportunities associated with the roll-out of intelligent systems; and thepartnerships among governments,universities, and industry that areintegral to these advances. (8 pages)

Announcing Over $80 million in NewFederal Investment and a a Doublingof Participating Communities in theWhite House Smart Cities Initiative

White House September 26,2016

In September 2015, the White Houselaunched the Smart Cities Initiativeto make it easier for cities, federalagencies, universities, and the privatesector to work together to research,develop, deploy, and testbed newtechnologies that can help make ourcities more inhabitable, cleaner, andmore equitable. This year, to kick offSmart Cities Week, theAdministration is expanding thisinitiative, with over $80 million innew federal investments and adoubling of the number ofparticipating cities and communities,exceeding 70 in total.

Demystifying the Internet of Things (InformationTechnologyLaboratory) ITLBulletin

September2016

NIST SP800-183 offers anunderlying and foundational sciencefor IoT—based technologies on therealization that IoT involves sensing,computing, communication, andactuation. It presents a commonvocabulary to foster a betterunderstanding of IoT and bettercommunication between those partiesdiscussing IoT. (4 pages)

Increasing the Potential of IoTthrough Security and Transparency

NTIA August 2,2016

NTIA is planning to launch a newmultistakeholder process to supportbetter consumer understanding of IoTproducts that support securityupgrades. They have used thisapproach to help make progress on

Page 40: Cybersecurity: Cybercrime and National Security ... · coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes:

issues such as cybersecurityvulnerability disclosure and toprovide more transparency about datacollected by mobile apps. Given theburgeoning consumer adoption ofIoT, the time seems ripe to bringstakeholders together to help drivesome guidelines to encourage thegrowth of IoT.

Network of 'Things' NIST July 28, 2016 The publication provides a basicmodel aimed at helping researchersbetter understand IoT and its securitychallenges. (30 pages)

How Is the Federal Government Usingthe Internet of Things?

Center for DataInnovation

July 25, 2016 The federal government faces anumber of challenges that haveslowed the adoption of IoT in thepublic sector. First, there is a lack ofstrategic leadership at the federallevel about how to make use of IoT.Second, federal agencies do notalways have workers with thenecessary technical skills toeffectively use data generated by IoT.Third, federal agencies do not havesufficient funding to modernize theirIT infrastructure and beginimplementing IoT pilot projects.Fourth, even when funding exists,federal procurement policies oftenmake it difficult for agencies toquickly and easily adopt thetechnology. Finally, risks anduncertainty—about privacy, security,interoperability, and return oninvestment—delay federal adoptionas potential federal users wait for thetechnology to mature and others toadopt first. (30 pages)

The Benefits, Challenges, andPotential Roles for the Government inFostering the Advancement of theInternet of Things

FTC Bureau ofConsumer Protectionand Office of PolicyPlanning

June 2, 2016 FTC staff comment on NTIA'sRequest for Comment on the Internetof Things. The comment highlightslessons learned from the FTC's lawenforcement, consumer and businesseducation, and policy activitiesrelating to these issues. It thenaddresses the benefits and risks ofIoT, highlights some best practicerecommendations for industry,discusses the role of government infostering innovation in IoT productsand services, and sets forth someconsiderations for NTIA in settingstandards and promotinginteroperability. (17 pages)

Cloud Computing: Agencies Need toIncorporate Key Practices to EnsureEffective Performance

GAO April 7, 2016 GAO was asked to examine federalagencies' use of Service LevelAgreements (SLAs). GAO'sobjectives were to (1) identify key

Page 41: Cybersecurity: Cybercrime and National Security ... · coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes:

practices in cloud computing SLAsand (2) determine the extent to whichfederal agencies have incorporatedsuch practices into their SLAs. GAOanalyzed research, studies, andguidance developed by federal andprivate entities to establish a list ofkey practices to be included in SLAs.GAO validated its list with theentities, including OMB, andanalyzed 21 cloud service contractsand related documents of fiveagencies (with the largest fiscal year2015 IT budgets) against the keypractices to identify any variances,their causes, and impacts. (46 pages)

The Benefits, Challenges, andPotential Roles for the Government inFostering the Advancement of theInternet of Things

NationalTelecommunicationsand InformationAdministration (NTIA)

April 6, 2016 NTIA is initiating an inquiryregarding the Internet of Things(IoT) to review the currenttechnological and policy landscape.Through this notice, NTIA seeksbroad input from all interestedstakeholders—including the privateindustry, researchers, academia, andcivil society—on the potentialbenefits and challenges of thesetechnologies and what role, if any,the U.S. government should play inthis area. After analyzing thecomments, the department intends toissue a "green paper" that identifieskey issues impacting deployment ofthese technologies, highlightspotential benefits and challenges, andidentifies possible roles for thefederal government in fostering theadvancement of IoT technologies inpartnership with the private sector. (5pages)

Product Testing and Validation UnderwritersLaboratories

April 4, 2016 The UL Cybersecurity AssuranceProgram (CAP) certification verifiesthat a product offers a reasonablelevel of protection against threats thatmay result in unintended orunauthorized access, change ordisruption.... The [UL 2900]Standard contains requirements forthe vendor to design the securitycontrols in such a way that theydemonstrably satisfy the securityneeds of the product. The Standardalso describes testing and verificationrequirements aimed at collectingevidence that the designed securitycontrols are implemented.

Alternative perspectives on theInternet of Things

Brookings Institution March 25,2016

Brookings scholars contribute theirindividual perspectives on the policychallenges and opportunitiesassociated with IoT.

Page 42: Cybersecurity: Cybercrime and National Security ... · coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes:

Emerging Cyber Threats Report 2016 Georgia Institute ofTechnologyCybersecurity Summit2015

November2015

"The intersection of the physical anddigital world continued to deepen in2015. The adoption of network-connected devices and sensors—theInternet of Things—accelerated andwas expected to reach nearly 5billion devices by the end of theyear." (20 pages)

Interim Report on 21st CenturyCyber-Physical Systems Education

NSF July 2015 "CPS [also known as The Internet ofThings] are increasingly relied on toprovide the functionality and value toproducts, systems, and infrastructurein sectors including transportation,health care, manufacturing, andelectrical power generation anddistribution. CPS are smart,networked systems with embeddedsensors, computer processors, andactuators that sense and interact withthe physical world; support real-time,guaranteed performance; and areoften found in critical applications."(48 pages)

Internet of Things: Mapping the ValueBeyond the Hype

McKinsey GlobalInstitute

June 2015 The paper is based upon a study ofmore than 100 use cases of theInternet of Things' (IoT's) potentialeconomic impact within next 10years. It outlines who will benefitand by how much. It also covers thefactors—both enablers and barriers—that organizations face as theydevelop their IoT solutions. (144pages)

Cloud Computing: Should CompaniesDo Most of Their Computing in theCloud?

The Economist May 26, 2015 Big companies have embraced thecloud more slowly than expected.Some are holding back because ofcosts and others are wary ofentrusting sensitive data to anotherfirm's servers. Should companies bedoing most of their computing in thecloud? Representing the "Yes"viewpoint is Simon Crosby, co-founder and chief technology officer(CTO) of Bromium Inc.Representing the "No" viewpoint isBruce Schneier, CTO at ResilientSystems.

Formation of the Office of Technology Research and Investigation (OTRI) | Federal Trade Commission (FTC) | March 23, 2015 | The OTRI will provide expert research, investigative techniques, and further insights to the agency on technology issues involving all facets of the FTC's consumer protection mission, including privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and IoT. Like the former Mobile Technology Unit (MTU), the new office will be housed in the Bureau of Consumer Protection and is the agency's latest effort to ensure that its core consumer protection mission keeps pace with the rapidly evolving digital economy. Kristin Cohen, the current chief of the MTU, will lead the work of the OTRI.

Insecurity in the Internet of Things (IoT) | Symantec | March 12, 2015 | Symantec analyzed 50 smart home devices available today and found that none of them enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Of the mobile apps used to control the tested IoT devices, almost two out of 10 did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities. (20 pages)

FedRAMP High Baseline | General Services Administration (GSA) | February 3, 2015 | GSA released a draft of security-control requirements for cloud computing systems purchased by federal agencies for "high-impact" uses. High-impact data will likely consist of health and law-enforcement data, but not classified information. Currently, cloud computing vendors seeking to sell to federal agencies must obtain security accreditation through FedRAMP. To date, FedRAMP has offered accreditations up to the moderate-impact level. About 80% of federal IT systems are low- and moderate-impact.

What is The Internet of Things? | O'Reilly Media | January 2015 | Ubiquitous connectivity is meeting the era of data. Since working with large quantities of data became dramatically cheaper and easier a few years ago, everything that touches software has become instrumented and optimized. Finance, advertising, retail, logistics, academia, and practically every other discipline has sought to measure, model, and tweak its way to efficiency. Software can ingest data from many inputs, interpret it, and then issue commands in real time. (Free registration required.) (32 pages)

FedRAMP Forward: 2 Year Priorities | General Services Administration (GSA) | December 17, 2014 | The report addresses how the program will develop over the next two years. GSA is focusing on three goals for FedRAMP: increased compliance and agency participation, improved efficiencies, and continued adaptation. (14 pages)

The Internet of Things: 2014 OECD Tech Insight Forum | Organisation for Economic Co-operation and Development (OECD) | December 11, 2014 | The IoT extends Internet connectivity beyond traditional machines such as computers, smartphones, and tablets to a diverse range of everyday devices that use embedded technology to interact with the environment, all via the Internet. How can this collected data be used? What new opportunities will this create for employment and economic growth? How can societies benefit from technical developments to health, transport, safety and security, business, and public services? The OECD Technology Foresight Forum facilitated discussion on what policies and practices will enable or inhibit the ability of economies to seize the benefits of IoT.

DOD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process | Department of Defense (DOD) Inspector General | December 4, 2014 | The report states that the DOD chief information officer "did not develop an implementation plan that assigned roles and responsibilities as well as associated tasks, resources and milestones," despite promises that an implementation plan would directly follow the cloud strategy's release. (40 pages)

NSTAC Report to the President on the Internet of Things | President's National Security Telecommunications Advisory Committee | November 18, 2014 | The NSTAC unanimously approved a recommendation that governmental Internet traffic could get priority transmission during emergencies. The government already gets emergency priority in more traditional communications networks like the phone system through programs such as the Government Emergency Telecommunications Service (GETS). NSTAC now is proposing a GETS for the Internet. (56 pages)

The Department of Energy's Management of Cloud Computing Activities: Audit Report | Department of Energy (DOE) Inspector General | September 1, 2014 | According to the inspector general, DOE should do a better job buying, implementing, and managing its cloud computing services. Programs and sites department-wide have independently spent more than $30 million on cloud services, but the chief information officer's office could not accurately account for the money. (20 pages)

Cloud Computing: The Concept, Impacts, and the Role of Government Policy | Organization for Economic Co-operation and Development (OECD) | August 19, 2014 | The report gives an overview of cloud computing; it presents the concept, the services it provides, and deployment models; discusses how cloud computing changes the way computing is carried out; evaluates the impacts of cloud computing (including its benefits and challenges as well as its economic and environmental impacts); and discusses the policy issues raised by cloud computing and the roles of governments and other stakeholders in addressing these issues. (240 pages)

Internet of Things: the Influence of M2M Data on the Energy Industry | GigaOm Research | March 4, 2014 | The report examines the drivers of machine-to-machine (M2M) data exploitation in the smart-grid sector and the oil and gas sector, as well as the risks and opportunities for buyers and suppliers of the related core technologies and services. (21 pages)

Software Defined Perimeter | Cloud Security Alliance | December 1, 2013 | Cloud Security Alliance's software defined perimeter (SDP) initiative aims to make "invisible networks" accessible to a wider range of government agencies and corporations. The initiative will foster the development of architecture for securing the IoT using the cloud to create highly secure end-to-end networks between IP-addressable entities. (13 pages)

Delivering on the Promise of Big Data and the Cloud | Booz Allen Hamilton | January 9, 2013 | The reference architecture does away with conventional data and analytics silos, consolidating all information into a single medium designed to foster connections called a "data lake," which reduces complexity and creates efficiencies that improve data visualization to allow for easier insights by analysts. (7 pages)

Cloud Computing: An Overview of the Technology and the Issues Facing American Innovators | House Judiciary Committee, Subcommittee on Intellectual Property, Competition, and the Internet | July 25, 2012 | Overview and discussion of cloud computing issues. (156 pages)

Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned | Government Accountability Office (GAO) | July 11, 2012 | GAO recommends that the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration and Small Business Administration should direct their respective chief information officers to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service, as applicable. (43 pages)

Cloud Computing Strategy | DOD Chief Information Officer | July 2012 | The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state that is agile, secure, and cost-effective and to a service environment that can rapidly respond to changing mission needs. (44 pages)

A Global Reality: Governmental Access to Data in the Cloud—A Comparative Analysis of Ten International Jurisdictions | Hogan Lovells | May 23, 2012 | The white paper compares the nature and extent of governmental access to data in the cloud in many jurisdictions around the world. (13 pages)

Policy Challenges of Cross-Border Cloud Computing | U.S. International Trade Commission | May 2012 | The report examines the main policy challenges associated with cross-border cloud computing—data privacy, security, and ensuring the free flow of information—and the ways countries are addressing them through domestic policymaking, international agreements, and other cooperative arrangements. (38 pages)

Cloud Computing Synopsis and Recommendations (SP 800-146) | National Institute of Standards and Technology (NIST) | May 2012 | NIST's guide explains cloud technologies in plain terms to federal agencies and provides recommendations for IT decisionmakers. (81 pages)

Global Cloud Computing Scorecard: A Blueprint for Economic Opportunity | Business Software Alliance | February 2, 2012 | The report notes that although many developed countries have adjusted their laws and regulations to address cloud computing, the wide differences in those rules make it difficult for companies to invest in the technology. (24 pages)

Concept of Operations: FedRAMP | General Services Administration (GSA) | February 7, 2012 | FedRAMP is implemented in phases. The document describes all the services that were available at the 2012 initial operating capability. The concept of operations is updated as the program evolves toward sustained operations. (47 pages)

Federal Risk and Authorization Management Program (FedRAMP) | Federal Chief Information Officers Council | January 4, 2012 | FedRAMP provides a standard approach to assessing and authorizing (A&A) cloud computing services and products.

Security Authorization of Information Systems in Cloud Computing Environments (FedRAMP) | White House/Office of Management and Budget (OMB) | December 8, 2011 | FedRAMP is now required for all agencies purchasing storage, applications, and other remote services from vendors. The Administration promotes cloud computing as a means to save money and accelerate the government's adoption of new technologies. (7 pages)

U.S. Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (Draft). High-Priority Requirements to Further USG Agency Cloud Computing Adoption (SP 500-293) | National Institute of Standards and Technology (NIST) | December 1, 2011 | Volume I is aimed at interested parties that wish to gain a general understanding and overview of the background, purpose, context, work, results, and next steps of the U.S. Government Cloud Computing Technology Roadmap initiative. (32 pages)

U.S. Government Cloud Computing Technology Roadmap, Volume II, Release 1.0 (Draft), Useful Information for Cloud Adopters (SP 500-293) | National Institute of Standards and Technology (NIST) | December 1, 2011 | Volume II is designed as a technical reference for those actively working on strategic and tactical cloud computing initiatives including, but not limited to, U.S. government cloud adopters. This volume integrates and summarizes the work completed as of 2011 and explains how these findings support the roadmap introduced in Volume I. (85 pages)

Information Security: Additional Guidance Needed to Address Cloud Computing Concerns | GAO | October 6, 2011 | Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that NIST issue guidance specific to cloud computing security. (17 pages)

Cloud Computing Reference Architecture (SP 500-292) | NIST | September 1, 2011 | The special publication, which is not an official U.S. government standard, is designed to provide guidance to specific communities of practitioners and researchers. (35 pages)

Federal Cloud Computing Strategy | White House | February 8, 2011 | The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance. (43 pages)


25-Point Implementation Plan to Reform Federal Information Technology Management | White House | December 9, 2010 | The plan's goals are to reduce the number of federally run data centers from 2,100 to approximately 1,300, rectify or cancel one-third of troubled IT projects, and require federal agencies to adopt a "cloud first" strategy in which they will move at least one system to a hosted environment within a year. (40 pages)

Federal Guidance Needed to Address Control Issues With Implementing Cloud Computing | GAO | July 1, 2010 | The report suggests that the OMB director should establish milestones for completing a strategy for implementing the federal cloud computing initiative to assist federal agencies in identifying uses for and information security measures to use in implementing cloud computing. (53 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Page counts are for documents; other cited resources are webpages.

Author Contact Information

Rita Tehan, Information Research Specialist ([email protected], 7-6739)

Footnotes

1. "A breach constitutes a 'major incident' when it involves [personally identifiable information] that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people," the [OMB] memo states. "An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals' PII constitutes a 'major incident.'" Source: Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements, November 4, 2016.

2. Cloud computing is a web-based service that allows users to access anything from email to social media on a third-party computer. For example, Gmail and Yahoo are cloud-based email services that allow users to access and store emails that are saved on each respective service's computer, rather than on the individual's computer.

3. The "Internet of Things" (IoT) refers to networks of objects that communicate with other objects and with computers through the Internet. "Things" may include virtually any object for which remote communication, data collection, or control might be useful, such as vehicles, appliances, medical devices, electric grids, transportation infrastructure, manufacturing equipment, or building systems. See also CRS Report R44227, The Internet of Things: Frequently Asked Questions, by Eric A. Fischer.

4. The Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 to provide a government-wide standard, centralized approach to assessing and authorizing cloud computing services and products. It reached initial operational capabilities in June 2012 and became fully operational during FY2014. See also CRS Report R42887, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, by Patricia Moloney Figliola and Eric A. Fischer.


CRS Reports & Analysis

Cybersecurity: Federal Government Authoritative Reports and Resources
November 13, 2017 (R44427)
Rita Tehan, Senior Research Librarian ([email protected], 7-6739)

Related Author

Rita Tehan

Contents

Introduction

Tables
Table 1. Federal Government: Overview Reports and Resources
Table 2. Federal Acquisitions Rules and Federal Contractors
Table 3. Agency Audits and Evaluations
Table 4. Federal Workforce
Table 5. White House and Office of Management and Budget
Table 6. Cybersecurity Framework (NIST) and Information Sharing
Table 7. Department of Homeland Security (DHS)
Table 8. Department of Defense (DOD)
Table 9. National Institute of Standards and Technology (NIST)

Summary

This report serves as a starting point for congressional staff assigned to cover cybersecurity issues related to federal and military government activities. Much is written by and about the federal government's efforts to address cybersecurity policy challenges, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources related to

Table 1, overview reports;
Table 2, federal acquisitions rules and federal contractors;
Table 3, federal agency audits and evaluations, including Government Accountability Office (GAO);
Table 4, federal workforce;
Table 5, White House and Office of Management and Budget (OMB);
Table 6, cybersecurity framework and information sharing;
Table 7, Department of Homeland Security (DHS);
Table 8, Department of Defense (DOD); and
Table 9, National Institute of Standards and Technology (NIST).

The following CRS reports comprise a series that compiles authoritative reports and resources on these additional cybersecurity topics:

CRS Report R44405, Cybersecurity: Overview Reports and Links to Government, News, and Related Resources, by Rita Tehan
CRS Report R44406, Cybersecurity: Education, Training, and R&D Authoritative Reports and Resources, by Rita Tehan
CRS Report R44408, Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources, by Rita Tehan
CRS Report R44410, Cybersecurity: Critical Infrastructure Authoritative Reports and Resources, by Rita Tehan
CRS Report R44417, Cybersecurity: State, Local, and International Authoritative Reports and Resources, by Rita Tehan
CRS Report R43310, Cybersecurity: Data, Statistics, and Glossaries, by Rita Tehan
CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan

Introduction

This report serves as a starting point for congressional staff assigned to cover cybersecurity issues related to federal and military agency activities. Much is written by and about the federal government's efforts to address cybersecurity policy and practical challenges, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources related to

Table 1, overview reports;
Table 2, federal acquisitions rules and federal contractors;
Table 3, federal agency audits and evaluations, including Government Accountability Office (GAO);
Table 4, federal workforce;
Table 5, White House and Office of Management and Budget (OMB);
Table 6, cybersecurity framework and information sharing;
Table 7, Department of Homeland Security (DHS);
Table 8, Department of Defense (DOD); and
Table 9, National Institute of Standards and Technology (NIST).

Table 1. Federal Government: Overview Reports and Resources

Title | Source | Date | Notes

GAO reports on Cybersecurity | GAO | Continuously Updated | A list of five "Key Reports," and dozens of other cybersecurity reports by GAO.

National Strategy for Trusted Identities in Cyberspace (NSTIC) | National Institute of Standards and Technology (NIST) | Continuously Updated | The NSTIC pilot projects seek to catalyze a marketplace of online identity solutions that ensures the envisioned Identity Ecosystem is trustworthy and reliable. Using privacy-enhancing architectures in real-world environments, the pilots are testing new methods for online identification for consumers that increase usability, security, and interoperability to safeguard online transactions.

Federal cybersecurity initiatives timeline - Draft 1.b | Center for Strategic and International Studies (CSIS) | Continuously Updated | A timeline of presidential and congressional cybersecurity initiatives from 1998 to the present.

State of (US) Federal Information Technology Report | US CIO Council | January 19, 2017 | The publication provides an overview of the government's path to the current state of information technology and 11 recommendations for the future of government information technology. (155 pages)

Cyber-Related Sanctions Regulations | Office of Foreign Assets Control of the U.S. Department of the Treasury (OFAC) | December 31, 2015 | OFAC is issuing regulations to implement Executive Order 13694, "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities," April 1, 2015. OFAC intends to supplement this part 578 with a more comprehensive set of regulations, which may include additional interpretive and definitional guidance and additional general licenses and statements of licensing policy. (8 pages)

Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem | National Telecommunications and Information Administration (NTIA) | June 1, 2015 | Public comments to the NTIA regarding its new voluntary cybersecurity project identify three main areas of industry and researcher concern: (1) the Internet of Things, (2) vulnerability disclosure, and (3) malware.

2016 Internet Security Threat Report: Government | Symantec | April 13, 2016 | Public-sector data breaches exposed some 28 million identities in 2015, but hackers were responsible for only one-third of those compromises, according to new research. Negligence was behind nearly two-thirds of the exposed identities through government agencies. In total, the report suggests 21 million identities were compromised accidentally, compared with 6 million by hackers.

Formation of the Office of Technology Research and Investigation (OTRI) | Federal Trade Commission (FTC) | March 23, 2015 | The OTRI will provide expert research, investigative techniques, and further insights to the agency on technology issues involving all facets of the FTC's consumer protection mission, including privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.

Stakeholder Engagement on Cybersecurity in the Digital Ecosystem | NTIA | March 19, 2015 | "The Internet Policy Task Force (IPTF) is requesting comment to identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers. The IPTF invites public comment on these issues from all stakeholders with an interest in cybersecurity, including the commercial, academic, and civil society sectors, and from relevant federal, state, local, and tribal entities." (4 pages)

Federal Incident Reporting Guidelines | United States Computer Emergency Readiness Team (US-CERT) | October 1, 2014 | The guidance instructs federal agencies to classify incidents according to their impacts rather than by categories of attack methods. It modifies a 2007 requirement for agencies to report to US-CERT within an hour any incident involving the loss of personally identifiable information (PII). Rather, agencies should notify US-CERT of a confirmed cyber incident within one hour of it reaching the attention of an agency's security operations center or IT department. The Office of Management and Budget (OMB) said in a concurrently released memo that nonelectronic losses of PII must also be reported within an hour of a confirmed breach but should be reported to the agency privacy office rather than US-CERT. (10 pages)

Measuring What Matters: Reducing Risks by Rethinking How We Evaluate Cybersecurity | National Academy of Public Administration and Safegov.org | March 2013 | Federal agencies and their inspectors general should keep running scorecards of "cyber risk indicators" based on continual information governance assessments of their organization's cyber vulnerabilities, rather than periodically auditing whether an agency's systems meet the standards enumerated in the Federal Information Security Management Act (FISMA) at a static moment in time. (39 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are for documents; other cited resources are web pages.

Table 2. Federal Acquisitions Rules and Federal Contractors

(including regulations, guidance documents, and audit reports)

Title | Source | Date | Notes

Report to the President on Federal IT Modernization - Request for Comment | American Technology Council | August 30, 2017 | The ATC's plan first calls for the technical standards agency NIST to send OMB instructions for how to protect these high-value assets. Next, it directs OMB and the Department of Homeland Security (DHS) to produce a report about common vulnerabilities in these systems. Agencies with serious vulnerabilities would then have to submit a "remediation plan." (52 pages)

Information Technology: Opportunities for Improving Acquisitions and Operations | GAO | April 11, 2017 | GAO assembled a panel of information technology (IT) experts on September 14, 2016, to elicit additional ideas to further improve delivery and operations of IT. Forum participants discussed the challenges and opportunities for chief information officers (CIO) to improve IT acquisitions and operations—with the goal of better informing policymakers and government leadership. They identified key actions related to the following topics: strengthening the Federal Information Technology Acquisition Reform Act (FITARA), improving CIO authorities, budget formulation, governance, workforce, operations, and transition planning. (32 pages)

Cybersecurity Services | General Services Administration (GSA) | April 11, 2016 | GSA's Federal Acquisition Service (FAS) Office of Integrated Technology Services (ITS) is conducting business channel research to gain an enhanced understanding of what agencies' needs are, what solutions currently exist, and what role GSA can play in improving the ability of agencies to procure the suite of cybersecurity services. This information will help GSA identify current offerings available, improve the visibility of those offerings, and determine gaps that need to be filled.

Fiscal Year 2015 Top Management Challenges | Office of Personnel Management (OPM), Office of Inspector General (OIG) | October 30, 2015 | See the Internal Challenges section (pp. 10-19) for a discussion of challenges related to information technology, improper payments, the retirement claims process, and the procurement process. Officials in OPM's Office of Procurement Operations violated the Federal Acquisition Regulation and the agency's own policies in awarding a $20.7 million contract to provide credit monitoring and ID theft services. Investigators turned up "significant deficiencies" in the process of awarding the contract to Winvale Group and its subcontractor CSID. (22 pages)

Improving Cybersecurity Protections in Federal Acquisitions Public Comment Space | Office of Management and Budget (OMB) | August 10, 2015 | OMB proposed that agencies make private-sector adherence to cybersecurity controls a contractual requirement. It also proposed that contractors operating systems on behalf of federal agencies earn an official approval known as an "Authority to Operate," and that vendors implement a program of continuous monitoring. Also, under an existing policy, security controls for the private sector handling of "controlled unclassified information" will become mandatory for civilian agency contractors in 2016.

Request for Comments on Improving Cybersecurity Protections in Federal Acquisitions | OMB | July 30, 2015 | OMB's Office of E-Government & Information Technology (E-Gov) is seeking public comment on draft guidance to improve cybersecurity protections in federal acquisitions. The increase in threats facing federal information systems demands that certain issues regarding security of information on these systems be clearly, effectively, and consistently addressed in federal contracts. (1 page)

Information Security: Agencies Need to Improve Oversight of Contractor Controls | Government Accountability Office (GAO) | September 8, 2014 | Although the six federal agencies—the Departments of Energy, Homeland Security, State, and Transportation; the Environmental Protection Agency; and the Office of Personnel Management—that GAO reviewed generally established security and privacy requirements and planned effectiveness assessments of contractor implementation of controls, five of the six agencies were inconsistent in overseeing the execution and review of those assessments, resulting in security lapses. For example, in one agency, testing did not discover that background checks of contractor employees were not conducted. (43 pages)

Cybersecurity for Government Contractors | Robert Nichols et al., West Briefing Papers | April 2014 | The briefing paper presents a summary of the key legal issues and evolving compliance obligations that contractors now face in the federal cybersecurity landscape. It provides an overview of the most prevalent types of cyberattacks and targets and the federal cybersecurity budget; outlines the current federal cybersecurity legal requirements applicable to government contractors, including statutory and regulatory requirements, the President's 2013 cybersecurity executive order, and the resulting "cybersecurity framework" issued by NIST in February 2014; highlights further expected developments; and identifies and discusses the real-world legal risks that contractors face when confronting cyberattacks and addresses the availability of possible liability backstops in the face of such attacks. (28 pages)

Improving Cybersecurity and Resilience through Acquisition | Department of Defense (DOD) and the GSA | January 23, 2014 | DOD and GSA jointly released a report announcing six planned reforms to improve the cybersecurity and resilience of the Federal Acquisition System. The report provides a path forward to aligning federal cybersecurity risk management and acquisition processes. It provides strategic recommendations for addressing relevant issues, suggests how challenges might be resolved, and identifies important considerations for the implementation of the recommendations. (24 pages)

Defense Federal Acquisition RegulationSupplement: Safeguarding UnclassifiedControlled Technical Information

DOD November 18, 2013 The regulation imposed two new requirements: (1) an obligation on contractors to provide adequate security to safeguard unclassified controlled technical information (UCTI) and (2) an obligation on contractors to report cyber incidents that affect UCTI to contracting officers. In both obligations, UCTI is defined as "technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination." This is the first time DOD has imposed specific requirements for cybersecurity that are generally applicable to all contractors. (10 pages)

Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition, Notice of Request for Information

GSA May 13, 2013 Among other things, Presidential Policy Directive-21 requires GSA, in consultation with DOD and DHS, to jointly provide and support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for the security and resilience of critical infrastructure. (3 pages)

Basic Safeguarding of Contractor Information Systems (Proposed Rule)

DOD, GSA, and National Aeronautics and Space Administration (NASA)

August 24, 2012 This regulation, authored by DOD, GSA, and NASA, "would add a contract clause to address requirements for the basic safeguarding of contractor information systems that contain or process information provided by or generated for the government (other than public information)." (4 pages)

Source: Highlights compiled by CRS from the reports.

Note: Entries with page counts are documents; other cited resources are web pages.

Table 3. Agency Audits and Evaluations

(reports evaluating agency cybersecurity programs, excluding DHS and DOD; see Tables 7 and 8 below)

Title Source Date Notes

GAO reports on cybersecurity GAO Continuously Updated

A list of five "Key Reports," and dozens of other cybersecurity reports by GAO.

Pulse: How Federal Government Domains are Meeting Best Practices on the Web

General Services Administration (GSA)

Continuously Updated

Pulse.cio.gov is a public dashboard that displays how well all federal domains are performing in accordance with government-wide web policy requirements and best practices. The first release of Pulse covers two areas of federal web policy—Secure Hypertext Transfer Protocol (HTTPS) and the Digital Analytics Program (DAP).
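As an added example (not code from the CRS report or from the Pulse project), the following Python shows how the HTTPS findings such a dashboard reports for one domain can be derived from the domain's plain-HTTP and HTTPS responses. It assumes criteria that go beyond the annotation above: that a domain is judged on answering over HTTPS, redirecting plain HTTP to HTTPS, and sending a Strict-Transport-Security (HSTS) header with a max-age of at least one year, the threshold used for the browser preload list. The Response and HstsPolicy types, parse_hsts(), classify(), and the sample responses are constructed for illustration and are not captured from any real domain.

```python
"""Classify a domain's HTTPS posture from its HTTP and HTTPS responses.

Added example, not part of the CRS report or of Pulse. The criteria
(serves HTTPS, enforces HTTPS via redirect, HSTS max-age >= 1 year,
preload-ready) are an assumption about what such a dashboard checks.
"""
import re
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; max-age required by the HSTS preload list


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; header names are lowercased."""
    status: int
    headers: dict


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Directives are ';'-separated and case-insensitive. max-age is mandatory:
    a header without a numeric max-age is treated as no policy at all, which
    is how browsers treat it too.
    """
    max_age = None
    include_sub = False
    preload = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def classify(http: Optional[Response], https: Optional[Response]) -> dict:
    """Return the yes/no findings for one domain.

    http  -- reply to a plain http:// request (None if the connection failed)
    https -- reply to an https:// request (None if TLS failed)
    """
    uses_https = https is not None and https.status < 400
    # "Enforces HTTPS": plain HTTP must redirect (3xx) to an https:// URL.
    enforces = False
    if http is not None and 300 <= http.status < 400:
        enforces = http.headers.get("location", "").lower().startswith("https://")
    policy = None
    if uses_https:
        policy = parse_hsts(https.headers.get("strict-transport-security", ""))
    hsts = policy is not None and policy.max_age >= ONE_YEAR
    preload_ready = hsts and policy.include_subdomains and policy.preload
    return {"uses_https": uses_https, "enforces_https": enforces,
            "hsts": hsts, "preload_ready": preload_ready}


# Constructed sample responses (not real data) for a well-configured domain
# and for one that serves plain HTTP and sends a five-minute HSTS policy.
GOOD = classify(
    Response(301, {"location": "https://example.gov/"}),
    Response(200, {"strict-transport-security":
                   "max-age=31536000; includeSubDomains; preload"}),
)
WEAK = classify(
    Response(200, {}),
    Response(200, {"strict-transport-security": "max-age=300"}),
)
```

A short max-age is the common failure: the header is present, so a naive check passes, but a five-minute policy expires before most users return, so the first plain-HTTP request of each visit is again exposed to downgrade. The one-year threshold in classify() is what separates the two constructed cases.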

Database of Unclassified Federal Cyber Spending Taxpayers for Common Sense

Continuously Updated

The database presents information on unclassified federal cyber spending from FY2007 to FY2016. Dollar figures are actual numbers through FY2015. FY2016 numbers are estimates included with President Obama's FY2017 budget request.

Oversight.gov Council of the Inspectors General on Integrity and Efficiency (CIGIE)

Continuously Updated

The site includes a publicly accessible, text-searchable repository of reports published by participating federal inspectors general (IGs). The reports appearing on Oversight.gov, as well as the data associated with them, have been posted directly to the site by the IG that issued them.

Information Security: OPM Has Improved Controls, but Further Efforts Are Needed

GAO August 3, 2017

GAO evaluated OPM's (1) actions since the 2015 reported data breaches to prevent, mitigate, and respond to data breaches involving sensitive personnel records and information; (2) information security policies and practices for implementing selected government-wide initiatives and requirements; and (3) procedures for overseeing the security of OPM information maintained by contractors providing IT services. (42 pages)

State Department Telecommunications: Information on Vendors and Cyber-Threat Nations

GAO July 27, 2017 Federal telecommunications systems can include a variety of equipment, products, and services that may be produced by foreign manufacturers—and may potentially be vulnerable to manipulation by a cyber-threat nation like China, Iran, North Korea, or Russia. GAO examined foreign manufacturers of the State Department's critical telecommunications equipment and services to identify those that might be closely linked to these nations. GAO did not identify any reported close link but did identify some manufacturers, software developers, and contractors that had suppliers based in one of these nations. (15 pages)

Information Security: Control Deficiencies Continue to Limit IRS's Effectiveness in Protecting Sensitive Financial and Taxpayer Data

GAO July 26, 2017 During FY2016, IRS made improvements in access controls over a number of system administrator accounts and updated certain software to prevent exposure to known vulnerabilities. However, the agency did not always (1) limit or prevent unnecessary access to systems, (2) monitor system activities to reasonably assure compliance with security policies, (3) reasonably assure that software was vendor supported and updated to protect against known vulnerabilities, (4) segregate incompatible duties, and (5) update system contingency plans to reflect changes to the operating environment. (42 pages)

Department of Veterans Affairs Federal Information Security Management Act (FISMA) Audit for FY 2016

Veterans Affairs Inspector General

June 21, 2017

The audit, noting some improvements, identified continuing significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems. Further, VA has not remediated approximately 7,200 outstanding system security risks in its corresponding Plans of Action and Milestones to improve its information security posture. (67 pages)

Semiannual Report to Congress, October 1, 2016 to March

Health and Human Services Dept. Inspector General

June 2, 2017 The amount and complexity of HHS data make it difficult for the department to adequately protect that data from hackers and from improper access by employees and contractors. The report states that the department is conducting penetration testing of HHS networks and applications to determine whether security safeguards are strong enough. The tests also aim to determine how sophisticated an attacker would have to be to gain access to data and how likely the department is to spot the penetration. (77 pages)

Homeland Security: Progress Made to Implement IT Reform, but Additional Chief Information Officer Involvement Needed

GAO May 18, 2017

GAO analyzed DHS's efforts to implement a sample of 31 of 109 action plans that DHS had reported as complete and that described later-stage implementation steps. To determine challenges, GAO analyzed and compared DHS documentation, including a random sample of IT-related contracts and agreements, to selected FITARA provisions to identify gaps between what was required by FITARA and what DHS had implemented. (58 pages)


Cybersecurity: Actions Needed to Strengthen U.S. Capabilities

GAO February 14, 2017

The statement (1) provides an overview of GAO's work related to cybersecurity of the federal government and the nation's critical infrastructure and (2) identifies areas of consistency between GAO recommendations and those recently made by the Cybersecurity Commission and CSIS. Over the past several years, GAO has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls. As of February 2017, about 1,000 recommendations had not been implemented. (25 pages)

Industrial Control System Security Within NASA's Critical and Supporting Infrastructure

NASA Office of Inspector General

February 8, 2017

The report examined "whether NASA has implemented effective policies, procedures, and controls to protect the systems it uses to operate its critical infrastructure." The report found that the agency "has not adequately defined OT, developed a centralized inventory of OT systems, or established a standard protocol to protect systems that contain OT components." Problems arise from the complications inherent in combining manual operational technology (OT) systems with more sophisticated IT systems. For example, applying IT security practices to OT systems can cause malfunctions. (30 pages)

Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2016

HHS Office of Inspector General

February 2017

HHS is making progress in improving its information security practices, but it still has gaps that put sensitive data and systems at risk of compromise. The OIG report notes that overall, in comparison to its FISMA review of HHS a year earlier, the agency has made improvements, with the number of negative findings declining. (69 pages)

Fifth Generation Wireless Network and Device Security

FCC January 23, 2017

The Commission seeks comment on new security issues that implementation of fifth generation (5G) wireless networks and devices presents to the general public, and on the current state of planning to address these issues. The inquiry, focusing on cybersecurity for 5G, raises fundamental questions about scope and responsibilities for such security. The proceeding's goal is to begin a conversation on the state of 5G wireless network and device security and to foster a dialogue on the best methods for ensuring that the 5G wireless networks and devices used by service providers in their operations are secure from the beginning. (6 pages)

Cybersecurity Risk Reduction FCC January 18, 2017

The white paper describes the risk reduction portfolio of the current FCC and suggests actions to affirmatively reduce cyber risk in a manner that incents competition, protects consumers, and reduces significant national security risks. The document presents a strategy to promote an acceptable balance between corporate and consumer interests in cyber risk management when elements of market failure are at work. It acknowledges that the commission's preference is to work collaboratively with industry using public-private partnerships. However, if market forces do not result in a tolerable risk outcome, the commission has tools available to make adjustments to restore the balance. (56 pages)

Designation of Election Infrastructure as a Critical Infrastructure Subsector

DHS January 6, 2017

DHS has added U.S. election infrastructure to the list of protected critical infrastructure sectors of the economy. This designation means that election infrastructure becomes a priority within the National Infrastructure Protection Plan. It also enables DHS to prioritize its cybersecurity assistance to state and local election officials, but only for those who request it.

Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and FDA Staff

FDA December 28, 2016

The guidance informs industry and FDA staff of the agency's recommendations for managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices. In addition to the specific recommendations contained in the guidance, manufacturers are encouraged to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device. (30 pages)

Cybersecurity Considerations for Benefit Plans 2016 ERISA Advisory Council (Department of Labor)

November 10, 2016

The ERISA Advisory Council offered its final suggestions on cybersecurity protections for retirement plans to the Department of Labor. The council boiled its recommendations down to two: make its report publicly available as soon as administratively feasible, and provide information to the employee benefit plan community to educate them on cybersecurity risks and potential approaches for managing those risks. (33 pages)

Federal Information Security Modernization Act Audit FY 2016

OPM Inspector General

November 9, 2016

OPM still suffers from extensive cyber weaknesses, including inadequate scanning for computer vulnerabilities and extremely high turnover among staffers responsible for information security. The turnover also contributed to a "significant regression" in OPM compliance with FISMA. (94 pages)

Cybersecurity Incident Handling Is Ineffective and Incomplete

DOT Inspector General

October 13, 2016

The audit assessed DOT's policies and procedures for (1) monitoring, detecting, and eradicating cyber incidents, and (2) reporting incidents and their resolutions to appropriate authorities. DOT's Office of the Chief Information Officer (OCIO) has not ensured that the Department's Security Operations Center has access to all departmental systems or required the center to consider incident risk, thus limiting the center's ability to effectively monitor, detect, and eradicate cyber incidents. (18 pages)

Commodity Futures Trading Commission's Policies and Procedures For Reviewing Registrants' Cybersecurity Policies

CFTC Inspector General

October 11, 2016

The audit found that the CFTC, in conducting cybersecurity examinations of the firms, did not employ a "risk-based approach" to "independently test results of the cybersecurity assessments" it prepared. The finding sparked sharp disagreement with the CFTC, which in a response to the audit defended its exams and disputed the way the watchdog characterized them. (49 pages)

Department of Energy's Unclassified Cybersecurity Program 2016

DOE Inspector General

October 2016 DOE has made progress shoring up vulnerabilities previously identified by its inspector general in unclassified IT systems, but significant flaws persist. The audit indicates that "issues related to vulnerability management, system integrity of web applications, access controls and segregation of duties, and configuration management, continue to exist." The audit goes on to list several issues that call into question DOE's vulnerability management program. (25 pages)

Critical Infrastructure Threat Information Sharing Framework: A Reference Guide for the Critical Infrastructure Community

DHS October 2016 The framework is a resource to help critical infrastructure owners and operators, and other private sector, federal, and state, local, tribal, and territorial (SLTT) government partners that share threat information, learn where they can turn, and in what circumstances, to both receive and report threat information. Threat information in the framework is limited to information sharing pertaining to man-made threats, including both cyber and physical threats, to critical infrastructure. The document is not new policy, but describes the various processes and mechanisms currently used to share threat information and the existing array of threat information-sharing entities involved in those processes. (110 pages)

FDA Needs to Rectify Control Weaknesses That Place Industry and Public Health Data at Risk

GAO September 29, 2016

The FDA did not fully or consistently implement access controls, which are intended to prevent, limit, and detect unauthorized access to computing resources. Specifically, FDA did not always (1) adequately protect the boundaries of its network, (2) consistently identify and authenticate system users, (3) limit users' access to only what was required to perform their duties, (4) encrypt sensitive data, (5) consistently audit and monitor system activity, and (6) conduct physical security reviews of its facilities. (59 pages)

Federal Information Security: Actions Needed to Address Challenges

GAO September 19, 2016

Cyber incidents affecting federal agencies have continued to grow, increasing about 1,300% from FY2006 to FY2015. Several laws and policies establish a framework for the federal government's information security and assign implementation and oversight responsibilities to key federal entities, including the Office of Management and Budget (OMB), executive branch agencies, and the Department of Homeland Security (DHS). However, implementation of this framework has been inconsistent, and additional actions are needed. (17 pages)

Cybersecurity Act of 2015 Report: EPA's Policies and Procedures to Protect Systems With Personally Identifiable Information

EPA Office of Inspector General

August 11, 2016

OIG conducted an audit to determine to what extent the EPA implemented information system security policies and procedures to protect agency systems that provide access to national security or Personally Identifiable Information (PII), as outlined in Section 406 of the Cybersecurity Act of 2015. The report addresses EPA's goal or cross-agency strategy: Embracing EPA as a high-performing organization. (The full report is not public.) (1 page)

U.S. General Services Administration Cybersecurity Act Assessment

GSA Office of Inspector General

August 10, 2016

GSA policies and procedures regarding access controls are generally consistent with significant government-wide policies and procedures, including relevant standards established by NIST and OMB, according to GSA's Office of Inspector General. (9 pages)

Inspection of Federal Computer Security at the U.S. Department of the Interior

Dept. of Interior Office of Inspector General

August 9, 2016

DOI has implemented measures, such as multifactor authentication and software inventory management, to reduce the risk of unauthorized access to its computer systems and prevent spending public funds on unused software. DOI, however, needs to update its logical access controls to meet current standards, ensure that its mobile computing devices are encrypted and securely configured, and obtain the ability to inspect encrypted traffic for malicious content. (21 pages)

Review of IT Security Policies, Procedures, Practices, and Capabilities in Accordance with the Cybersecurity Act of 2015

Department of Commerce Office of Inspector General

August 4, 2016

Commerce's logical access policies generally followed appropriate standards, and specific operating units told OIG they had such access controls in most systems. All nine operating units OIG examined have "external monitoring, security operations centers, intrusion detection systems/intrusion prevention systems, and event correlation tools." (18 pages)

HHS Needs to Strengthen Security and Privacy Guidance and Oversight

GAO August 1, 2016

In 2015, 113 million electronic health records were breached, a major leap over the 12.5 million the year before. In 2009, the number was less than 135,000. The number of reported hacks and breaches affecting records of at least 500 individuals rose from none in 2009 to 56 in 2015, almost double the 2014 figure.

Cybersecurity Act of 2015 Report: CSB's Policies and Procedures to Protect Systems With Personally Identifiable Information

EPA Inspector General

August 1, 2016

The U.S. Chemical Safety Board (CSB) maintains one computer system that contains sensitive PII, according to the Environmental Protection Agency's inspector general. The audit, required under the Cybersecurity Act of 2015, includes a one-page summary of the findings "due to the sensitive nature of the information identified." The summary did not say whether the audit had flagged security problems at CSB. The EPA inspector general has oversight of CSB, an independent agency. The inspector general's office examined eight areas of the system, including how CSB controls access to the system and looks for signs of external intrusions. (1 page)

Report on the Department of Justice's Cybersecurity Logical Access Controls and Data Security Management Practices Pursuant to the Cybersecurity Act of 2015, Section 406, Federal Computer Security

DOJ Office of Inspector General

August 1, 2016

KPMG found that DOJ has developed policies and procedures to implement the controls addressed in Section 406 to establish an information security program compliant with NIST. For Logical Access Policies and Multi-factor Authentication, KPMG found that DOJ is making progress in implementing personal identity verification (PIV) logical access for privileged and unprivileged users across the organization, but significant work still needs to occur related to the PIV multi-factor implementation. (18 pages)

Work Plan: Status of Audit and Evaluation Projects

Federal Reserve Office of Inspector General

July 8, 2016 The growing sophistication and volume of cybersecurity threats present a serious risk to all financial institutions. The report reviews how the Federal Reserve System's examination process has evolved and whether it is providing adequate oversight of financial institutions' information security controls and cybersecurity threats. The Fed has already developed guidance for banks "to define expectations for information security and data breach management." Now the watchdog agency will review how—and if—banks are complying with that guidance. (43 pages; see pp. 4-5)

FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed

GAO June 29, 2016

As part of its audit of the 2015 financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation Resolution Fund administered by FDIC, GAO assessed the effectiveness of the corporation's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To do so, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed FDIC personnel. (29 pages)

Agencies Need to Improve Controls over Selected High-Impact Systems

GAO June 21, 2016

Federal systems categorized as high impact—those that hold sensitive information, the loss of which could cause individuals, the government, or the nation catastrophic harm—warrant increased security to protect them. In this report, GAO (1) describes the extent to which agencies have identified cyber threats and have reported incidents involving high-impact systems, (2) identifies government-wide guidance and efforts to protect these systems, and (3) assesses the effectiveness of controls to protect selected high-impact systems at federal agencies. To do this, GAO surveyed 24 federal agencies; examined federal policies, standards, guidelines, and reports; and interviewed agency officials. (94 pages)

Management Report: Areas for Improvement in the Federal Reserve Banks' Information Systems Controls

GAO June 6, 2016 The report presents the deficiencies identified during GAO's FY2015 testing of information systems controls over key financial systems maintained and operated by Federal Reserve Banks on behalf of Treasury that are relevant to the Schedule of Federal Debt. The report also includes the results of GAO's FY2015 follow-up on the status of FRBs' corrective actions to address information systems control-related deficiencies and associated recommendations contained in GAO's prior years' reports that were open as of September 30, 2014. (9 pages)

Federal Agencies Need to Address Aging Legacy Systems

GAO May 26, 2016

GAO is making 16 recommendations, one of which is for OMB to develop a goal for its spending measure and finalize draft guidance to identify and prioritize legacy IT needing to be modernized or replaced. GAO is also recommending that selected agencies address at-risk and obsolete legacy O&M investments. (87 pages)

Second Interim Status Report on the U.S. Office of Personnel Management's (OPM) Infrastructure Improvement Project – Major IT Business Case

OPM Office of Inspector General May 18, 2016

The report finds that funding for the troubled IT security upgrades project remains an issue in part because of poor planning by the agency. The inspector general finds that the agency still lacks a "realistic budget" for the massive upgrade. (12 pages)

Polar Weather Satellites: NOAA Is Working to Ensure Continuity but Needs to Quickly Address Information Security Weaknesses and Future Program Uncertainties

GAO May 17, 2016

Although the National Oceanic and Atmospheric Administration (NOAA) established information security policies in key areas recommended by the National Institute of Standards and Technology, the Joint Polar Satellite System (JPSS) program has not yet fully implemented them. Specifically, the program categorized the JPSS ground system as a high-impact system and selected and implemented multiple relevant security controls. However, the program has not yet fully implemented almost half of the recommended security controls, did not have all of the information it needed when assessing security controls, and has not addressed key vulnerabilities in a timely manner. Until NOAA addresses these weaknesses, the JPSS ground system remains at high risk of compromise. (70 pages)

Management Alert Report: GSA Data Breach General Services Administration Office of Inspector General

May 12, 2016

The inspector general of the General Services Administration said the 18F tech squad should stop using Slack after the group messaging app was linked to an internal data breach. As part of an audit report, the IG found that 18F's configuration of Slack had allowed access to more than 100 Google Drive accounts inside the agency, resulting in a data breach that potentially exposed "sensitive content" like personal information. According to the report, a supervisor said the issue has been fixed, but the IG said 18F "should cease using Slack" until it is approved as a "standard product" under agency rules. (4 pages)

Information Security: Opportunities Exist for SEC to Improve Its Controls over Financial Systems and Data

GAO April 28, 2016

The report details weaknesses GAO identified in the information security program at SEC during its audit of the commission's FY2015 and FY2014 financial statements. GAO's objective was to determine the effectiveness of information security controls for protecting the confidentiality, integrity, and availability of SEC's key financial systems and information. To do this, GAO examined information security policies, plans, and procedures; tested controls over key financial applications; interviewed agency officials; and assessed corrective actions taken to address previously reported weaknesses. (26 pages)

Final Memorandum, Review of NASA's Information Security Program

National Aeronautics and Space Administration

April 14, 2016

Although NASA has made progress in meeting requirements in support of an agency-wide information security program, it has not fully implemented key management controls essential to managing that program. Specifically, NASA lacks an agency-wide risk management framework for information security and an information security architecture. (17 pages)

Information Security: IRS Needs to Further Enhance Controls over Taxpayer and Financial Data

GAO April 14, 2016

The statement discusses (1) IRS's information security controls over tax processing and financial systems and (2) roles that federal agencies with government-wide information security responsibilities play in providing guidance and oversight to agencies. The statement is based on previously published GAO work and a review of federal guidance. (22 pages)

Vehicle Cybersecurity: DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack

GAO March 24, 2016

The report addresses, among other things, (1) available information about the key cybersecurity vulnerabilities in modern vehicles that could impact passenger safety; (2) key practices and technologies, if any, available to mitigate vehicle cybersecurity vulnerabilities and the impacts of potential attacks; (3) views of selected stakeholders on challenges they face related to vehicle cybersecurity and industry-led efforts to address vehicle cybersecurity; and (4) DOT efforts to address vehicle cybersecurity. (61 pages)

Healthcare.gov: Actions Needed to Enhance Information Security and Privacy Controls

GAO March 23, 2016

GAO was asked to review security issues related to the data hub, and CMS oversight of state-based marketplaces. Its objectives were to (1) describe security and privacy incidents reported for Healthcare.gov and related systems, (2) assess the effectiveness of security controls for the data hub, and (3) assess CMS oversight of state-based marketplaces and the security of selected state-based marketplaces. GAO reviewed incident data, analyzed networks and controls, reviewed policies and procedures, and interviewed CMS and marketplace officials. (55 pages)

Audit of the EPA's Compliance with the Mandated "Inspector General Report on Personally Identifiable Information"

EPA Office of Inspector General March 14, 2016

EPA's inspector general's office said it will "determine to what extent the EPA implemented information system security policies and procedures to protect agency systems" under cybersecurity provisions contained in the 2015 omnibus spending package (P.L. 114-113). The IG will examine the Office of Administrative Services Information System, which contains a wealth of employee personal information to facilitate agency administration, and the Superfund Cost Recovery Package Imaging Online System, which is used to detail government and contractor expenses related to Superfund cleanup. (8 pages)


Assessing the FDA's Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle "Suggestions" May Not Be Enough

Institute for Critical Infrastructure Technology

February 15, 2016

The guidance advises medical device manufacturers to address cybersecurity "throughout a product's lifecycle" and is the latest action by the FDA that underscores its position that medical device cybersecurity is a priority for the health sector. However, despite the implied sense of urgency, the FDA has chosen not to implement enforceable regulations over medical device manufacturers. This examination of the FDA's "suggestions" provides a concise summary of the draft guidance as well as recommendations for the healthcare community. (9 pages)

FY2015 Federal Information Security Modernization Act Report: Status of CSB's Information Security Program

EPA Office of Inspector General

January 27, 2016

The Chemical Safety Board, the government board that investigates industrial chemical accidents, does not keep track of computer systems it has outsourced to contractors, which could jeopardize information confidentiality. The audit criticizes the board for lacking a complete catalog of contractor-run systems, as well as of databases maintained by other federal agencies. Data applications running in the cloud also have not been inventoried. (30 pages)

The Way Forward for Federal Background Investigations

FBI January 22, 2016

The Obama Administration is creating a new organization within the Office of Personnel Management to handle background investigations, in its latest response to the 2015 revelations that hackers had pilfered highly sensitive documents on 22 million Americans. The new organization, the National Background Investigations Bureau, will be headed by a presidential appointee and will have a "considerable amount of operational autonomy." Its technology systems will be "designed, built, secured, and operated" by the Defense Department.

Audit of NRC's Network Security Operations Center

Nuclear Regulatory Commission (NRC), Office of the Inspector General, January 11, 2016

According to the audit, security contracts related to unclassified nuclear computer systems do not specify who is responsible for protecting them from attacks. The NRC's Security Operations Center (SOC) is not "optimized to protect the agency's network in the current cyber threat environment." The report did not examine classified NRC networks. (18 pages)

DOT&E FY2015 Annual Report (cybersecurity excerpt)

DOD Office of the Director, Operational Test and Evaluation (DOT&E), January 2016

Despite some key improvements from the previous fiscal year, Defense Department missions and systems remain vulnerable to hacking. Cyber testing teams deployed on DOD networks were "frequently in a position to deliver cyber effects that could degrade the performance of operational missions." (8 pages)

Critical Infrastructure Protection: Measures Needed to Assess Agencies' Promotion of the Cybersecurity Framework

GAO, December 17, 2015

The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the cybersecurity standards and procedures developed by the National Institute of Standards and Technology (NIST). The report determines the extent to which (1) NIST facilitated the development of voluntary cybersecurity standards and procedures and (2) federal agencies promoted these standards and procedures. GAO examined NIST's efforts to develop standards, surveyed a non-generalizable sample of critical infrastructure stakeholders, reviewed agency documentation, and interviewed relevant officials. (48 pages)

Semiannual Report to the Congress: April 1, 2015 to September 30, 2015

Department of State, Office of Inspector General (OIG), December 9, 2015

Between April and September 2015, a number of cybersecurity incidents illustrated deficiencies in the way State Department personnel went about protecting networks. Malicious actors exploited vulnerabilities, compromised sensitive information, and caused significant downtime to normal business operations. (99 pages)

Department of Education and Other Federal Agencies Need to Better Implement Controls

GAO, November 17, 2015

Since 1997, GAO has identified federal information security as a government-wide high-risk area, and in February 2015 it expanded this area to include protecting the privacy of personally identifiable information (PII). This statement provides information on cyber threats facing federal systems and on information security weaknesses identified at federal agencies, including the Department of Education. (27 pages)

Federal Agencies Need to Better Protect Sensitive Data

GAO, November 17, 2015

Over the past six years, GAO has made about 2,000 recommendations to improve information security programs and associated security controls. Agencies have implemented about 58% of these recommendations. Further, agency inspectors general have made a multitude of recommendations to assist their agencies. (22 pages)

Implementation of Reform Legislation Needed to Improve Acquisitions and Operations

GAO, November 4, 2015

The law commonly known as the Federal Information Technology Acquisition Reform Act (FITARA) was enacted in December 2014 and aims to improve federal information technology (IT) acquisition and operations. As GAO previously reported, underperformance of federal IT projects can be traced to a lack of disciplined and effective management and inadequate executive-level oversight. Last year, GAO added improving the management of IT acquisitions and operations to its high-risk list—a list of agencies and program areas that are high risk due to their vulnerabilities to fraud, waste, abuse, and mismanagement, or that are most in need of transformation. (21 pages)

Inspector General's Statement Summarizing the Major Management and Performance Challenges Facing the U.S. Department of the Interior

Department of the Interior (DOI), OIG, November 2015

Networks at the Department of the Interior (DOI) were breached nearly 20 times over the past several years. The OIG report states, "hackers and foreign intelligence services have compromised DOI's computer networks by exploiting vulnerabilities in publicly accessible systems ... result[ing] in the loss of sensitive data and disruption of bureau operations." (Discussion of breaches starts on page 23.) (72 pages)


High-Risk Security Vulnerabilities Identified During Reviews of Information System General Controls at Three California Managed-Care Organizations Raise Concerns About the Integrity of Systems Used To Process Medicaid Claims

Health and Human Services (HHS), OIG, November 2015

Federal auditors found 74 high-risk security vulnerabilities in the IT systems of three California Medicaid managed-care organizations. The OIG found that most of these security vulnerabilities were "significant and pervasive" and potentially put Medicaid claims data at risk. The report raised concerns about the integrity of the systems used to process Medicaid managed-care claims. (19 pages)

Fiscal Year 2015 Top Management Challenges

Office of Personnel Management (OPM), OIG, October 30, 2015

See the Internal Challenges section (pp. 10-19) for a discussion of challenges related to information technology, improper payments, the retirement claims process, and the procurement process. Officials in OPM's Office of Procurement Operations violated the Federal Acquisition Regulation and the agency's own policies in awarding a $20.7 million contract to provide credit monitoring and ID theft services. Investigators turned up "significant deficiencies" in the process of awarding the contract to Winvale Group and its subcontractor CSID. (22 pages)

Critical Infrastructure Protection: Cybersecurity of the Nation's Electricity Grid Requires Continued Attention

GAO, October 21, 2015

In a 2011 report, GAO recommended that (1) NIST improve its cybersecurity standards, (2) the Federal Energy Regulatory Commission (FERC) assess whether challenges identified by GAO should be addressed in ongoing cybersecurity efforts, and (3) FERC coordinate with other regulators to identify strategies for monitoring compliance with voluntary standards. The agencies agreed with the recommendations, but FERC has not taken steps to monitor compliance with voluntary standards. (18 pages)

Agencies Need to Correct Weaknesses and Fully Implement Security Programs

GAO, September 29, 2015

Persistent weaknesses at 24 federal agencies illustrate the challenges they face in effectively applying information security policies and practices. The deficiencies place critical information, and the information systems used to support operations, assets, and federal personnel, at risk, and can impair agencies' efforts to fully implement effective information security programs. In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies addressing deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented. (71 pages)

Defense Cybersecurity: Opportunities Exist for DOD to Share Cybersecurity Resources with Small Businesses

GAO, September 24, 2015

DOD's Office of Small Business Programs (OSBP) has explored some options, such as online training videos, to integrate cybersecurity into its existing efforts; however, as of July 2015, the office had not identified and disseminated cybersecurity resources in its outreach and education efforts to defense small businesses. Although DOD OSBP is not required to educate small businesses on cybersecurity, its officials acknowledged that cybersecurity is an important and timely issue for small businesses. (32 pages)

Records: Energy Department Struck by Cyber Attacks

USA Today review of Department of Energy records, September 11, 2015

According to information obtained by USA Today through a Freedom of Information Act (FOIA) request, the Department of Energy's computer systems were breached by attackers more than 150 times between 2010 and 2014. Most attempts to break into the systems failed, but the success rate was still roughly 15%.

The Centers for Medicare & Medicaid Services' Implementation of Security Controls Over the Multidimensional Insurance Data Analytics System Needs Improvement

HHS, OIG, September 2015

HealthCare.gov relies on a $110 million digital repository called MIDAS to store the information it collects. While MIDAS does not handle medical records, it does store names, Social Security numbers, addresses, passport numbers, and financial and employment information for exchange customers. In addition to poor security policies, the HHS audit found 135 database vulnerabilities—such as software bugs—22 of which were classified as "high risk." (7 pages)

Information Security Concerns

Department of Labor (DOL), OIG, July 31, 2015

The report asserts that DOL only recently turned its attention to implementing two-factor authentication agency-wide, in response to the data breaches at OPM. It also details lingering problems with former employees and contractors retaining privileged access to government systems. (16 pages)

Defense Infrastructure: Improvements in DOD Reporting and Cybersecurity Implementation Needed to Enhance Utility Resilience Planning

GAO, July 23, 2015

The report addresses (1) whether threats and hazards have caused utility disruptions on DOD installations and, if so, what impacts they have had; (2) the extent to which DOD's collection and reporting on utility disruptions is comprehensive and accurate; and (3) the extent to which DOD has taken actions and developed and implemented guidance to mitigate risks to operations at its installations in the event of utility disruptions. (72 pages)

U.S. Postal Service Cybersecurity Functions

U.S. Postal Service (USPS), OIG, July 17, 2015

The report found that Postal Service leadership had not fostered a culture of effective cybersecurity across the enterprise. Staffing and resources for cybersecurity functions focused heavily on complying with specific legal and industry requirements, leaving limited resources for systems that are not subject to these requirements. In addition, management had not integrated cybersecurity risks into a comprehensive cybersecurity strategy. (41 pages)

Cyberthreats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies

GAO, July 8, 2015

This statement summarizes (1) cyberthreats to federal systems, (2) challenges facing federal agencies in securing their systems and information, and (3) government-wide initiatives aimed at improving cybersecurity. In preparing this statement, GAO relied on its previously published and ongoing work in this area. In previous work, GAO and agency IGs have made hundreds of recommendations to assist agencies in addressing cybersecurity challenges. GAO has also made recommendations to improve government-wide initiatives. (25 pages)

Audit of the Federal Bureau of Investigation's Implementation of Its Next Generation Cyber Initiative

Federal Bureau of Investigation (FBI), July 2015

Following the Office of the Inspector General's (OIG) April 2011 report on the FBI's ability to address the national cyber intrusion threat, in October 2012 the FBI launched its Next Generation Cyber (Next Gen Cyber) Initiative to enhance its ability to address cybersecurity threats to the United States. The objective of this audit was to evaluate the FBI's implementation of its Next Gen Cyber Initiative. (40 pages)

Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies

GAO, June 24, 2015

This statement summarizes (1) challenges facing federal agencies in securing their systems and information and (2) government-wide initiatives, including those led by DHS, aimed at improving cybersecurity. In preparing this statement, GAO relied on its previously published and ongoing work in this area. (17 pages)

Insider Threats: DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems

GAO, June 2, 2015

DOD components have identified technical and policy changes to help protect classified information and systems from insider threats, but DOD is not consistently collecting this information to support management and oversight responsibilities. According to Office of the Under Secretary of Defense for Intelligence officials, they do not consistently collect this information because DOD has not identified a program office that is focused on overseeing the insider-threat program. Without an identified program office dedicated to oversight of insider-threat programs, DOD may not be able to ensure the collection of all needed information and could face challenges in establishing goals and in recommending resources and improvements to address insider threats. This is an unclassified version of a classified report GAO issued in April 2015. (55 pages)

Cybersecurity: Actions Needed to Address Challenges Facing Federal Systems

GAO, April 22, 2015

Because of the risk posed by certain cyberthreats, it is crucial that the federal government take appropriate steps to secure its information and information systems. Until agencies take actions to address these challenges—including the hundreds of recommendations GAO and inspectors general have made—their systems and information will be at increased risk of compromise from cyber-based attacks and other threats. (21 pages)

Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen

GAO, April 14, 2015

GAO reviewed the Federal Aviation Administration's (FAA's) cybersecurity efforts. The report (1) identifies the cybersecurity challenges facing FAA as it shifts to the Next Generation Air Transportation System (NextGen) and how FAA has begun addressing those challenges, and (2) assesses the extent to which FAA and its contractors, in the acquisition of NextGen programs, have followed federal guidelines for incorporating cybersecurity controls. (56 pages)

FDIC Implemented Many Controls over Financial Systems, but Opportunities for Improvement Remain

GAO, April 9, 2015

The Federal Deposit Insurance Corporation (FDIC) has implemented numerous information security controls intended to protect its key financial systems; nevertheless, weaknesses remain that place the confidentiality, integrity, and availability of financial systems and information at risk. In 2014, the corporation implemented 27 of the 36 GAO recommendations pertaining to previously reported security weaknesses that were unaddressed as of December 31, 2013; actions to implement the remaining 9 recommendations are in progress. (28 pages)

Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2013

HHS, OIG, April 2015

The Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the Medicare administrative contractors (MACs), fiscal intermediaries, and carriers using a set of agreed-upon procedures. Some MACs have made improvements in their information security programs, but most still have a way to go in closing a number of key gaps. Among the concerns cited in the report are a lack of policies and procedures to reduce risk, failure to conduct periodic testing of information security controls, and insufficient incident detection, reporting, and response. (19 pages)

The FBI: Protecting the Homeland in the 21st Century

9/11 Review Commission, March 26, 2015

The 9/11 Review Commission found in its report on the FBI and its modern national security mission that while the FBI's relationship with DHS has improved in the past few years, especially on counterterrorism, that improvement has lagged in the area of cybersecurity. "The challenge for both DHS and the FBI in coordinating cyber relationships is due in large part to the lack of clarity at the national level on cyber roles and responsibilities," the commissioners wrote. "While Washington tries to coordinate the overlapping responsibilities of various federal agencies, the private sector is left in the dark. … The FBI is limited in its cyber efforts by the muddled national cyber architecture that will continue to affect the relationship with DHS. This issue … is beyond the FBI's ability to address in isolation." (128 pages)

Information Security: IRS Needs to Continue Improving Controls over Financial and Taxpayer Data

GAO, March 19, 2015

Until the Internal Revenue Service (IRS) takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implement elements of its information security program, including updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. GAO recommends that IRS take five additional actions to more effectively implement elements of its information security program. In a separate report with limited distribution, GAO recommends 14 actions that IRS can take to address newly identified control weaknesses. (30 pages)

Healthcare.gov: CMS Has Taken Steps to Address Problems, but Needs to Further Implement Systems Development Best Practices

GAO, March 4, 2015

GAO reviewed CMS's management of the development of IT systems supporting the federal marketplace. Its objectives were to (1) describe problems encountered in developing and deploying systems supporting Healthcare.gov and determine the status of efforts to address deficiencies and (2) determine the extent to which CMS applied disciplined practices for managing and overseeing the development effort, and the extent to which HHS and OMB provided oversight. GAO recommended that CMS take seven actions to implement improvements in its requirements management, system testing, and project oversight, and that HHS improve its oversight of the Healthcare.gov effort. (86 pages)

High Risk List: Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information

GAO, February 11, 2015

If cyber assets are not adequately protected, it "could lead to serious consequences and result in substantial harm to individuals and to the federal government." The government still faces challenges in achieving that goal, however, in several areas, including establishing risk-based cybersecurity programs at federal agencies, securing the global IT supply chain, securing critical infrastructure, overseeing IT contractors, improving incident response, and putting security programs in place at small agencies.

DOT&E FY 2014 Annual Report (Director of Operational Test & Evaluation)

DOD Office of the Director, Operational Test and Evaluation (DOT&E), January 2015

A series of live-fire tests of the security of the military's computer networks during fiscal year 2014 found that many combatant commands could be compromised by hackers of low to middling skill and might not be able to "fight through" in the face of enemy cyberattacks. The assessment echoes previous DOT&E annual assessments, which routinely found that military services and combatant commands did not have a sufficiently robust security posture or training to repel sustained cyberattacks during battle. (91 pages)

A Review of the U.S. Navy Cyber Defense Capabilities: Abbreviated Version of a Classified Report

National Research Council, January 2015

The National Research Council appointed an expert committee to review the U.S. Navy's cyber defense capabilities. The Department of the Navy determined that the committee's final report is classified in its entirety under Executive Order 13526 and therefore cannot be made available to the public. This abbreviated report provides background information on the full report and the committee that prepared it. (13 pages)

Final Audit Report: Federal Information Security Management Act Audit FY 2014

Office of Personnel Management (OPM), OIG, November 12, 2014

OPM's OIG reported that the agency "does not maintain a comprehensive inventory of servers, databases, and network devices." The report also noted that eleven "major systems" were operating without the agency certifying that they met security standards. (66 pages)

FFIEC Cybersecurity Assessment: General Observations

Federal Financial Institutions Examination Council (FFIEC), November 3, 2014

Financial companies are critically dependent on IT. They should routinely scan IT networks for vulnerabilities and anomalous activity and test systems for potential exposure to cyberattacks. The study recommends sharing threat data through such avenues as the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Healthcare.gov: Information Security and Privacy Controls Should Be Enhanced to Address Weaknesses

GAO, September 18, 2014

The specific objectives of this work were to (1) describe the planned exchanges of information between the Healthcare.gov website and other organizations and (2) assess the effectiveness of the programs and controls CMS implemented to protect the security and privacy of the information and IT systems supporting Healthcare.gov. Although CMS has security and privacy protections in place for Healthcare.gov and related systems, weaknesses exist that put these systems and the sensitive personal information they contain at risk. (17 pages)

FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain

GAO, July 17, 2014

FDIC has implemented numerous information security controls intended to protect its key financial systems; nevertheless, weaknesses place the confidentiality, integrity, and availability of financial systems and information at unnecessary risk. In 2013, the corporation implemented 28 of the 39 open GAO recommendations pertaining to previously reported security weaknesses that were unaddressed as of December 31, 2012. (30 pages)

Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity

GAO, June 5, 2014

GAO's objective was to identify the extent to which DHS and other stakeholders have taken steps to address cybersecurity in the maritime port environment. GAO examined relevant laws and regulations, analyzed federal cybersecurity-related policies and plans, observed operations at three U.S. ports (selected because each is a high-risk port and a leader in calls by vessel type, e.g., container), and interviewed federal and nonfederal officials. (54 pages)

HHS Activities to Enhance Cybersecurity

HHS, May 12, 2014

Additional oversight on cybersecurity issues from outside of HHS is not necessary, according to an HHS report on its existing cyber regulatory policies. "All of the regulatory programs identified [in the HHS Section 10(a) analysis] operate within particular segments of the [Healthcare and Public Health] Sector. Expanding any or each of these authorities solely to address cybersecurity issues would not be appropriate or recommended."

Inadequate Practice and Management Hinder Department's Incident Detection and Response

Department of Commerce (DOC), OIG, April 24, 2014

Auditors sent a prolonged stream of deliberately suspicious network traffic to five public-facing websites at the DOC to assess incident-detection capabilities. Only one bureau (the auditors do not say which) successfully moved to block the suspicious traffic. Responses at the other bureaus ranged from no action to ineffective action, even at those that paid for special security services from vendors. (15 pages)

IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk

GAO, April 8, 2014

"Until the Internal Revenue Service (IRS) takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure. These deficiencies, including shortcomings in the information security program, indicate that IRS had a significant deficiency in its internal control over its financial reporting systems for FY2013." (29 pages)

High-Risk Security Vulnerabilities Identified During Reviews of Information Technology General Controls at State Medicaid Agencies

HHS, OIG, March 2014

The report says that dozens of high-risk security vulnerabilities found in information systems at 10 state Medicaid agencies should serve as a warning to other states about the need to take action to prevent fraud.

Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent

GAO, December 9, 2013

GAO recommends that "to improve the consistency and effectiveness of governmentwide data breach response programs, the Director of OMB should update its guidance on federal agencies' responses to a PII-related data breach to include (1) guidance on notifying affected individuals based on a determination of the level of risk; (2) criteria for determining whether to offer assistance such as credit monitoring to affected individuals; and (3) revised reporting requirements for PII-related breaches to US-CERT [United States Computer Emergency Readiness Team], including time frames that better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk." (67 pages)

The Department of Energy's July 2013 Cyber Security Breach

DOE OIG, December 2013

Nearly eight times as many current and former DOE staff members were affected by a July 2013 computer hack as had previously been estimated, according to the agency's inspector general. In August, DOE estimated that the hack affected roughly 14,000 current and former staff, leaking personally identifiable information such as Social Security numbers, birth dates, and banking information, but the breach apparently affected more than 104,000 people. (28 pages)

GPS Disruptions: Efforts to Assess Risks to Critical Infrastructure and Coordinate Agency Actions Should Be Enhanced

GAO, November 6, 2013

GAO reviewed the effects of global positioning system (GPS) disruptions on the nation's critical infrastructure. GAO examined (1) the extent to which DHS has assessed the risks and potential effects of GPS disruptions on critical infrastructure; (2) the extent to which the Department of Transportation (DOT) and DHS have developed backup strategies to mitigate GPS disruptions; and (3) what strategies, if any, selected critical infrastructure sectors employ to mitigate GPS disruptions, and any remaining challenges. (58 pages)

Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2013

DOE OIG, October 2013

To help protect against continuing cybersecurity threats, the commission estimated that it would spend approximately $5.8 million during FY2013 to secure its information technology assets, a 9% increase compared with FY2012. ... As directed by FISMA, the OIG conducted an independent evaluation of the commission's unclassified cybersecurity program to determine whether it adequately protected data and information systems. The report presents the results of the evaluation for FY2013. (13 pages)

DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts

GAO, September 17, 2013

Within DHS, one in five jobs at a key cybersecurity component is vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate (NPPD) officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances, as well as low pay in comparison with the private sector. (47 pages)

Offensive Cyber Capabilities at the Operational Level: The Way Ahead

Center for Strategic and International Studies (CSIS), September 16, 2013

The report examines whether DOD should make a more deliberate effort to explore the potential of offensive cyber tools at levels below that of a combatant command. (20 pages)

An Assessment of the Department of Defense Strategy for Operating in Cyberspace

U.S. Army War College, September 2013

This monograph is organized in three main parts. The first part explores the evolution of cyberspace strategy through a series of government publications leading up to the DoD Strategy for Operating in Cyberspace. The second part elaborates on and critiques each strategic initiative in terms of significance, novelty, and practicality. The third part critiques DOD's strategy as a whole. (60 pages)

Joint Professional Military Education Institutions in an Age of Cyber Threat

Francesca Spidalieri (Pell Center Fellow), August 7, 2013

The report found that Joint Professional Military Education at the six U.S. military graduate schools—a requirement for becoming a joint staff officer and for promotion to the senior ranks—has not effectively incorporated cybersecurity into specific courses, conferences, war-gaming exercises, or other forms of training for military officers. Although these graduate programs are more advanced on cybersecurity than most American civilian universities, a preparation gap still exists. (18 pages)

Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment

GAO, May 21, 2013

The federal government has begun efforts to address supply chain security for commercial networks. A variety of other approaches exist for addressing the potential risks posed by foreign-manufactured equipment in commercial communications networks, including those taken by foreign governments. Although these approaches are intended to improve the supply chain security of communications networks, they may also create the potential for trade barriers, additional costs, and constraints on competition, which the federal government would have to take into account if it chooses to pursue such approaches. (52 pages)

Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts

GAO, April 11, 2013

Until DHS and its sector partners develop appropriate outcome-oriented metrics, it will be difficult to gauge the effectiveness of efforts to protect the nation's core and access communications networks and critical support components of the Internet from cyber incidents. Although no cyber incidents affecting the nation's core and access networks have been reported, communications network operators can use FCC's and DHS's reporting mechanisms to share information on outages and incidents. (45 pages)

Information Sharing: Agencies Could BetterCoordinate to Reduce Overlap in Field-BasedActivities

GAO April 4, 2013 Agencies have neither held entitiesaccountable for coordinating nor assessedopportunities for further enhancingcoordination to help reduce the potential foroverlap and achieve efficiencies. TheDepartment of Justice (DOJ), DHS, and theOffice of National Drug Control Policy(ONDCP)—the federal agencies that overseeor provide support to the five types of field-based entities—acknowledged that it isimportant for entities to work together andshare information, but these agencies do nothold the entities accountable for suchcoordination. (72 pages)

Cybersecurity: A Better Defined and ImplementedNational Strategy Is Needed to Address PersistentChallenges

GAO March 7,2013

"[A]lthough federal law assigns the Office ofManagement and Budget (OMB)responsibility for oversight of federalgovernment information security, OMBrecently transferred several of theseresponsibilities to Department of HomelandSecurity (DHS).... [I]t remains unclear howOMB and Department of Homeland Securityare to share oversight of individualdepartments and agencies. Additionallegislation could clarify these responsibilities."(36 pages)

Cybersecurity: National Strategy, Roles, andResponsibilities Need to Be Better Defined andMore Effectively Implemented

GAO February 14,2013

GAO recommends that the White Housecybersecurity coordinator develop anoverarching federal cybersecurity strategy thatincludes all key elements of the desirablecharacteristics of a national strategy. Such astrategy would provide a more effectiveframework for implementing cybersecurityactivities and better ensure that such activitieswill lead to progress in cybersecurity. (112pages)

Information Security: Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project

GAO | January 25, 2013

The Federal Communications Commission (FCC) did not effectively implement appropriate information security controls in the initial components of the Enhanced Secured Network (ESN) project. Weaknesses identified in the commission's deployment of ESN's project components as of August 2012 resulted in unnecessary risk that sensitive information could be disclosed, modified, or obtained without authorization. GAO made seven recommendations to the FCC to implement management controls to help ensure that ESN meets its objective of securing FCC's systems and information. (35 pages)

Follow-up Audit of the Department's Cyber Security Incident Management Program

DOE OIG | December 2012

In 2008, the DOE's Cyber Security Incident Management Program (DOE/IG-0787, January 2008) reported that the Department and National Nuclear Security Administration (NNSA) had established and maintained a number of independent, at least partially duplicative, cybersecurity incident management capabilities. Several issues were identified that limited the efficiency and effectiveness of the department's cybersecurity program and adversely affected the ability of law enforcement to investigate incidents. In response to the findings, management concurred with the recommendations and indicated that it had initiated actions to address the issues. (25 pages)

Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should Be Better Planned

GAO | July 11, 2012

GAO recommended that the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration (GSA) and Small Business Administration (SBA) should direct their respective chief information officers to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service discussed in the report, as applicable. (43 pages)

Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight

GAO | July 9, 2012

DOD's oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective department-wide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources. (46 pages)

Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage

GAO | June 28, 2012

The statement discusses (1) cyber threats facing the nation's systems, (2) reported cyber incidents and their impacts, (3) security controls and other techniques available for reducing risk, and (4) the responsibilities of key federal entities in support of protecting Internet protocol. (20 pages)


Cyber Sentries: Preparing Defenders to Win in a Contested Domain

Army War College | February 7, 2012

The paper examines the current impediments to effective cybersecurity workforce preparation and offers new concepts to create Cyber Sentries through realistic training, network authorities tied to certification, and ethical training. These actions present an opportunity to significantly enhance workforce quality and allow DOD to operate effectively in the contested cyber domain in accordance with the vision established in its Strategy for Cyberspace Operations. (38 pages)

The Department's Management of the Smart Grid Investment Grant Program

DOE OIG | January 20, 2012

According to the DOE's inspector general, the department's rush to award stimulus grants for projects under the next generation of the power grid, known as the Smart Grid, resulted in some firms receiving funds without submitting complete plans for how to safeguard the grid from cyberattacks. (21 pages)

Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination

GAO | November 29, 2011

To ensure that government-wide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the DOC Secretary, OMB Director, OPM, and DHS Secretary should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities. (86 pages)

Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management

GAO | October 17, 2011

GAO recommended that the OMB update its guidance to establish measures of accountability for ensuring that chief information officers' responsibilities are fully implemented and to require agencies to establish internal processes for documenting lessons learned. (72 pages)

Information Security: Additional Guidance Needed to Address Cloud Computing Concerns

GAO | October 6, 2011

Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that NIST issue guidance specific to cloud computing security. (17 pages)

Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements

GAO | October 3, 2011

Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing by more than 650% over the past five years. Each of the 24 agencies reviewed had weaknesses in information security controls. (49 pages)

Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates

GAO | July 29, 2011

The letter discusses DOD's cyber and information assurance budget for FY2012 and future years' defense spending. The objectives of the review were to (1) assess the extent to which DOD prepared an overarching budget estimate for full-spectrum cyberspace operations across the department and (2) identify the challenges DOD faced in providing such estimates. (33 pages)

Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities

GAO | July 25, 2011

GAO recommended that DOD evaluate how it is organized to address cybersecurity threats; assess the extent to which it developed joint doctrine that addresses cyberspace operations; examine how it assigns command and control responsibilities; and determine how it identifies and acts to mitigate key capability gaps involving cyberspace operations. (79 pages)

Information Security: [Department of] State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain

GAO | July 8, 2011

The Department of State implemented a custom application called iPost and a risk-scoring program that aimed to provide continuous monitoring capabilities of information security risk to elements of the department's IT infrastructure. To improve implementation of iPost at State, the Secretary of State directed the chief information officer to develop, document, and maintain an iPost configuration management and test process. (63 pages)

USCYBERCOM [U.S. Cyber Command] and Cyber Security: Is a Comprehensive Strategy Possible?

Army War College | May 12, 2011

Examines five aspects of USCYBERCOM: (1) organization, (2) command and control, (3) computer network operations, (4) synchronization, and (5) resourcing. Identifies areas that currently present significant risk to USCYBERCOM's ability to create a strategy that can achieve success in its cyberspace operations and recommends potential solutions that can increase the effectiveness of the USCYBERCOM strategy. (32 pages)

Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats

GAO | March 16, 2011

The White House, OMB, and certain federal agencies have undertaken several government-wide initiatives intended to enhance information security at federal agencies. Although progress has been made on these initiatives, they all face challenges that require sustained attention, and GAO has made several recommendations for improving the implementation and effectiveness of these initiatives. (15 pages)

Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security

DOE OIG | January 26, 2011

The Nuclear Energy Regulatory Commission (NERC) developed Critical Infrastructure Protection (CIP) cybersecurity reliability standards, which were approved by the Federal Energy Regulatory Commission (FERC) in January 2008. Although the commission had taken steps to ensure CIP cybersecurity standards were developed and approved, NERC's testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the commission were not adequate to ensure that systems-related risks to the nation's power grid were mitigated or addressed in a timely manner. (30 pages)

Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk

GAO | November 30, 2010

Existing government-wide guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices. Until agencies take steps to better implement these leading practices and OMB takes steps to improve government-wide oversight, wireless networks will remain at an increased vulnerability to attacks. (50 pages)

DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened

GAO | September 23, 2010

DHS has not developed an effective way to ensure that critical national infrastructure, such as electrical grids and telecommunications networks, can bounce back from a disaster. DHS has conducted surveys and vulnerability assessments of critical infrastructure to identify gaps, but has not developed a way to measure whether owners and operators of that infrastructure adopt measures to reduce risks. (46 pages)

Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems

GAO | September 15, 2010

OMB and NIST established policies and guidance for civilian non-national security systems, and other organizations, including the Committee on National Security Systems (CNSS), DOD, and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO assessed the progress of federal efforts to harmonize policies and guidance for these two types of systems. (38 pages)

Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats

GAO | June 16, 2010

GAO and agency IGs have made hundreds of recommendations over the past several years, many of which agencies are implementing. In addition, the White House, OMB, and certain federal agencies have undertaken several government-wide initiatives intended to enhance information security at federal agencies. Progress has been made on these initiatives, but they all face challenges that require sustained attention. GAO made several recommendations for improving the implementation and effectiveness of these existing initiatives. (15 pages)

NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses

DOE, Idaho National Laboratory | May 2010

The National SCADA Test Bed (NSTB) program reported that computer networks controlling the electric grid are plagued with security holes that could allow intruders to redirect power delivery and steal data. Many of the security vulnerabilities are strikingly basic and fixable problems. (123 pages)

Information Security: Concerted Response Needed to Resolve Persistent Weaknesses

GAO | March 24, 2010

Without proper safeguards, federal computer systems are vulnerable to malicious intruders seeking to obtain sensitive information. The need for a vigilant approach to information security is demonstrated by the pervasive and sustained cyberattacks against the United States; these attacks continue to pose a potentially devastating impact to systems and the operations and critical infrastructures they support. (21 pages)

Cybersecurity: Progress Made But Challenges Remain in Defining and Coordinating the Comprehensive National Initiative

GAO | March 5, 2010

To address strategic challenges in areas that are not the subject of the Comprehensive National Cybersecurity Initiative's existing projects but remain key to achieving the initiative's overall goal of securing federal information systems, GAO recommended that OMB's director continue developing a strategic approach to identity management and authentication and link it to the Homeland Security Presidential Directive 12. The directive was initially described in the Chief Information Officers Council's (CIOC's) plan to implement federal identity, credential, and access management to provide greater assurance that only authorized individuals and entities can gain access to federal information systems. (64 pages)

Continued Efforts Are Needed to Protect Information Systems from Evolving Threats

GAO | November 17, 2009

GAO identified weaknesses in all major categories of information security controls at federal agencies. For example, in FY2008, weaknesses were reported in such controls at 23 of 24 major agencies. Specifically, agencies did not consistently authenticate users to prevent unauthorized access to systems; apply encryption to protect sensitive data; or log, audit, and monitor security-relevant events, among other actions. (24 pages)

Efforts to Improve Information Sharing Need to Be Strengthened

GAO | August 27, 2003

Information on threats, methods, and techniques of terrorists is not routinely shared, and the information that is shared is not perceived as timely, accurate, or relevant. (59 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are documents; other cited resources are web pages.

Table 4. Federal Workforce

(includes evaluations, grants, job programs, surveys, and statistics on federal cybersecurity personnel)

Title Source Date Notes

Information Assurance Scholarship Program

DOD | Continuously Updated

The Information Assurance Scholarship Program is designed to increase the number of qualified personnel entering the information assurance and technology fields within DOD. The scholarships also are an attempt to effectively retain military and civilian cybersecurity and IT personnel.

PERSEREC (Personnel and Security Research Center)

DOD | Continuously Updated

The Pentagon is expected to create a database for investigating the trustworthiness of personnel who could have access to federal facilities and computer systems. The Defense Information System for Security, or DISS, will consolidate two existing tools used for vetting employees and job applicants.

CyberSeek Tool

NIST | Continuously Updated

CyberSeek is an interactive online tool designed to make it easier for cybersecurity job seekers to find openings and for employers to identify the skilled workers they need.

CyberCareers.gov

OPM | Continuously Updated

The website is aimed at reaching federal managers, current employees, job seekers, and academic organizations and students. The site is designed as a one-stop shop to better educate those audiences about new federal cyber opportunities and provide resources to help them develop their careers in the field.

U.S. Digital Services

White House | Continuously Updated

The U.S. Digital Services (USDS) is a group of about 100 technologists on two- to four-year fellowships that do some cybersecurity work. Cybersecurity is only a small portion of USDS' work, however, and the group is not yet spread throughout all agencies.

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure: Workforce Development

NIST | July 12, 2017

NIST is seeking information on the scope and sufficiency of efforts to educate and train the nation's cybersecurity workforce and recommendations for ways to support and improve that workforce in both the public and private sectors. (3 pages)

Federal Efforts Are Under Way That May Address Workforce Challenges

GAO | April 4, 2017

This statement discusses challenges agencies face in ensuring an effective cybersecurity workforce, recent initiatives aimed at improving the federal cyber workforce, and ongoing activities that could assist in recruiting and retaining cybersecurity professionals. In preparing this statement. (21 pages)

Compensation Flexibilities to Recruit and Retain Cybersecurity Professionals

OPM | November 29, 2016

The guidance outlines the special rates under the General Schedule that can be paid to IT management and computer professionals, but also outlines other incentive tools. For example, agency leaders can offer up to 25% of annual pay as a bonus for retaining an employee and 10% for a group of employees. There are also relocation incentives and student loan repayment up to $60,000. (25 pages)

NICE Cybersecurity Workforce Framework (NCWF)

NIST | November 2016

This publication serves as a fundamental reference to support a workforce capable of meeting an organization's cybersecurity needs. It describes how the NCWF provides organizations with a common, consistent lexicon to categorize and describe cybersecurity work. The common lexicon provided by the NCWF enables consistent organization and communication about cybersecurity work. (130 pages)

Strengthening the Federal Cybersecurity Workforce

White House | July 12, 2016

The Strategy establishes four key initiatives: (1) Expand the Cybersecurity Workforce through Education and Training; (2) Recruit the Nation's Best Cyber Talent for Federal Service; (3) Retain and Develop Highly Skilled Talent; (4) Identify Cybersecurity Workforce Needs.

NIST 'RAMPS' Up Cybersecurity Education and Workforce Development With New Grants

NIST | May 12, 2016

NIST is offering up to $1 million in grants to establish up to eight Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development. Applicants must be nonprofit organizations, including institutions of higher education, located in the United States or its territories. Applicants must also demonstrate through letters of interest that at least one of each of the following types of organizations is interested in being part of the proposed regional alliance: K-12 school or Local Education Agency (LEA), institution of higher education or college/university system, and a local employer.

Closing Skills Gaps: Strategy, Reporting and Monitoring

OPM | April 15, 2016

OPM "revalidated" the need to close skills gaps in certain "high-risk mission critical occupations," including cybersecurity, acquisition, and STEM. Agency experts and chief human capital officers will work together to develop a governmentwide strategy "to address the root causes for why an occupation has been deemed 'at risk.'" OPM tasked chief human capital officers with identifying specific skills gaps in their agencies. The memo calls on agencies to develop 4-year and 10-year plans for closing gaps in those areas.

The Way Forward for Federal Background Investigations

FBI | January 22, 2016

The Obama Administration is creating a new organization within the OPM to handle background investigations, in its latest response to last year's revelations that hackers had pilfered highly sensitive documents on 22 million Americans. The new organization, the National Background Investigations Bureau, will be headed by a presidential appointee, and will have a "considerable amount of operational autonomy." The technology systems will be "designed, built, secured, and operated" by the Defense Department.

Guidance on recruitment, relocation and retention (3R) incentives

OPM | January 15, 2016

OPM has enhanced the ability of federal human resources managers to use recruitment, relocation, and retention (3R) incentives to attract or hang onto cybersecurity workers. The more flexible grants for exceptions to the 3R spending limit "may assist agencies in recruiting and retaining the most highly qualified cybersecurity employees to meet the government's important challenges of strengthening federal networks, systems and data."

NIST to Support Cybersecurity Jobs "Heat Map" to Highlight Employer Needs and Worker Skills

NIST | October 27, 2015

NIST will fund a project developing a visualization tool to show the demand for and availability of cybersecurity jobs across the United States. CompTIA, a non-profit information technology trade association, in partnership with job market research and analytics company Burning Glass Technologies, received a three-year grant to create a "heat map" visualizing the need for and the supply of cybersecurity professionals across the country.

Workforce Shortfall Due to Hiring Difficulties Despite Rising Salaries, Increased Budgets and High Job Satisfaction

(ISC)2 | April 17, 2015

In 2014, the average annual salary of a federal cybersecurity worker was $110,500, with federal contractors taking home $114,000. U.S. private-sector cyber professionals are expected to bring in $118,000 in 2015. Analysts from Frost & Sullivan forecast a shortfall of 1.5 million cyber professionals by 2020. This number is compounded by 45% of hiring managers reporting that they are struggling to support additional hiring needs and 62% of respondents reporting that their organizations have too few information security professionals. (46 pages)

Tech Hire

White House | March 9, 2015

The White House has unveiled a multi-sector effort to empower Americans with technology skills. Many jobs do not require a four-year computer science degree. To kick off TechHire, 21 regions, with more than 120,000 open technology jobs and more than 300 employer partners in need of this workforce, are announcing plans to work together to find new ways to recruit and place applicants based on their actual skills and to create more fast-track tech training opportunities.

U.S. Dept. of Energy to Offer $25M Grant for Cybersecurity

Department of Energy (DOE) | January 15, 2015

DOE announced a $25 million cybersecurity education grant over five years to establish a Cybersecurity Workforce Pipeline Consortium within the DOE with funding from its Minority Serving Institutions Partnerships Program under its National Nuclear Security Administration. The participants are historically black colleges and universities, national labs, and K-12 school districts.

DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts

GAO | September 17, 2013

Within DHS, one in five jobs at a key cybersecurity component is vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances and low pay in comparison with the private sector. (47 pages)

Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making

National Academies Press | September 16, 2013

The report "examines workforce requirements for cybersecurity; the segments and job functions in which professionalization is most needed; the role of assessment tools, certification, licensing, and other means for assessing and enhancing professionalization; and emerging approaches, such as performance-based measures. It also examines requirements for the federal (military and civilian) workforce, the private sector, and state and local government." (66 pages)

Joint Professional Military Education Institutions in an Age of Cyber Threat

Francesca Spidalieri (Pell Center Fellow) | August 7, 2013

The report found that the Joint Professional Military Education at the six U.S. military graduate schools—a requirement for becoming a joint staff officer and for promotion to the senior ranks—has not effectively incorporated cybersecurity into specific courses, conferences, war-gaming exercises, or other forms of training for military officers. Although these graduate programs are more advanced on cybersecurity than most American civilian universities, a preparation gap still exists. (18 pages)

Special Cybersecurity Workforce Project (Memo for Heads of Executive Departments and Agencies)

OPM | July 8, 2013

OPM is collaborating with the White House Office of Science and Technology Policy, the Chief Human Capital Officers Council, and the Chief Information Officers Council in implementing a special workforce project that tasks federal agencies' cybersecurity, information technology, and human resources communities to build a statistical data set of existing and future cybersecurity positions in the OPM Enterprise Human Resources Integration data warehouse.

Global Information Security Workforce Study

(ISC)2 Foundation and Frost and Sullivan | May 7, 2013

Federal cyber workers earn an average salary of $106,430, less than the average private-sector salary of $111,376. The lag in federal salaries is likely due to federal budget restraints. (28 pages)

2012 Information Technology Workforce Assessment for Cybersecurity

Department of Homeland Security (DHS) | March 14, 2013

The report, which is based on an anonymous survey of nearly 23,000 cyber workers across 52 departments and agencies, found that while the majority (49%) of federal cyber workers have more than 10 years of service until they reach retirement eligibility, nearly 33% will be eligible to retire in the next three years. (131 pages)

CyberSkills Task Force Report

DHS | October 2012

DHS's task force on CyberSkills proposes far-reaching improvements to enable the department to recruit and retain the cybersecurity talent it needs. (41 pages)

Smart Grid Cybersecurity: Job Performance Model Report

Pacific Northwest National Laboratory | August 2012

The report outlines the work done to develop a Smart-Grid cybersecurity certification. Its primary purpose is to develop a measurement model used to guide curriculum, assessments, and other development of technical and operational Smart-Grid cybersecurity knowledge, skills, and abilities. (178 pages)

Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination

GAO | November 29, 2011

To ensure that government-wide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretaries of Commerce and Homeland Security and the Directors of OMB and OPM collaborated through the National Initiative for Cybersecurity Education (NICE) initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities. (86 pages)

Cyber Operations Personnel Report

DOD | April 2011

The report focuses on FY2009 DOD Cyber Operations personnel, with duties and responsibilities as defined in Section 934 of the FY2010 National Defense Authorization Act (NDAA). Its appendices include the following:

Appendix A—Cyber Operations-Related Military Occupations

Appendix B—Commercial Certifications Supporting the DOD Information Assurance Workforce Improvement Program

Appendix C—Military Services Training and Development

Appendix D—Geographic Location of National Centers of Academic Excellence in Information Assurance (84 pages)

The Power of People: Building an Integrated National Security Professional System for the 21st Century

Project on National Security Reform | November 2010

The study was conducted in fulfillment of Section 1054 of the FY2010 NDAA, which required the commissioning of a study by "an appropriate independent, nonprofit organization, of a system for career development and management of interagency national security professionals." (326 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Page counts are documents; other cited resources are web pages.

Table 5. White House and Office of Management and Budget

(reports by or about cybersecurity policies in the White House, OMB, or executive branch agencies)

Title Source Date Notes

Improving Cybersecurity OMB Continuously Updated

OMB is working with agencies, inspectors general, chief information officers, and senior agency officials in charge of privacy, as well as the Government Accountability Office (GAO) and Congress, to strengthen the federal government's IT security and privacy programs. The site provides information on Cross-Agency Priority (CAP) goals, proposed cybersecurity legislation, CyberStat, continuous monitoring and remediation, using SmartCards for identity management, and standardizing security through configuration settings.

Statement by President Donald J. Trump on the Elevation of Cyber Command

White House July 18, 2017 President Trump elevated U.S. Cyber Command to a full combatant command. The elevation will help streamline command and control of time-sensitive cyberspace operations by consolidating them under a single commander with authorities commensurate with the importance of such operations. Elevation will also ensure that critical cyberspace operations are adequately funded.

Federal Information Security Modernization Act of 2014: Annual Report to Congress (FY 2016)

OMB March 10, 2017

Federal agencies reported 30,899 "cyber incidents" in fiscal 2016 that led to the "compromise of information or system functionality" to the Department of Homeland Security's U.S. Computer Emergency Readiness Team. (121 pages)


President-Elect Trump Announces Former Mayor Rudolph Giuliani to Lend Expertise to Cyber Security Efforts

White House January 12, 2017

Former New York City Mayor Rudy Giuliani "will be sharing his expertise and insight as a trusted friend" on private-sector cyber security problems.

Report on Securing and Growing the Digital Economy

Commission on Enhancing National Cybersecurity

December 2016

President Obama "directed the Commission to assess the state of our nation's cybersecurity, and he charged this group with developing actionable recommendations for securing the digital economy. From these discussions, some firm conclusions emerged. Partnerships - between countries, between the national government and the states, between governments at all levels and the private sector - are a powerful tool for encouraging the technology, policies, and practices we need to secure and grow the digital economy. The Commission asserts that the joint collaboration between the public and private sectors before, during, and after a cyber event must be strengthened." (100 pages)

FACT SHEET: Announcing Over $80 million in New Federal Investment and a Doubling of Participating Communities in the White House Smart Cities Initiative

White House September 26, 2016

In September 2015, the White House launched the Smart Cities Initiative to make it easier for cities, federal agencies, universities, and the private sector to work together to research, develop, deploy, and testbed new technologies that can help make our cities more inhabitable, cleaner, and more equitable. This year, to kick off Smart Cities Week, the Administration is expanding this initiative, with more than $80 million in new federal investments and a doubling of the number of participating cities and communities, exceeding 70 in total.

Announcing the First Federal Chief Information Security Officer

White House September 8, 2016

The Administration announced Brigadier General (retired) Gregory J. Touhill as the first Federal Chief Information Security Officer (CISO). A key feature of the Cybersecurity National Action Plan (CNAP) is the creation of the first CISO to drive cybersecurity policy, planning, and implementation across the federal government.

Revision of OMB Circular No. A-130, "Managing Information as a Strategic Resource"

OMB July 28, 2016 OMB has revised Circular A-130, "Managing Information as a Strategic Resource," to reflect changes in law and advances in technology. The revisions also ensure consistency with executive orders, presidential directives, recent OMB policy, and National Institute of Standards and Technology standards and guidelines. The Circular establishes general policy for information governance, acquisitions, records management, open data, workforce, security, and privacy. It also emphasizes the role of both privacy and security in the Federal information life cycle. (30 pages)

Letter Sent to 27 Executive Branch Offices Regarding Information Security Obligations Under the Federal Information Security Management Act (FISMA)

House Oversight and Government Reform Committee

July 26, 2016 The letter notes all agencies are required by law to submit annual reports to the committee and Office of Management and Budget—which is a part of EOP—and that the term "agency" was intentionally defined broadly in the legislation, which specifically mentions EOP as an example. Requests a copy of EOP's FISMA report or, if it doesn't exist, an explanation of why the office is exempt. (17 pages)

Category Management Policy 16-2: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response

OMB July 1, 2016 OMB issued a memorandum to all department heads outlining how agencies should go about contracting for identity protection services. Going forward, all agencies offering identity protection services to citizens or employees must contract through the General Services Administration's Identity Monitoring Data Breach Response and Protection Services (IPS) blanket purchase agreement (BPA). (3 pages)

President Obama Appoints Commission on Enhancing National Cybersecurity

White House April 13, 2016 President Barack Obama announced his intent to appoint individuals to the Commission on Enhancing National Cybersecurity.

Annual Report to Congress: Federal Information Security Modernization Act

OMB March 18, 2016

In 2015, government agencies reported 77,183 cybersecurity incidents, a 10% increase from 69,851 incidents in 2014. These incidents were reported by government agencies to the United States Computer Emergency Readiness Team (US-CERT). Sixteen percent of these were caused by "non-cyber" reasons, such as employees losing data storage devices that contained personally identifiable information. [See p. 39 for agency scores]. (95 pages)

Cybersecurity National Action Plan White House February 9, 2016

The White House proposed a Cybersecurity National Action Plan, which provides a 35% increase in federal funds for the next budget year to boost the nation's ability to safeguard its computer networks, both private and public, from attacks while preserving privacy.

Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government

OMB October 30, 2015

The document includes an update on the comprehensive review of the federal government's cyber policies, which took place during a 30-day "Cybersecurity Sprint" directed by the federal chief information officer in June 2015. The plan identifies a number of action items that the federal government will take in the coming year to improve the cybersecurity of the federal government networks. (21 pages)

Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements

OMB October 30, 2015

The White House is updating annual cybersecurity guidelines that provide a definition for a "major" cyber incident. The new definition is mandated by a 2014 update to the Federal Information Security Management Act (FISMA). Agencies can consult with the Department of Homeland Security about whether an incident meets the major threshold, but ultimately it's up to the victim agency to make the final call. (11 pages)

Appendix III to OMB Circular No. A-130: Responsibilities for Protecting Federal Information Resources

OMB October 21, 2015

The policy lays out guidance for managing IT investments, improving information security practices, and streamlining the process for acquiring new technology.

Strengthening & Enhancing Federal Cybersecurity for the 21st Century

OMB August 3, 2015

In July 2015, OMB launched a 30-day Cybersecurity Sprint to assess and improve the health of all federal assets and networks, both civilian and military. As part of the Sprint, OMB directed agencies to further protect federal information, improve the resilience of their networks, and report on their successes and challenges. Agencies were instructed to immediately patch critical vulnerabilities, review and tightly limit the number of privileged users with access to authorized systems, and dramatically accelerate the use of strong authentication, especially for privileged users.

Request for Comments on Improving Cybersecurity Protections in Federal Acquisitions

OMB July 30, 2015 OMB's Office of E-Government & Information Technology (E-Gov) is seeking public comment on draft guidance to improve cybersecurity protections in federal acquisitions. Threats to federal information systems have increased as agencies provide more services online and the demand to secure information on these systems increases. (1 page)

FACT SHEET: Administration Cybersecurity Efforts 2015

OMB July 9, 2015 The 30-day Cybersecurity Sprint, launched by the Obama Administration in the wake of the OPM breach, has resulted in a jump in the use of multi-factor ID authentication and tens of thousands of scans of federal networks for vulnerabilities. The White House released a fact sheet detailing what the Administration has done to improve cybersecurity. (9 pages)

FACT SHEET: Enhancing and Strengthening the Federal Government's Cybersecurity

OMB June 12, 2015 To further improve federal cybersecurity and protect systems against these evolving threats, the U.S. chief information officer (CIO) launched a 30-day Cybersecurity Sprint. The CIO instructed federal agencies to immediately take numerous steps to further protect federal information and assets and improve the resilience of federal networks. Agencies were instructed to immediately test networks for DHS-provided indicators, patch vulnerabilities flagged in weekly DHS scan reports, restrict the number of privileged user accounts and what they can do, and dramatically ramp up the use of multi-factor authentication, especially for sensitive users. On the latter three requirements, agencies were to report back to OMB and DHS on their progress within a month.

Management and Oversight of Information Technology Resources

OMB June 10, 2015 The guidance takes major steps toward ensuring agency CIOs have significant involvement in procurement, workforce, and technology-related budget matters while continuing a partnership with other senior leaders. It also takes major steps toward positioning CIOs so that they can reasonably be held accountable for how effectively their agencies use modern digital approaches to achieve the objectives of effective and efficient programs and operations. (34 pages)

Policy to Require Secure Connections across Federal Websites and Web Services

OMB June 8, 2015 In a memo to agency executives, federal CIO Tony Scott detailed four requirements for agencies to meet, starting with using a risk-based approach for determining which websites or web services to move to HTTPS first. Sites dealing with personally identifiable information (PII), where the content is sensitive, or where the site receives a high level of traffic should be migrated to HTTPS as soon as possible. Agencies have until Dec. 31, 2016, to move all public facing online services to the security standard. (5 pages)

White House Summit on Cybersecurity and Consumer Protection

White House February 13, 2015

The Summit brought together leaders from across the country who have a stake in this issue—industry, tech companies, law enforcement, consumer and privacy advocates, law professors who specialize in this field, and students—to collaborate and explore partnerships that will help develop the best ways to bolster U.S. cybersecurity. Topics included Public-Private Collaboration on Cybersecurity; Improving Cybersecurity Practices at Consumer-Oriented Businesses and Organizations; Promoting More Secure Payment Technologies; Cybersecurity Information Sharing; International Law Enforcement Cooperation on Cybersecurity; Improving Authentication: Moving Beyond the Password; and Chief Security Officers' Perspectives: New Ideas on Technical Security.

Strengthening our Nation's Cyber Defenses (Announcing Plans for a New Cyber Threat Intelligence Integration Center)

White House February 11, 2015

The White House will establish a new Cyber Threat Intelligence Integration Center, or CTIIC, under the auspices of the Director of National Intelligence. Currently, no single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other elements within the government, and supporting the work of operators and policymakers with timely intelligence about the latest cyber threats and threat actors. The CTIIC is intended to fill these gaps.

National Security Strategy White House February 6, 2015

The document states the United States will "defend ourselves, consistent with U.S. and international law, against cyberattacks and impose costs on malicious cyber actors, including through prosecution of illegal cyber activity." The strategy praises the NIST framework for cybersecurity and promises to work with Congress to "pursue a legislative framework that ensures high [cyber] standards" for critical infrastructure. The government will also work to develop "global standards for cybersecurity and building international capacity to disrupt and investigate cyber threats." The document also promises to help other nations improve the cybersecurity of their critical infrastructure and develop laws that punish hackers. (32 pages)

Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices

OMB October 3, 2014

OMB is making updates to streamline agency reporting of information security incidents to DHS's U.S. Computer Emergency Readiness Team (US-CERT) and to improve US-CERT's ability to respond effectively to information security incidents. Under the updates, losses of PII caused by non-electronic means must be reported within one hour of a confirmed breach to the agency privacy office rather than to US-CERT. (17 pages)

Assessing Cybersecurity Regulations

White House May 22, 2014 The White House directed federal agencies to examine their regulatory authority over private-sector cybersecurity in the February 2013 executive order that also created the National Institute of Standards and Technology (NIST) cybersecurity framework. A review of agency reports concluded that "existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks." No new federal regulations are needed for improving the cybersecurity of privately held American critical infrastructure.

Federal Information Security Management Act, Annual Report to Congress

OMB May 1, 2014 The 24 largest federal departments and agencies spent $10.34 billion on cybersecurity in fiscal year 2014. The Chief Financial Officers Act agency with the greatest expenditure was the DOD at $7.11 billion, followed by DHS at $1.11 billion. Federal agencies' collective request for cybersecurity spending during FY2015 amounts to about $13 billion, federal CIO Steven VanRoekel told reporters during the March rollout of the White House spending proposal for the coming fiscal year—making cybersecurity a rare area of federal information technology spending growth. (80 pages)

Big Data: Seizing Opportunities, Preserving Values

White House May 2014 The findings outline a set of consumer protection recommendations, including that Congress should pass legislation establishing a "single national data breach standard." (85 pages)

State and Local Government Cybersecurity

White House April 2, 2014 The White House in March 2014 convened an array of stakeholders, including government representatives, local-government-focused associations, private-sector technology companies, and partners from multiple federal agencies at the State and Local Government Cybersecurity Framework Kickoff Event.

Liberty and Security in a Changing World: Report and Recommendations of The President's Review Group on Intelligence and Communications Technologies

The President's Review Group on Intelligence and Communications Technologies

December 12, 2013

From the report, "The national security threats facing the United States and our allies are numerous and significant, and they will remain so well into the future. These threats include international terrorism, the proliferation of weapons of mass destruction, and cyber espionage and warfare.... After careful consideration, we recommend a number of changes to our intelligence collection activities that will protect [privacy and civil liberties] values without undermining what we need to do to keep our nation safe." (308 pages)

Immediate Opportunities for Strengthening the Nation's Cybersecurity

President's Council of Advisors on Science and Technology (PCAST)

November 2013

The report recommends the government phase out insecure, outdated operating systems, such as Windows XP; implement better encryption technology; and encourage automatic security updates, among other changes. PCAST also recommends that the government help create cybersecurity best practices and audit their adoption in regulated industries. For independent agencies, PCAST proposes writing new rules that require businesses to report their cyber improvements. (31 pages)

Cross Agency Priority Goal: Cybersecurity, FY2013 Q3 Status Report

Performance.gov October 2013 Executive branch departments and agencies achieved 95% implementation of the Administration's priority cybersecurity capabilities by the end of FY2014. These capabilities include strong authentication, Trusted Internet Connections (TIC), and continuous monitoring. (24 pages)

Incentives to Support Adoption of the Cybersecurity Framework

White House August 6, 2013

From the report, "To promote cybersecurity practices and develop these core capabilities, we are working with critical infrastructure owners and operators to create a Cybersecurity Framework – a set of core practices to develop capabilities to manage cybersecurity risk.... Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders."

FY2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002

OMB March 2013 More government programs violated data security law standards in 2012 than in the previous year. At the same time, computer security costs have increased by more than $1 billion. Inadequate training was a large part of the reason all-around scores for adherence to the Federal Information Security Management Act of 2002 (FISMA) slipped from 75% in 2011 to 74% in 2012. Agencies reported that about 88% of personnel with system access privileges received annual security awareness instruction, down from 99% in 2011. Meanwhile, personnel expenses accounted for the vast majority—90%—of the $14.6 billion departments spent on information technology security in 2012. (68 pages)

Administration Strategy for Mitigating the Theft of U.S. Trade Secrets

Executive Office of the President

February 20, 2013

From the report, "First, we will increase our diplomatic engagement.... Second, we will support industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.... Third, DOJ will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.... Fourth, President Obama recently signed two pieces of legislation that will improve enforcement against trade secret theft.... Lastly, we will increase public awareness of the threats and risks to the U.S. economy posed by trade secret theft." (141 pages)

National Strategy for Information Sharing and Safeguarding

White House December 2012

Provides guidance for effective development, integration, and implementation of policies, processes, standards, and technologies to promote secure and responsible information sharing. (24 pages)


Collaborative and Cross-Cutting Approaches to Cybersecurity

White House August 1, 2012

Michael Daniel, White House cybersecurity coordinator, highlights initiatives in which voluntary, cooperative actions helped to improve the nation's overall cybersecurity.

Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program

Executive Office of the President

December 2011

As a research and development strategy, this plan defines four strategic thrusts: (1) inducing change, (2) developing scientific foundations, (3) maximizing research impact, and (4) accelerating transition to practice. (36 pages)

FY2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

OMB September 14, 2011

Rather than enforcing a static, three-year reauthorization process, agencies conduct ongoing authorizations of information systems by implementing continuous monitoring programs. These programs thus fulfill the three-year security reauthorization requirement, so a separate reauthorization process is not necessary. (29 pages)

Cybersecurity Legislative Proposal (Fact Sheet)

White House May 12, 2011 The Administration's proposal ensures the protection of individuals' privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. The Administration's legislative proposal includes management, personnel, intrusion-prevention systems, and data centers.

International Strategy for Cyberspace

White House May 2011 The strategy marks the first time any Administration has attempted to set forth in one document the U.S. government's vision for cyberspace, including goals for defense, diplomacy, and international development. (30 pages)

National Strategy for Trusted Identities in Cyberspace (NSTIC)

White House April 15, 2011 The NSTIC aims to make online transactions more trustworthy, thereby giving businesses and consumers more confidence in conducting business online. (52 pages)

Federal Cloud Computing Strategy White House February 13, 2011

The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance. (43 pages)

25 Point Implementation Plan to Reform Federal Information Technology Management

White House December 9, 2010

The plan aims to reduce the number of federally run data centers from 2,100 to approximately 1,300, rectify or cancel one-third of troubled IT projects, and require federal agencies to adopt a "cloud first" strategy in which they will move at least one system to a hosted environment within a year. (40 pages)

Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed

Government Accountability Office (GAO)

October 6, 2010

Of the 24 recommendations in the President's May 2009 cyber policy review report, 2 were fully implemented and 22 were partially implemented. Although these efforts appeared to be steps forward, agencies were largely not able to provide milestones and plans that showed when and how implementation of the recommendations was to occur. (66 pages)

Comprehensive National Cybersecurity Initiative (CNCI)

White House March 2, 2010 The CNCI establishes a multipronged approach the federal government is to take in identifying current and emerging cyber threats, shoring up current and future telecommunications and cyber vulnerabilities, and responding to or proactively addressing entities that wish to steal or manipulate protected data on secure federal systems. (5 pages)

Cyberspace Policy Review: Assuring a Trusted and Resilient Communications Infrastructure

White House May 29, 2009 The President directed a 60-day, comprehensive, "clean-slate" review to assess U.S. policies and structures for cybersecurity. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, state governments, international partners, and the legislative and executive branches. The paper summarizes the review team's conclusions and outlines the beginning of the way forward toward a reliable, resilient, trustworthy digital infrastructure for the future. (76 pages)

Source: Highlights compiled by CRS from the White House reports.

Notes: Resources with page counts are documents; other cited resources are web pages. For a list of White House executive orders, see CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan.

Table 6. Cybersecurity Framework (NIST) and Information Sharing

(NIST's Feb. 12, 2014 Cybersecurity Framework, and proposals for cyberthreat information sharing among federal and private stakeholders)

Title Source Date Notes

Information Sharing and Analysis Organizations (ISAOs)

DHS Continuously updated

Many companies have found it challenging to develop effective information sharing organizations—or Information Sharing and Analysis Organizations (ISAOs). In response, President Obama issued the 2015 Executive Order 13691 directing DHS to encourage the development of ISAOs.

Cybersecurity Framework: Implementation Guidance for Federal Agencies, Interagency Report 8170

NIST May 2017 The draft says federal agencies can use the cybersecurity framework to complement the existing suite of NIST security and privacy risk management standards, guidelines, and practices developed in response to the Federal Information Security Management Act. (41 pages)

Proposed Update to the Framework for Improving Critical Infrastructure Cybersecurity (Request for Comment)

NIST January 25, 2017

NIST has developed a draft update of the framework (termed "Version 1.1" or "V1.1"), available at http://www.nist.gov/cyberframework. The draft update seeks to clarify, refine, and enhance the framework, and make it easier to use, while retaining its flexible, voluntary, and cost-effective nature. The update will also be fully compatible with the February 2014 version of the framework in that either version may be used by organizations without degrading communication or functionality. NIST is soliciting public comments on this proposed update. Specifically, NIST is interested in comments that address updated features of the Framework. (2 pages)

ISAO Voluntary Guidelines ISAO Standards Organization

September 2016

The ISAO SO has published initial voluntary guidelines for emerging and established ISAOs. These publications have been developed in response to presidential Executive Order 13691 to provide guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.

The NIST Cybersecurity Framework and the FTC

Federal Trade Commission

August 31, 2016

From the perspective of the staff of the FTC, NIST's Cybersecurity Framework is consistent with the process-based approach that the FTC has followed since the late 1990s, the 60+ law enforcement actions the FTC has brought to date, and the agency's educational messages to companies.... The framework and the FTC's approach are fully consistent: The types of things the framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company's data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST framework takes a similar approach to the FTC's long-standing Section 5 enforcement.

Network of 'Things' NIST July 28, 2016 The publication provides a basic model aimed at helping researchers better understand the Internet of Things (IoT) and its security challenges. The Network of Things (NoT) model is based on four fundamentals at the heart of IoT—sensing, computing, communication and actuation. The model's five building blocks, called "primitives," are core components of distributed systems. They provide a vocabulary to compare different NoTs that can be used to aid understanding of IoTs. (Note: This document was initially released as a draft in mid-February 2016 under a different technical publication series, the NIST Interagency Report (NISTIR) series, as Draft NISTIR 8063, Internet of Things. After considerable review, it was decided that when the draft was approved as final it would be placed into the Special Publication 800 series as SP 800-183, Network of 'Things'. This final Special Publication therefore replaces Draft NISTIR 8063.) (30 pages)

Revision of OMB Circular No. A-130, "Managing Information as a Strategic Resource"

OMB July 28, 2016 OMB has revised Circular A-130, "Managing Information as a Strategic Resource," to reflect changes in law and advances in technology. The circular establishes general policy for information governance, acquisitions, records management, open data, workforce, security, and privacy. It also emphasizes the role of both privacy and security in the federal information life cycle. When implemented by agencies, these revisions to the circular will promote innovation, enable appropriate information sharing, and foster the wide-scale and rapid adoption of new technologies while strengthening protections for security and privacy.

Cybersecurity Framework Feedback: What We Heard and Next Steps

NIST June 9, 2016 NIST is developing a minor update of its Cybersecurity Framework based on feedback from its users. A draft of the update will be published for comment in early 2017. The rich body of stakeholder feedback called for other actions that NIST will undertake: publish a governance process that outlines the process of framework maintenance and evolution and defines the role of stakeholders and how they will continue to work together in the future; remain as convener of framework stakeholders; and continue framework outreach and focus on international, small and medium-sized businesses and regulators. (10 pages)

Information Sharing and Analysis Organization

DHS May 11, 2016 "This Notice announces a request for public commenton draft products produced by the Information Sharingand Analysis Organization (ISAO) StandardsOrganization (SO) in partnership with the sixestablished ISAO SO Standards Working Groups(SWG). This is the first iteration of draft products thatwill be used in the development of voluntary standardsfor Information Sharing and Analysis Organizations(ISAOs) as they relate to E.O. 13691." (2 pages)

NPPD Seeks Comments on Cyber Incident Data Repository White Papers
DHS National Protection and Programs Directorate (NPPD), March 28, 2016
NPPD is seeking public comment on three white papers prepared by NPPD staff. Links to the white papers are posted on the cybersecurity insurance section of DHS.gov. Comments will assist NPPD in further refining the content of the white papers to address the critical need for information sharing as a means to create a more robust cybersecurity insurance marketplace and improve enterprise cyber hygiene practices across the public and private sectors. (2 pages)

Multistakeholder Process To Promote Collaboration on Vulnerability Research Disclosure
NTIA, March 28, 2016
NTIA convened a meeting of a multistakeholder process concerning the collaboration between security researchers and software and system developers and owners to address security vulnerability disclosure. Stakeholders engaged in an open, transparent, consensus-driven process to develop voluntary principles guiding the collaboration between vendors and researchers about vulnerability information. (1 page)

Cybersecurity Information Sharing Act of 2015 Interim Guidance Documents - Notice of Availability
NPPD, February 18, 2016
DHS announced the availability of Cybersecurity Information Sharing Act of 2015 Interim Guidance Documents jointly issued with the Department of Justice (DOJ) in compliance with the act (CISA), which authorizes the voluntary sharing and receiving of cyber threat indicators and defensive measures for cybersecurity purposes, consistent with certain protections, including privacy and civil liberty protections. The CISA guidance documents may be found at http://www.us-cert.gov/ais. (1 page)

NIST Seeking Comments on the Framework for Improving Critical Infrastructure Cybersecurity
National Institute of Standards and Technology (NIST), December 11, 2015
NIST requested information about the variety of ways in which the Framework for Improving Critical Infrastructure Cybersecurity is being used to improve cybersecurity risk management, how best practices using the framework are shared, the relative value of different parts of the framework, the possible need for a framework update, and options for long-term governance of the framework. (3 pages)

Notice of Public Meeting Regarding Standards for Information Sharing and Analysis Organizations
DHS, October 26, 2015
In accordance with EO 13691, DHS has entered into a cooperative agreement with a non-governmental ISAO Standards Organization led by the University of Texas at San Antonio with support from the Logistics Management Institute (LMI) and the Retail Cyber Intelligence Sharing Center (R-CISC). The notice announces the ISAO Standards Organization's initial public meeting on November 9, 2015, to discuss standards for the development of ISAOs. (2 pages)

Standards for Information Sharing and Analysis Organizations (ISAO)
DHS, May 26, 2015
DHS posted a cooperative agreement funding notice for the organization that will set standards for ISAOs. The grant will be worth up to $11 million over five years. The notice rules out Mitre as a possible bidder, because it excludes federally funded research and development centers (FFRDCs) and laboratories. However, FFRDCs can be hired by the standards organization for specific projects.

Cybersecurity Risk Management and Best Practices (WG4): Cybersecurity Framework for the Communications Sector
Federal Communications Commission (FCC), March 18, 2015
The Communications Security, Reliability and Interoperability Council (CSRIC) is a federal advisory committee that provides recommendations to the FCC regarding best practices and actions the commission can take to help ensure the security, reliability, and interoperability of communications systems and infrastructure. The CSRIC approved a report that identifies best practices, provides a variety of important tools and resources for communications companies of different sizes and types to manage cybersecurity risks, and recommends a path forward. (418 pages)

Update on the Cybersecurity Framework
NIST, December 5, 2014
In a status update, NIST said there was widespread agreement among stakeholders that it was too early to update the framework. NIST will consider producing additional guidance for using the framework, including how to apply the little-understood four-tiered system for gauging organizational cybersecurity program sophistication. In general, information and training materials that advance framework use, including illustrative examples, were to be an immediate priority for NIST. (8 pages)

Energy Sector Cybersecurity Framework Implementation Guidance - Draft For Public Comment and Comment Submission Form
Department of Energy (DOE) Office of Electricity Delivery and Energy Reliability, September 12, 2014
Energy companies need not choose between the NIST cybersecurity framework and DOE's Cybersecurity Capability Maturity Model (C2M2). The NIST framework tells organizations to grade themselves on a four-tier scale based on their overall cybersecurity program sophistication. C2M2 instructs users to assess cybersecurity control implementation across 10 domains of cybersecurity practices, such as situational awareness, according to the users' specific "maturity indicator level."

Guidelines for Smart Grid Cybersecurity, Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements
NIST, September 2014
The three-volume report presents an analytical framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of smart grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of smart grid stakeholders, from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations, can use the methods and supporting information in the report as guidance for assessing risk and identifying and applying appropriate security requirements. The approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization's cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify. (668 pages)

How Do We Know What Information Sharing Is Really Worth? Exploring Methodologies to Measure the Value of Information Sharing and Fusion Efforts
RAND Corporation, June 2014
Given resource constraints, there are concerns about the effectiveness of information-sharing and fusion activities and, therefore, their value relative to the public funds invested in them. Solid methods for evaluating these efforts are lacking, however, limiting the ability to make informed policy decisions. Drawing on a substantial literature review and synthesis, the report lays out the challenges of evaluating information-sharing efforts that frequently seek to achieve multiple goals simultaneously; reviews past evaluations of information-sharing programs; and lays out a path to improving the evaluation of such efforts. (33 pages)

Sharing Cyberthreat Information Under 18 USC § 2702(a)(3)
Department of Justice (DOJ), May 9, 2014
DOJ issued guidance for Internet service providers to assuage legal concerns about information sharing. The white paper interprets the Stored Communications Act, which prohibits providers from voluntarily disclosing customer information to governmental entities. The paper says that the law does not prohibit companies from divulging data in the aggregate, without any specific details about identifiable customers. (7 pages)

Antitrust Policy Statement on Sharing of Cybersecurity Information
DOJ and Federal Trade Commission (FTC), April 10, 2014
Information sharing about cyber threats can be done lawfully as long as companies are not discussing competitive information such as pricing, the Justice Department and Federal Trade Commission said in a joint statement. "Companies have told us that concerns about antitrust liability have been a barrier to being able to openly share cyber threat information," said Deputy Attorney General James Cole. "Antitrust concerns should not get in the way of sharing cybersecurity information." (9 pages)

Framework for Improving Critical Infrastructure Cybersecurity
NIST, February 12, 2014
The voluntary framework consists of cybersecurity standards that can be customized to various sectors and adapted by both large and small organizations. DHS announced the Critical Infrastructure Cyber Community (C3), or "C-cubed," voluntary program. The C3 program gives state and local governments and companies that provide critical services, such as cell phones, email, banking, and energy, direct access to DHS cybersecurity experts who have knowledge about specific threats, ways to counter those threats, and how, over the long term, to design and build systems that are less vulnerable to cyber threats. (41 pages)

Update on the Development of the Cybersecurity Framework
NIST, January 15, 2014
From the document, "While stakeholders have said they see the value of guidance relating to privacy, many comments stated a concern that the methodology did not reflect consensus private sector practices and therefore might limit use of the Framework. Many commenters also stated their belief that privacy considerations should be fully integrated into the Framework Core." (3 pages)

Cybersecurity Framework
NIST, October 22, 2013
NIST sought comments on the preliminary version of the Cybersecurity Framework. Executive Order 13636 directed NIST to work with stakeholders to develop such a framework to reduce cyber risks to critical infrastructure. (47 pages)

Discussion Draft of the Preliminary Cybersecurity Framework
NIST, August 28, 2013
The framework provides a common language and mechanism for organizations to (1) describe current cybersecurity posture; (2) describe their target state for cybersecurity; (3) identify and prioritize opportunities for improvement within the context of risk management; (4) assess progress toward the target state; and (5) foster communications among internal and external stakeholders. (36 pages)

Cyber Security Task Force: Public-Private Information Sharing
Bipartisan Policy Center, July 2012
Outlines a series of proposals to enhance information sharing. The recommendations have two major components: (1) mitigating perceived legal impediments to information sharing, and (2) incentivizing private-sector information sharing by alleviating statutory and regulatory obstacles. (24 pages)

Annual Report to Congress 2012: National Security Through Responsible Information Sharing
Information Sharing Environment, June 30, 2012
The report states, "This Report, which PM-ISE is submitting on behalf of the President, incorporates input from our mission partners and uses their initiatives and PM-ISE's management activities to provide a cohesive narrative on the state and progress of terrorism-related responsible information sharing, including its impact on our collective ability to secure the nation and our national interests." (188 pages)

NICE Cybersecurity Workforce Framework
National Initiative for Cybersecurity Education (NICE), November 21, 2011
The federal government's adoption and implementation of cloud computing depend upon a variety of technical and nontechnical factors. A fundamental reference point, based on the NIST definition of cloud computing, is needed to describe an overall framework that can be used government-wide. The document presents the NIST Cloud Computing Reference Architecture and Taxonomy that will accurately communicate the components and offerings of cloud computing. (35 pages)

Improving our Nation's Cybersecurity through the Public-Private Partnership: A White Paper
Business Software Alliance, Center for Democracy and Technology, U.S. Chamber of Commerce, Internet Security Alliance, and TechAmerica, March 8, 2011
The paper proposes expanding the existing partnership within the framework of the National Infrastructure Protection Plan. Specifically, it makes a series of recommendations that build upon the conclusions of President Obama's Cyberspace Policy Review. (26 pages)

Efforts to Improve Information Sharing Need to Be Strengthened
Government Accountability Office (GAO), August 27, 2003
Information on threats, methods, and techniques of terrorists is not routinely shared, and the information that is shared is not perceived as timely, accurate, or relevant. (59 pages)

Source: Highlights compiled by CRS from the reports.

Note: Entries with page counts are documents; other cited resources are web pages.

Table 7. Department of Homeland Security (DHS)

(reports and audits)

Title Source Date Notes

Office of Cybersecurity and Communications (CS&C)
DHS, Continuously Updated
CS&C works to prevent or minimize disruptions to critical information infrastructure to protect the public, the economy, and government services, and leads efforts to protect the federal ".gov" domain of civilian government networks and to collaborate with the private sector (the ".com" domain) to increase the security of critical networks.

Continuous Diagnostics and Mitigation (CDM) Program
DHS, Continuously Updated
An initiative to deploy continuous monitoring at U.S. federal government agencies will be done in phases, with the initial rollout occurring over three years. The initial phase is aimed at getting federal civilian agencies to employ continuous diagnostic tools to improve vulnerability management, enforce strong compliance settings, manage hardware and software assets, and establish whitelisting of approved services and applications.

Mobile Device Security
DHS, April 2017
The study found that threats to the federal government's use of mobile devices (smartphones and tablet computers running mobile operating systems) exist across all elements of the mobile ecosystem. These threats require a security approach that differs substantially from the protections developed for desktop workstations, largely because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections, and have evolved independently of desktop architectures. The study presents a series of recommendations to enhance the federal government's mobile device security. (125 pages)

Information Security: DHS Needs to Continue to Advance Initiatives to Protect Federal Systems
GAO, March 28, 2017
DHS has initiatives for (1) detecting and preventing malicious cyber intrusions into agencies' networks and (2) deploying technology to assist agencies to continuously diagnose and mitigate cyber threats and vulnerabilities. In a January 2016 report, GAO made nine recommendations related to expanding NCPS's capability to detect cyber intrusions, notifying customers of potential incidents, providing analytic services, and sharing cyber-related information, among other things. DHS concurred with the recommendations and is taking actions to implement them. (16 pages)

Cybersecurity: Actions Needed to Strengthen U.S. Capabilities
GAO, February 1, 2017
"GAO recommends nine actions to DHS for enhancing the effectiveness and efficiency of NCCIC, including to determine the applicability of the implementing principles and establish metrics and methods for evaluating performance; and address identified impediments." (67 pages)

Critical Infrastructure Protection: Improvements Needed for DHS's Chemical Facility Whistleblower Report Process
GAO, July 12, 2016
The Chemical Facility Anti-Terrorism Standards (CFATS) Act of 2014 required DHS to establish a whistleblower process. Employees and contractors at hundreds of thousands of U.S. facilities with hazardous chemicals can play an important role in helping to ensure CFATS compliance by submitting a whistleblower report when they suspect noncompliance. This report addresses (1) the number and types of CFATS whistleblower reports DHS received, and any actions DHS took as a result, and (2) the extent to which DHS has implemented and followed a process to address the whistleblower reports, including reports of retaliation against whistleblowers. (49 pages)

Cybersecurity Information Sharing Act of 2015 Final Guidance Documents - Notice of Availability
DHS, June 15, 2016
DHS is announcing the availability of Cybersecurity Information Sharing Act of 2015 (CISA) Final Guidance Documents jointly issued with the Department of Justice (DOJ) in compliance with the act, which authorizes the voluntary sharing and receiving of cyber threat indicators and defensive measures for cybersecurity purposes, consistent with certain protections, including privacy and civil liberty protections. The CISA-mandated final procedures and guidance, as well as an updated version of the non-federal entity sharing guidance, may be found at www.us-cert.gov/ais. (2 pages)

DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System
GAO, January 28, 2016
DHS's National Cybersecurity Protection System (NCPS) is partially meeting its stated system objectives.... Federal agencies have adopted NCPS to varying degrees. The 23 agencies required to implement the intrusion detection capabilities had routed some traffic to NCPS intrusion detection sensors. However, only 5 of the 23 agencies were receiving intrusion prevention services, but DHS was working to overcome policy and implementation challenges. Further, agencies have not taken all the technical steps needed to implement the system, such as ensuring that all network traffic is being routed through NCPS sensors. This occurred in part because DHS has not provided network routing guidance to agencies. As a result, DHS has limited assurance regarding the effectiveness of the system. (61 pages)

DHS Can Strengthen Its Cyber Mission Coordination Efforts
Department of Homeland Security (DHS), OIG, September 15, 2015
DHS still struggles to coordinate its cyber-response activities and lacks an automated information-sharing tool to share cyberthreat data among components within the department, let alone between government and the private sector, which the Obama Administration and some lawmakers have been pressing for. In addition, the IG found scattershot training for cybersecurity professionals in the department, with some analysts paying for their own training courses to keep their skills fresh. (36 pages)

IT Security Suffers from Noncompliance
DHS Office of Inspector General (OIG), December 22, 2014
DHS has made progress in improving its information security program, but noncompliance by several DHS component agencies is undermining that effort. The OIG raised concerns over a lack of compliance by these components and urged DHS leadership to strengthen its oversight and enforcement of existing security policies. (2 pages)

Health Insurance Marketplaces Generally Protected Personally Identifiable Information but Could Improve Certain Information Security Controls
Department of Homeland Security (DHS), OIG, September 22, 2014
The websites and databases in some state health insurance exchanges are still vulnerable to attack, putting personally identifiable information at risk. The report examined the websites and databases of the federal insurance exchange, as well as the state exchanges for Kentucky and New Mexico.

Implementation Status of the Enhanced Cybersecurity Services Program
DHS OIG, July 2014
The National Protection and Programs Directorate (NPPD) has made progress in expanding the Enhanced Cybersecurity Services program. As of May 2014, 40 critical infrastructure entities were participating in the program and 22 companies had signed memorandums of agreement to join the program. Although progress has been made, the program has been slow to expand because of limited outreach and resources. In addition, cyber threat information sharing relies on NPPD's manual reviews and analysis, which has led to inconsistent cyber threat indicator quality. (23 pages)

The Critical Infrastructure Cyber Community C³ Voluntary Program
Department of Homeland Security (DHS), February 12, 2014
The C³ Voluntary Program serves as a point of contact and a customer relationship manager to assist organizations with using the Cybersecurity Framework and to guide interested organizations and sectors to DHS and other public and private-sector resources to support use of the framework.

ITI Recommendations to the Department of Homeland Security Regarding its Work Developing a Voluntary Program Under Executive Order 13636, "Improving Critical Infrastructure Cybersecurity"
Information Technology Industry Council (ITI), February 11, 2014
ITI released a set of recommendations eyeing further improvement of the framework, changes that call for DHS to "de-emphasize the current focus on incentives." In part, ITI recognizes that the cyber order can produce change even in an environment in which fiscal constraints and congressional inaction stall carrots for adoption, but ITI and others "do not want incentives if they come at the cost of" compliance-based programs. (3 pages)

Evaluation of DHS' Information Security Program for Fiscal Year 2013
DHS OIG, November 2013
The report reiterates that the agency uses outdated security controls and Internet connections that are not verified as trustworthy and that the agency does not review its top-secret information systems for vulnerabilities. (50 pages)

DHS' Efforts to Coordinate the Activities of Federal Cyber Operations Centers
DHS OIG, October 2013
DHS could do a better job sharing information among the five federal centers that coordinate cybersecurity work. The department's National Cybersecurity and Communications Integration Center (NCCIC) is tasked with sharing information about malicious activities on government networks with cybersecurity offices within DOD, the Federal Bureau of Investigation (FBI), and federal intelligence agencies. But the DHS center and the five federal cybersecurity hubs all have different technology and resources, preventing them from sharing intrusion, threat, or awareness information and restricting their ability to coordinate responses. The centers also have not created a standard set of categories for reporting incidents. (29 pages)

DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts
GAO, September 17, 2013
Within DHS, positions at a key cybersecurity component are vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate (NPPD) officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances and low pay in comparison with the private sector. (47 pages)

DHS Can Take Actions to Address Its Additional Cybersecurity Responsibilities
DHS, June 2013
The National Protection and Programs Directorate (NPPD) was audited to determine whether the Office of Cybersecurity and Communications had effectively implemented its additional cybersecurity responsibilities to improve the security posture of the federal government. Although it has made some progress, NPPD can make further improvements to address its additional cybersecurity responsibilities. (26 pages)

Privacy Impact Assessment for EINSTEIN 3 Accelerated (E3A)
DHS, April 19, 2013
DHS deployed EINSTEIN 3 Accelerated (E3A) to enhance cybersecurity analysis, situational awareness, and security response. Under DHS's direction, Internet service providers will administer intrusion prevention and threat-based decisionmaking on network traffic entering and leaving participating federal civilian executive branch agency networks. This Privacy Impact Assessment (PIA) was conducted because E3A will include analysis of federal network traffic, which may contain personally identifiable information. (27 pages)

Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts
GAO, April 11, 2013
Until DHS and its sector partners develop appropriate outcome-oriented metrics, it will be difficult to gauge the effectiveness of efforts to protect the nation's core and access communications networks and the Internet's critical support components from cyber incidents. Although no cyber incidents affecting the nation's core and access networks have been reported, communications network operators can use reporting mechanisms established by the Federal Communications Commission and DHS to share information on outages and incidents. (45 pages)

Federal Support for and Involvement in State and Local Fusion Centers
U.S. Senate Permanent Subcommittee on Investigations, October 3, 2012
A two-year bipartisan investigation found that DHS efforts to engage state and local intelligence "fusion centers" have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, "Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts," Part G, "Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts," the report discusses the Russian "cyberattack" in Illinois. (141 pages)

CyberSkills Task Force Report
DHS, October 2012
DHS's task force on CyberSkills proposes far-reaching improvements to enable the department to recruit and retain the cybersecurity talent it needs. (41 pages)

DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened
GAO, September 23, 2010
DHS has not developed an effective way to ensure that critical national infrastructure, such as electrical grids and telecommunications networks, can bounce back from a disaster. DHS conducted surveys and vulnerability assessments of critical infrastructure to identify gaps but has not developed a way to measure whether owners and operators of that infrastructure adopt measures to reduce risks. (46 pages)

Source: Highlights compiled by CRS from the reports.

Note: Entries with page counts are documents; other cited resources are web pages.

Table 8. Department of Defense (DOD)

(reports by and audits of)

Title Source Date Notes

DOD Cyber Strategy
DOD, Continuously Updated
The strategy guides the development of DOD's cyber forces and strengthens its cyber defense and cyber deterrence posture. It focuses on building cyber capabilities and organizations for DOD's three primary cyber missions.

Defense Industrial Base (DIB) Cybersecurity and Information Assurance (CS/IA) Program
DOD, Continuously Updated
DOD established the Defense Industrial Base (DIB) Cybersecurity and Information Assurance (CS/IA) Program to enhance and supplement DIB participants' capabilities to safeguard DOD information that resides on or transits DIB unclassified networks or information systems. The public-private cybersecurity partnership is designed to improve DIB network defenses, reduce damage to critical programs, and increase DOD and DIB cyber situational awareness. Under the DIB CS/IA Program, DOD and DIB participants share unclassified and classified cyber threat information.

Program Protection and System Security Engineering Initiative
DOD Systems Engineering, Continuously Updated
DOD systems have become increasingly networked, software-intensive, and dependent on a complicated global supply chain, which has increased the importance of security as a systems engineering design consideration. In response to this new reality, DOD has established Program Protection/System Security Engineering as a key discipline to protect technology, components, and information from compromise through the cost-effective application of countermeasures to mitigate risks posed by threats and vulnerabilities. The analysis, decisions, and plans of acquisition programs are documented in a Program Protection Plan, which is updated prior to every milestone decision.

PERSEREC (Personnel and Security Research Center)
DOD Office of People Analytics (OPA), Continuously Updated
The Pentagon is slated to launch one mega database for investigating the trustworthiness of personnel who could have access to federal facilities and computer systems. The Defense Information System for Security, or DISS, will consolidate two existing tools used for vetting employees and job applicants.

Cyber Power Potential of the Army's Reserve Component
RAND, September 2017
This report identifies the number of Army Reserve Component (RC) cyber-skilled personnel to help identify ways in which these soldiers can be leveraged to conduct Army cyber operations. The report also describes the broader challenges and opportunities that the use of RC personnel presents. (206 pages)

DOD's Monitoring of Progress in Implementing Cyber Strategies Can Be Strengthened
GAO, August 1, 2017
The report examines (1) DOD officials' perspectives on the advantages and disadvantages of the dual-hat leadership arrangement of NSA/CSS and CYBERCOM, and actions that could mitigate risks if the leadership arrangement ends, and (2) the extent to which DOD has implemented key strategic cybersecurity guidance. GAO analyzed DOD cybersecurity strategies, guidance, and information and interviewed cognizant DOD officials. (46 pages)

Statement by President Donald J. Trump on the Elevation of Cyber Command
White House, July 18, 2017
President Trump elevated U.S. Cyber Command to a full combatant command. U.S. Cyber Command's elevation will also help streamline command and control of time-sensitive cyberspace operations by consolidating them under a single commander with authorities commensurate with the importance of such operations. Elevation will also ensure that critical cyberspace operations are adequately funded.

154th Cyber Protection Team engaged in network defense at Cybertropolis, Indiana
Army Cyber Command, March 2, 2017
The U.S. Army has created a realistic simulator that allows each member of the CPT to test, measure, and improve their cyberattack and defense skills and the team to build trust in each other. In a full-scale small city in Butlerville, Indiana, called Cybertropolis, the team was challenged to conduct an interactive battle against attackers on the prison systems and, specifically, to detect and counter anti-virus evasion, network enumeration, ransomware, client-side attacks, pivoting, network service exploitation, privilege escalation, attacks against industrial control systems, and Windows domain attacks.

Cyber Supply Chain Defense ScienceBoard

February 2017 The task force addressed (1) practices to mitigatemalicious supply chain risk and latentvulnerabilities, and whether opportunities exist tomodify or strengthen these practices; (2) currentdepartment program protection processes, as wellas other practices to detect and assess potentialvulnerabilities in hardware and software; (3) theextent to which commercial off the shelfvulnerabilities have been reported and impact thesecurity of DOD systems; and (4)• interagencyactivities that DOD could better leverage toreduce supply chain risks.

DoD Cybersecurity Weaknesses asReported in Audit Reports Issued fromAugust 2015 Through July 31, 2016

DoD Office ofInspector General

December 13,2016

Summarized DOD and GovernmentAccountability Office audit reports issued fromAugust 1, 2015, through July 31, 2016, thatcontained findings on DOD cybersecurityweaknesses. DOD and GAO issued 21unclassified reports that addressed a wide range ofcybersecurity weaknesses within DOD systemsand networks. Reports issued during the reportingperiod most frequently cited cybersecurityweaknesses in the categories of risk management,identity and access management, security andprivacy training, contractor systems, andconfiguration management. (40 pages)

Office of the Director Operational Testand Evaluation FY 2016 AnnualReport

DOD December 2016 DOD personnel too often treat network defense asan administrative function, not a war fightingcapability. Until this paradigm changes, and thechange is reflected in the department's approachto cybersecurity personnel, resource allocation,training, accountability, and program and networkmanagement, the department will continue tostruggle to adequately defend its systems andnetworks from advanced cyberattacks. (532pages)

DOD's Defense Industrial BaseCybersecurity Activities

DOD October 4, 2016 This final rule responds to public comments andupdates DOD's Defense Industrial Base (DIB)Cybersecurity (CS) Activities. This rule

Page 103: Cybersecurity: Cybercrime and National Security ... · coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes:

implements mandatory cyber incident reportingrequirements for DOD contractors andsubcontractors who have agreements with DOD.In addition, the rule modifies eligibility criteria topermit greater participation in the voluntary DIBCS information sharing program. (6 pages)

DoD's Policies, Procedures, and Practices for Information Security Management of Covered Systems
DoD Inspector General, August 15, 2016
As part of a review mandated by the 2015 Cybersecurity Act, DOD's inspector general offers summaries, not assessments, of the department's policies and procedures on logical access control policies and practices, use of multifactor authentication, software inventory, threat prevention, and contractor oversight. (66 pages)

What is NORAD's Role in Military Cyber Attack Warning?
Homeland Security Affairs, May 2016
The essay traces NORAD's warning mission history, discusses the basic concepts involved with cyberattacks, identifies key U.S. and Canadian military cyber organizations, and examines significant U.S. and Canadian cyberspace government policies. It then proposes three potential new courses of action for NORAD, identifying advantages, disadvantages, and proposed solutions to implementation. (24 pages)

DOD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities during Cyber Incidents, Report to Congressional Committees
GAO, April 4, 2016
This report assesses the extent to which DOD has developed guidance that clearly defines the roles and responsibilities for providing support to civil authorities in response to a cyber incident. GAO reviewed DOD DSCA guidance, policies, and plans; and met with relevant DOD, National Guard Bureau, and Department of Homeland Security officials. (31 pages)

Department of Defense Provides Government Contractors Grace Period for Compliance with Key Cybersecurity Requirements
National Law Review, January 4, 2016
The Pentagon is giving military contractors an 18-month extension to comply with certain cybersecurity requirements in the Defense Federal Acquisition Regulation Supplement (DFARS). The decision to allow contractors a grace period was made following public comments in December 2015.

National Guard Set to Activate Additional Cyber Units
U.S. Army, December 9, 2015
The National Guard announced plans to activate 13 additional cyber units spread throughout 23 states by the end of FY2019. Seven new Army Guard cyber protection teams, or CPTs, will be activated across Alabama, Arkansas, Colorado, Illinois, Kentucky, Louisiana, Minnesota, Mississippi, Missouri, Nebraska, New Jersey, New York, North Dakota, South Dakota, Tennessee, Texas, Utah, and Wisconsin. They join four previously announced Army Guard CPTs spread across California, Georgia, Indiana, Maryland, Michigan, and Ohio.

Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities
DOD Chief Information Officer, October 2, 2015
DOD is revising its DoD-DIB Cybersecurity (CS) Activities regulation to mandate reporting of cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor's ability to provide operationally critical support, and modify eligibility criteria to permit greater participation in the voluntary DoD-DIB CS information sharing program. (8 pages)


Cyber Security DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued From August 1, 2014, Through July 31, 2015
DOD Office of Inspector General (OIG), September 25, 2015
In the span of one year, the Pentagon addressed fewer than half of the recommendations to shore up cyber vulnerabilities identified by its OIG. The Defense Department addressed 93 of 229 cyber recommendations made by the OIG between August 1, 2014, and July 31, 2015, according to a summary of a new audit released by the IG's office. DOD left the majority of recommendations—136—unresolved.

Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services
DOD, August 26, 2015
DOD is issuing an interim rule amending DFARS to implement a section of the National Defense Authorization Act for Fiscal Year 2013 and a section of the National Defense Authorization Act for Fiscal Year 2015, both of which require contractor reporting on network penetrations. Additionally, this rule implements DOD's policy on the purchase of cloud computing services. (10 pages)

Insider Threats: DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems
Government Accountability Office (GAO), June 2, 2015
DOD components have identified technical and policy changes to help protect classified information and systems from future insider threats, but DOD is not consistently collecting this information to support management and oversight responsibilities. DOD has not identified a program office to oversee the insider-threat program. Without an office dedicated to oversight of insider-threat programs, DOD may not be able to ensure the collection of all needed information and could face challenges in establishing goals and in recommending resources and improvements to address insider threats. This is an unclassified version of a classified report GAO issued in April 2015. (55 pages)

The DOD Cyber Strategy
DOD, April 17, 2015
Deterrence is a key part of the new cyber strategy, which describes the department's contributions to a broader national set of capabilities to deter adversaries from conducting cyberattacks. The strategy sets five strategic goals and establishes specific objectives for DOD to achieve over the next five years and beyond. (42 pages)

Cyber Insurance: Managing Cyber Risk
Institute for Defense Analyses, April 2015
The paper provides an overview of the components of cyber insurance, discusses the role of the government, and examines specific implications to the Defense Department. (14 pages)

Excepted Service (DOD)
Office of Personnel Management (OPM), March 5, 2015
DOD is given authority to make permanent, time-limited, and temporary appointments not to exceed 3,000 positions that require unique cybersecurity skills and knowledge to perform cyber risk and strategic analysis, incident handling and malware/vulnerability analysis, program management, distributed control systems security, cyber incident response, cyber exercise facilitation and management, cyber vulnerability detection and assessment, network and systems engineering, enterprise architecture, investigative analysis, and cyber-related infrastructure interdependency analysis. (3 pages)


DOT&E FY 2014 Annual Report
DOD Office of the Director, Operational Test and Evaluation (OT&E), January 2015
A series of live fire tests of the military's computer network security in 2015 found many combatant commands could be compromised by low-to-middling-skilled hackers and might not be able to "fight through" in the face of enemy cyberattacks. The assessment echoes previous OT&E annual assessments, which routinely found that military services and combatant commands did not have a sufficiently robust security posture or training to repel sustained cyberattacks during battle. (91 pages)

A Review of the U.S. Navy Cyber Defense Capabilities: Abbreviated Version of a Classified Report
National Research Council (NRC), January 2015
The NRC appointed an expert committee to review the U.S. Navy's cyber defense capabilities. The Department of the Navy determined that the committee's final report is classified in its entirety under Executive Order 13526 and therefore cannot be made available to the public. A Review of U.S. Navy Cyber Defense Capabilities, the abbreviated report, provides background information on the full report and the committee that prepared it. (13 pages)

Training Cyber Warriors: What Can Be Learned from Defense Language Training?
RAND Corporation, January 2015
The study examines what the military services and national security agencies have done to train linguist personnel with skills in critical languages other than English and the kinds of language training provided to build and maintain this segment of the workforce. The study draws from published documents, research literature, and interviews of experts in both language and cyber. (97 pages)

DOD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process
DOD OIG, December 4, 2014
Report states that the DOD chief information officer "did not develop an implementation plan that assigned roles and responsibilities as well as associated tasks, resources and milestones," despite promises that an implementation plan would directly follow the cloud strategy's release. (40 pages)

Cyber Mission Analysis: Mission Analysis for Cyber Operations of Department of Defense
National Guard, August 21, 2014
The results of this analysis reflect DOD's current view of its requirements for successful conduct of cyberspace operations, leveraging a Total Force solution. DOD assesses there can be advantages to using reserve component (RC) resources for Cyber Mission Force (CMF) missions, such as providing load sharing with active duty forces, providing available surge capacity if authorized to activate, and maintaining DOD-trained forces to defend national critical infrastructure. (45 pages)

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation, and Appendix E: State-of-the-Art Resources (SOAR) Matrix (Excel spreadsheet)
Institute for Defense Analyses Report P-5061, July 2014
The paper assists DOD program managers and their staffs in making effective software assurance and software supply chain risk management decisions. It describes some key gaps identified in the course of the study, including difficulties in finding unknown malicious code, obtaining quantitative data, analyzing binaries without debug symbols, and obtaining assurance of development tools. Additional challenges were found in the mobile environment. (234 pages)

Military and Security Developments Involving the People's Republic of China 2013 (Annual Report to Congress)
DOD, May 6, 2013
China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense-industrial base sectors that support U.S. national defense programs. The information targeted could potentially be used to benefit China's defense industry, high-technology industries, policy-maker interest in U.S. leadership thinking on key China issues, and military planners building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis. (92 pages)

FY2012 Annual Report
DOD, January 2013
The annual report to Congress by J. Michael Gilmore, director of Operational Test and Evaluation, assesses the operational effectiveness of systems being developed for combat. See the Information Assurance (I/A) and Interoperability (IOP) chapter, pages 305-312, for information on network exploitation and compromise exercises. (372 pages)

Resilient Military Systems and the Advanced Cyber Threat
Department of Defense (DOD) Science Board, January 2013
The report states that, despite numerous Pentagon actions to parry sophisticated attacks by other countries, efforts are "fragmented" and DOD "is not prepared to defend against this threat." The report lays out a scenario in which cyberattacks in conjunction with conventional warfare damaged the ability of U.S. forces to respond, creating confusion on the battlefield and weakening traditional defenses. (146 pages)

Crisis and Escalation in Cyberspace
RAND Corporation, December 2012
The report considers how the Air Force should integrate kinetic and nonkinetic operations. Central to this process was careful consideration of how escalation options and risks should be treated, which, in turn, demanded a broader consideration across the entire crisis-management spectrum. Such crises can be managed by taking steps to reduce the incentives for other states to step into crisis, controlling the narrative, understanding the stability parameters of the crises, and trying to manage escalation if conflicts arise from crises. (200 pages)

Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight
GAO, July 9, 2012
DOD's oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective department-wide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources. (46 pages)

Cloud Computing Strategy
DOD, Chief Information Officer, July 2012
The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state, which is an agile, secure, and cost-effective service environment that can rapidly respond to changing mission needs. (44 pages)


DOD Information Security Program: Overview, Classification, and Declassification
DOD, February 24, 2012
Describes the DOD Information Security Program and provides guidance for classification and declassification of DOD information that requires protection in the interest of national security. (84 pages)

Cyber Sentries: Preparing Defenders to Win in a Contested Domain
Air War College, February 7, 2012
The paper examines the current impediments to effective cybersecurity workforce preparation and offers new concepts to create "Cyber Sentries" through realistic training, network authorities tied to certification, and ethical training. These actions present an opportunity to significantly enhance workforce quality and allow DOD to operate effectively in the contested cyber domain in accordance with the vision established in its Strategy for Cyberspace Operations. (38 pages)

Anomaly Detection at Multiple Scales (ADAMS)
Defense Advanced Research Projects Agency (DARPA), November 9, 2011
The report describes a system for preventing leaks by seeding believable disinformation in military information systems to help identify individuals attempting to access and disseminate classified information. (74 pages)

Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates
GAO, July 29, 2011
The letter discusses DOD's cyber and information assurance budget for FY2012 and future years' defense spending. The review's objectives were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department and (2) identify the challenges DOD has faced in providing such estimates. (33 pages)

Legal Reviews of Weapons and Cyber Capabilities
Secretary of the Air Force, July 27, 2011
Report concludes the Air Force must subject cyber capabilities to legal review for compliance with the Law of Armed Conflict and other international and domestic laws. The Air Force judge advocate general must ensure that all cyber capabilities "being developed, bought, built, modified, or otherwise acquired by the Air Force" undergo legal review—except for cyber capabilities within a Special Access Program, which must undergo review by the Air Force general counsel. (7 pages)

Department of Defense Strategy for Operating in Cyberspace
DOD, July 2011
An unclassified summary of DOD's cybersecurity strategy. (19 pages)

Defending a New Domain
Foreign Affairs, September/October 2010
In 2008, DOD suffered a significant compromise of its classified military computer networks when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East. The previously classified incident was the most significant breach of U.S. military computers ever and served as an important wake-up call.

Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems
GAO, September 15, 2010
OMB and NIST established policies and guidance for civilian non-national security systems, and other organizations, including the Committee on National Security Systems (CNSS), DOD, and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO assessed the progress of federal efforts to harmonize policies and guidance for these two types of systems. (38 pages)

Computer Attacks at Department of Defense Pose Increasing Risk
GAO, May 1996
Defense Information Systems Agency (DISA) estimates indicate that DOD may have been attacked as many as 250,000 times in 1995. However, the exact number is not known because, according to DISA, only about 1 in 150 attacks is actually detected and reported. In addition, in testing its systems, DISA attacks and successfully penetrates DOD systems 65% of the time. (48 pages)

Source: Highlights compiled by CRS from the reports.

Note: Entries with page counts are documents; other cited resources are web pages.

Table 9. National Institute of Standards and Technology (NIST)

(includes selected NIST standards, guidance, Special Publications (SP), and grants)

Title Date Notes

Computer Security Division, Computer Security Resource Center
Continuously Updated
Compilation of laws, regulations, and directives from 2000 to 2007 that govern the creation and implementation of federal information security practices. These laws and regulations provide an infrastructure for overseeing implementation of required practices and charge NIST with developing and issuing standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act (FISMA) of 2002 and in managing cost-effective programs to protect their information and information systems.

Computer Security Portal
Continuously Updated
The portal covers electronic mail, Federal Information Processing Standards (FIPS), and Threats and Vulnerabilities.

Security and Privacy Controls for Information Systems and Organizations
August 2017
This publication provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks. (494 pages)

Digital Identity Guidelines: Authentication and Lifecycle Management
June 2017
NIST is overhauling password guidelines. One revised recommendation is that IT departments should only force a password change when there's been a security breach. Another recommendation is to favor long phrases, rather than short passwords with special characters. There should no longer be a requirement to have a certain mix of special characters, upper case letters, and numbers for a password. (78 pages)

Guide for Cybersecurity Event Recovery
December 2016
This publication provides tactical and strategic guidance regarding the planning, playbook developing, testing, and improvement of recovery planning. It also provides an example scenario that demonstrates guidance and informative metrics that may be helpful for improving resilience of information systems. (53 pages)


Domain Name Systems-Based Electronic Mail Security (NIST Cybersecurity Practice Guide)
November 2, 2016
The draft guide demonstrates how commercially available technologies can help email service providers improve the security of email communications. The practical, user-friendly guide shows members of the information security community how to implement example solutions intended to help them align more easily with relevant standards and best practices.

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
November 2016
NIST formally unveiled its guidelines for increasing the security of internet-connected devices. The guide provides security guidelines for 30 different processes involved with managing internet-connected devices, from the supply phase to testing. (257 pages)

NIST Announces the release of 3 DRAFT NISTIRs (NIST Internal Reports)
October 4, 2016
(1) Draft NISTIR 8151, Dramatically Reducing Software Vulnerabilities: Report to the White House Office of Science and Technology Policy;
(2) Draft NISTIR 8149, Developing Trust Frameworks to Support Identity Federations; and
(3) Draft NISTIR 8138, Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities.

Assessing Threats to Mobile Devices & Infrastructure: The Mobile Threat Catalogue
September 2016
NIST's "mobile threat catalogue" sketches out parts of a mobile device strategy that need special attention, including securing physical access to smartphones and tablets, as well as authenticating who is using the device with passwords, fingerprints, or voice recognition. "[M]obile device components are under constant development and are sourced from tens of thousands of original equipment manufacturers." Firmware could contain its own vulnerabilities, and "can increase the overall attack surface of the mobile device." (50 pages)

Cybersecurity Risk Assessment Tool (Baldrige Cybersecurity Excellence Builder)
September 2016
The Baldrige Cybersecurity Excellence Builder is intended to help organizations ensure that their cybersecurity systems and processes support the enterprises' larger organizational activities and functions. The tool "is not a one-size-fits-all approach. It is adaptable and scalable to your organization's needs, goals, capabilities, and environment. It does not prescribe how you should structure your organization's cybersecurity policies and operations. Through interrelated sets of open-ended questions, it encourages you to use the approaches that best fit your organization." (35 pages)

Two Cybersecurity Standards Come Together to Help Organizations Quantify and Prioritize Risk
August 11, 2016
NIST and FAIR are working together to help companies and government entities use and implement the organizations' frameworks to mitigate cybersecurity risk in the most economical way. According to a FAIR Institute blog post, FAIR and NIST are fundamentally different but complementary frameworks. NIST assesses the maturity level of cybersecurity risks by providing a list of good practices, and FAIR assesses the amount of risk and the activities that should be prioritized by an organization.

DRAFT NIST Special Publication 800-63B Digital Authentication Guideline
August 3, 2016
In an update to its Digital Authentication Guidelines, NIST calls for phasing out two-factor authentication via SMS messaging, saying that the method does not offer adequate security. The guidance applies to government service providers.

Network of 'Things'
July 28, 2016
The publication provides a basic model aimed at helping researchers better understand the Internet of Things (IoT) and its security challenges. The Network of Things (NoT) model is based on four fundamentals at the heart of IoT: sensing, computing, communication, and actuation. The model's five building blocks, called primitives, are core components of distributed systems. They provide a vocabulary to compare different NoTs that can be used to aid understanding of IoTs. (30 pages)

NIST 'RAMPS' Up Cybersecurity Education and Workforce Development With New Grants
May 12, 2016
NIST is offering up to $1 million in grants to establish up to eight Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development. Applicants must be nonprofit organizations, including institutions of higher education, located in the United States or its territories. Applicants must also demonstrate through letters of interest that at least one of each of the following types of organizations is interested in being part of the proposed regional alliance: K-12 school or Local Education Agency (LEA), institution of higher education or college/university system, and a local employer.

NIST seeking comments on the Framework for Improving Critical Infrastructure Cybersecurity
December 11, 2015
In this Request for Information (RFI), NIST requests information about the variety of ways in which the Framework is being used to improve cybersecurity risk management, how best practices for using the Framework are being shared, the relative value of different parts of the Framework, the possible need for an update of the Framework, and options for the long-term governance of the Framework. (3 pages)

Pilot Projects to Improve Cybersecurity, Reduce Online Theft
September 21, 2015
NIST is awarding $3.7 million to support three pilot programs that aim to make online transactions for health care, government services, transportation, and the Internet of Things (IoT) more secure and private. This is the fourth round of grants given to support the NSTIC effort, which was launched in 2011 by the Obama Administration to encourage secure, efficient, easy-to-use, and interoperable identity credentials for online use.

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (SP 800-171)
June 2015
SP 800-171 is a final draft of security controls for federal contractors to follow when handling a class of data known as "controlled unclassified information." The document will become a formal requirement for government contractors in 2016 through an anticipated update to federal acquisition regulations. Controlled unclassified information is an umbrella term for a wide range of data that includes personally identifiable information, financial transactions, and geospatial images. (76 pages)

Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (SP 800-53A, rev. 4)
December 12, 2014
The publication provides organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate, which will contribute to systems that are more resilient in the face of cyberattacks and other threats. This "Build It Right" strategy is coupled with a variety of security controls for continuous monitoring to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions. (487 pages)

NIST/NCCoE Establishment of a Federally Funded Research and Development Center
September 22, 2014
The MITRE Corporation was awarded NIST's cybersecurity Federally Funded Research and Development Center (FFRDC) contract worth up to $5 billion over five years. MITRE already operates six individual FFRDCs for agencies including the DOD and the Federal Aviation Administration (FAA). It is also active in cybersecurity, managing the Common Vulnerabilities and Exposures database, which catalogues software security flaws. In addition, it developed specifications for the Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) under DHS contract.

Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems
May 13, 2014
NIST launched a four-stage process to develop detailed guidelines for "systems security engineering," adapting a set of widely used international standards for systems and software engineering to the specific needs of security engineering. The agency released the first set of those guidelines for public comment in a draft document. (121 pages)

Memorandum of Understanding (MOU)
December 2, 2010
The MOU, signed by NIST, DHS, and the Financial Services Sector Coordinating Council, formalized the parties' intent to expedite the coordinated development and availability of collaborative research, development, and testing activities for cybersecurity technologies and processes based upon the financial services sector's needs. (4 pages)

Source: Highlights compiled by CRS from the reports.

Note: Entries with page counts are documents; other cited resources are web pages.

Author Contact Information

Rita Tehan, Senior Research Librarian ([email protected], 7-6739)