Cybersecurity: Federal Government Authoritative Reports and Resources
October 13, 2016 (R44427)

Contents

Introduction

Tables
Table 1. Federal Government: Overview Reports and Resources
Table 2. Federal Acquisitions Rules and Federal Contractors
Table 3. Agency Audits and Evaluations
Table 4. Federal Workforce
Table 5. White House and Office of Management and Budget
Table 6. Cybersecurity Framework (NIST) and Information Sharing
Table 7. Department of Homeland Security (DHS)
Table 8. Department of Defense (DOD)
Table 9. National Institute of Standards and Technology (NIST)

Summary

This report serves as a starting point for congressional staff assigned to cover cybersecurity issues related to federal and military government activities. Much is written by and about the federal government's efforts to address cybersecurity policy challenges, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources related to

Table 1, overview reports;
Table 2, federal acquisitions rules and federal contractors;
Table 3, federal agency audits and evaluations, including Government Accountability Office (GAO);
Table 4, federal workforce;
Table 5, White House and Office of Management and Budget (OMB);
Table 6, cybersecurity framework and information sharing;
Table 7, Department of Homeland Security (DHS);
Table 8, Department of Defense (DOD); and
Table 9, National Institute of Standards and Technology (NIST).

The following CRS reports comprise a series that compiles authoritative reports and resources on these additional cybersecurity topics:


CRS Report R44405, Cybersecurity: Overview Reports and Links to Government, News, and Related Resources, by [author name scrubbed]
CRS Report R44406, Cybersecurity: Education, Training, and R&D Authoritative Reports and Resources, by [author name scrubbed]
CRS Report R44408, Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources, by [author name scrubbed]
CRS Report R44410, Cybersecurity: Critical Infrastructure Authoritative Reports and Resources, by [author name scrubbed]
CRS Report R44417, Cybersecurity: State, Local, and International Authoritative Reports and Resources, by [author name scrubbed]
CRS Report R43310, Cybersecurity: Data, Statistics, and Glossaries, by [author name scrubbed]
CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by [author name scrubbed]

For access to additional CRS reports and other resources, see the Cybersecurity Issue Page at http://www.crs.gov.

Cybersecurity: Federal Government Authoritative Reports and Resources

Introduction

This report serves as a starting point for congressional staff assigned to cover cybersecurity issues related to federal and military agency activities. Much is written by and about the federal government's efforts to address cybersecurity policy and practical challenges, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources related to

Table 1, overview reports;
Table 2, federal acquisitions rules and federal contractors;
Table 3, federal agency audits and evaluations, including Government Accountability Office (GAO);
Table 4, federal workforce;
Table 5, White House and Office of Management and Budget (OMB);
Table 6, cybersecurity framework and information sharing;
Table 7, Department of Homeland Security (DHS);
Table 8, Department of Defense (DOD); and
Table 9, National Institute of Standards and Technology (NIST).

Table 1. Federal Government: Overview Reports and Resources

Title: GAO reports on cybersecurity
Source: GAO
Date: Continuously Updated
Notes: A list of five "Key Reports," and dozens of other cybersecurity reports by GAO.

Title: National Strategy for Trusted Identities in Cyberspace (NSTIC)
Source: National Institute of Standards and Technology (NIST)
Date: Continuously Updated
Notes: The NSTIC pilot projects seek to catalyze a marketplace of online identity solutions that ensures the envisioned Identity Ecosystem is trustworthy and reliable. Using privacy-enhancing architectures in real-world environments, the pilots are testing new methods for online identification for consumers that increase usability, security, and interoperability to safeguard online transactions.

Title: Federal cybersecurity initiatives timeline - Draft 1.b
Source: Center for Strategic and International Studies (CSIS)
Date: Continuously Updated
Notes: A timeline of presidential and congressional cybersecurity initiatives from 1998 to the present.

Title: Cyber-Related Sanctions Regulations
Source: Office of Foreign Assets Control of the U.S. Department of the Treasury (OFAC)
Date: December 31, 2015
Notes: OFAC is issuing regulations to implement Executive Order 13694, "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities," April 1, 2015. OFAC intends to supplement this part 578 with a more comprehensive set of regulations, which may include additional interpretive and definitional guidance and additional general licenses and statements of licensing policy. (8 pages)

Title: Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem
Source: National Telecommunications and Information Administration (NTIA)
Date: June 1, 2015
Notes: Public comments to the NTIA regarding its new voluntary cybersecurity project point to three main areas of industry and researcher concern: (1) the Internet of Things, (2) vulnerability disclosure, and (3) malware.

Title: 2016 Internet Security Threat Report | Government
Source: Symantec
Date: April 13, 2016
Notes: Public-sector data breaches exposed some 28 million identities in 2015, but hackers were responsible for only one-third of those compromises, according to new research. Negligence was behind nearly two-thirds of the exposed identities through government agencies. In total, the report suggests 21 million identities were compromised accidentally, compared with 6 million by hackers.

Title: Formation of the Office of Technology Research and Investigation (OTRI)
Source: Federal Trade Commission (FTC)
Date: March 23, 2015
Notes: The OTRI will provide expert research, investigative techniques, and further insights to the agency on technology issues involving all facets of the FTC's consumer protection mission, including privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.

Title: Stakeholder Engagement on Cybersecurity in the Digital Ecosystem
Source: NTIA
Date: March 19, 2015
Notes: "The Internet Policy Task Force (IPTF) is requesting comment to identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers. The IPTF invites public comment on these issues from all stakeholders with an interest in cybersecurity, including the commercial, academic, and civil society sectors, and from relevant federal, state, local, and tribal entities." (4 pages)

Title: Federal Incident Reporting Guidelines
Source: United States Computer Emergency Readiness Team (US-CERT)
Date: October 1, 2014
Notes: The guidance instructs federal agencies to classify incidents according to their impacts rather than by categories of attack methods. It modifies a 2007 requirement for agencies to report to US-CERT within an hour any incident involving the loss of personally identifiable information (PII). Rather, agencies should notify US-CERT of a confirmed cyber incident within one hour of it reaching the attention of an agency's security operations center or IT department. The Office of Management and Budget (OMB) said in a concurrently released memo that nonelectronic losses of PII must also be reported within an hour of a confirmed breach but should be reported to the agency privacy office rather than US-CERT. (10 pages)

Title: Measuring What Matters: Reducing Risks by Rethinking How We Evaluate Cybersecurity
Source: National Academy of Public Administration and Safegov.org
Date: March 2013
Notes: Federal agencies and their inspectors general should keep running scorecards of "cyber risk indicators" based on continual information governance assessments of their organization's cyber vulnerabilities, rather than periodically auditing whether an agency's systems meet the standards enumerated in the Federal Information Security Management Act (FISMA) at a static moment in time. (39 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are documents; other cited resources are web pages.

Table 2. Federal Acquisitions Rules and Federal Contractors

(including regulations, guidance documents, and audit reports)

Title: Cybersecurity Services
Source: General Services Administration (GSA)
Date: April 11, 2016
Notes: GSA's Federal Acquisition Service (FAS) Office of Integrated Technology Services (ITS) is conducting business channel research to gain an enhanced understanding of what agencies' needs are, what solutions currently exist, and what role GSA can play in improving the ability of agencies to procure the suite of cybersecurity services. This information will help GSA identify current offerings available, improve the visibility of those offerings, and determine gaps that need to be filled.

Title: Fiscal Year 2015 Top Management Challenges
Source: Office of Personnel Management (OPM), Office of Inspector General (OIG)
Date: October 30, 2015
Notes: See Internal Challenges section (pp. 10-19) for a discussion of challenges related to information technology, improper payments, the retirement claims process, and the procurement process. Officials in OPM's Office of Procurement Operations violated the Federal Acquisition Regulation and the agency's own policies in awarding a $20.7 million contract to provide credit monitoring and ID theft services. Investigators turned up "significant deficiencies" in the process of awarding the contract to Winvale Group and its subcontractor CSID. (22 pages)

Title: Improving Cybersecurity Protections in Federal Acquisitions Public Comment Space
Source: Office of Management and Budget (OMB)
Date: August 10, 2015
Notes: OMB proposed that agencies make private-sector adherence to cybersecurity controls a contractual requirement. It also proposed that contractors operating systems on behalf of federal agencies earn an official approval known as an "Authority to Operate," and that vendors implement a program of continuous monitoring. Also, under an existing policy, security controls for the private-sector handling of "controlled unclassified information" will become mandatory for civilian agency contractors in 2016.

Title: Request for Comments on Improving Cybersecurity Protections in Federal Acquisitions
Source: OMB
Date: July 30, 2015
Notes: OMB's Office of E-Government & Information Technology (E-Gov) is seeking public comment on draft guidance to improve cybersecurity protections in federal acquisitions. The increase in threats facing federal information systems demands that certain issues regarding the security of information on these systems be clearly, effectively, and consistently addressed in federal contracts. (1 page)

Title: Information Security: Agencies Need to Improve Oversight of Contractor Controls
Source: Government Accountability Office (GAO)
Date: September 8, 2014
Notes: Although the six federal agencies—the Departments of Energy, Homeland Security, State, and Transportation; the Environmental Protection Agency; and the Office of Personnel Management—that GAO reviewed generally established security and privacy requirements and planned effectiveness assessments of contractor implementation of controls, five of the six agencies were inconsistent in overseeing the execution and review of those assessments, resulting in security lapses. For example, in one agency, testing did not discover that background checks of contractor employees were not conducted. (43 pages)

Title: Cybersecurity for Government Contractors
Source: Robert Nichols et al., West Briefing Papers
Date: April 2014
Notes: The briefing paper presents a summary of the key legal issues and evolving compliance obligations that contractors now face in the federal cybersecurity landscape. It provides an overview of the most prevalent types of cyberattacks and targets and the federal cybersecurity budget; outlines the current federal cybersecurity legal requirements applicable to government contractors, including statutory and regulatory requirements, the President's 2013 cybersecurity executive order, and the resulting "cybersecurity framework" issued by NIST in February 2014; highlights further expected developments; and identifies and discusses the real-world legal risks that contractors face when confronting cyberattacks and addresses the availability of possible liability backstops in the face of such attacks. (28 pages)

Title: Improving Cybersecurity and Resilience through Acquisition
Source: Department of Defense (DOD) and the GSA
Date: January 23, 2014
Notes: DOD and GSA jointly released a report announcing six planned reforms to improve the cybersecurity and resilience of the Federal Acquisition System. The report provides a path forward to aligning federal cybersecurity risk management and acquisition processes. It provides strategic recommendations for addressing relevant issues, suggests how challenges might be resolved, and identifies important considerations for the implementation of the recommendations. (24 pages)

Title: Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information
Source: DOD
Date: November 18, 2013
Notes: The regulation imposed two new requirements: (1) an obligation on contractors to provide adequate security to safeguard unclassified controlled technical information (UCTI) and (2) contractors' obligation to report cyber incidents that affect UCTI to contracting officers. In both obligations, UCTI is defined as "technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination." This is the first time DOD has imposed specific requirements for cybersecurity that are generally applicable to all contractors. (10 pages)

Title: Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition, Notice of Request for Information
Source: GSA
Date: May 13, 2013
Notes: Among other things, Presidential Policy Directive-21 requires GSA, in consultation with DOD and the Department of Homeland Security (DHS), to jointly provide and support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for the security and resilience of critical infrastructure. (3 pages)

Title: Basic Safeguarding of Contractor Information Systems (Proposed Rule)
Source: DOD, GSA, and National Aeronautics and Space Administration (NASA)
Date: August 24, 2012
Notes: This regulation, authored by DOD, GSA, and NASA, "would add a contract clause to address requirements for the basic safeguarding of contractor information systems that contain or process information provided by or generated for the government (other than public information)." (4 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are documents; other cited resources are web pages.

Table 3. Agency Audits and Evaluations

(reports evaluating agency cybersecurity programs, excluding DHS and DOD; see Tables 7 and 8 below)

Title Source Date NotesGAO reports oncybersecurity GAO Continuously

UpdatedA list of five"Key Reports," and dozens of othercybersecurity reports by GAO.

Pulse: How FederalGovernmentDomains areMeeting BestPractices on the Web

GeneralServicesAdministration(GSA)

ContinuouslyUpdated

Pulse.cio.gov is a public dashboard that displays howwell all federal domains are performing in accordancewith government-wide web policy requirements and bestpractices. The first release of Pulse covers two areas offederal web policy—Secure Hypertext TransferProtocol (HTTPS) and the Digital Analytics Program(DAP).The FDA did not fully or consistently implement access

Page 7: Cybersecurity: Federal Government Authoritative Reports and … · 2016-11-09 · Cybersecurity: Federal Government Authoritative Reports and Resources October 13, 2016 (R44427) Jump

FDA Needs toRectify ControlWeaknesses ThatPlace Industry andPublic Health Dataat Risk

GAO September29, 2016

controls, which are intended to prevent, limit, and detectunauthorized access to computing resources.Specifically, FDA did not always (1) adequately protectthe boundaries of its network, (2) consistently identifyand authenticate system users, (3) limit users' access toonly what was required to perform their duties, (4)encrypt sensitive data, (5) consistently audit and monitorsystem activity, and (6) conduct physical securityreviews of its facilities. (59 pages)

Federal InformationSecurity: ActionsNeeded to AddressChallenges

GAO September19, 2016

Cyber incidents affecting federal agencies havecontinued to grow, increasing about 1,300% fromFY2006 to FY2015. Several laws and policies establish aframework for the federal government's informationsecurity and assign implementation and oversightresponsibilities to key federal entities, including theOffice of Management and Budget (OMB), executivebranch agencies, and the Department of HomelandSecurity (DHS). However, implementation of thisframework has been inconsistent, and additional actionsare needed. (17 pages)

HHS Needs toStrengthen Securityand PrivacyGuidance andOversight

GAO August 1,2016

In 2015, 113 million electronic health records werebreached, a major leap over the 12.5 million the yearbefore. In 2009, the number was less than 135,000. Thenumber of reported hacks and breaches affecting recordsof at least 500 individuals rose from none in 2009 to 56last year, almost double from 2014.

Work Plan: Status ofAudit andEvaluation Projects

FederalReserve Officeof InspectorGeneral

July 8, 2016

The growing sophistication and volume of cybersecuritythreats presents a serious risk to all financial institutions.The report reviews how the Federal Reserve System'sexamination process has evolved and whether it isproviding adequate oversight of financial institutions'information security controls and cybersecurity threats.The Fed has already developed guidance for banks "todefine expectations for information security and databreach management." Now the watchdog agency willreview how—and if—banks are complying with thatguidance. (43 pages; see pp. 4-5)

FDIC ImplementedControls overFinancial Systems,but FurtherImprovements areNeeded

GAO June 29,2016

As part of its audit of the 2015 financial statements ofthe Deposit Insurance Fund and the Federal Savings andLoan Insurance Corporation Resolution Fundadministered by FDIC, GAO assessed the effectivenessof the corporation's controls in protecting theconfidentiality, integrity, and availability of its financialsystems and information. To do so, GAO examinedsecurity policies, procedures, reports, and otherdocuments; tested controls over key financialapplications; and interviewed FDIC personnel. (29pages)Federal systems categorized as high impact—those that

Page 8: Cybersecurity: Federal Government Authoritative Reports and … · 2016-11-09 · Cybersecurity: Federal Government Authoritative Reports and Resources October 13, 2016 (R44427) Jump

Agencies Need toImprove Controlsover Selected High-Impact Systems

GAO June 21,2016

hold sensitive information, the loss of which could causeindividuals, the government, or the nation catastrophicharm—warrant increased security to protect them. Inthis report, GAO (1) describes the extent to whichagencies have identified cyber threats and have reportedincidents involving high-impact systems, (2) identifiesgovernment-wide guidance and efforts to protect thesesystems, and (3) assesses the effectiveness of controls toprotect selected high-impact systems at federal agencies.To do this, GAO surveyed 24 federal agencies; examinedfederal policies, standards, guidelines and reports; andinterviewed agency officials (94 pages)

Management Report:Areas forImprovement in theFederal ReserveBanks' InformationSystems Controls

GAO June 6, 2016

The report presents the deficiencies identified duringGAO's FY2015 testing of information systems controlsover key financial systems maintained and operated byFederal Reserve Banks on behalf of Treasury that arerelevant to the Schedule of Federal Debt. The report alsoincludes the results of GAO's FY2015 follow-up on thestatus of FRBs' corrective actions to address informationsystems control-related deficiencies and associatedrecommendations contained in GAO's prior years'reports that were open as of September 30, 2014. (9pages)

Federal AgenciesNeed to AddressAging LegacySystems

GAO May 26,2016

GAO is making 16 recommendations, one of which isfor OMB to develop a goal for its spending measure andfinalize draft guidance to identify and prioritize legacyIT needing to be modernized or replaced. GAO is alsorecommending that selected agencies address at-risk andobsolete legacy O&M investments. (87 pages)

Second InterimStatus Report on theU.S. Office ofPersonnelManagement's(OPM)InfrastructureImprovement Project– Major ITBusiness Case

OPM May 18,2016

The report finds that funding for the troubled IT securityupgrades project remains an issue in part because of poorplanning by the agency. The inspector general finds thatthe agency still lacks a "realistic budget" for the massiveupgrade. (12 pages)

Polar WeatherSatellites: NOAA IsWorking to EnsureContinuity butNeeds to QuicklyAddress InformationSecurity Weaknessesand Future Program

GAO May 17,2016

Although the National Oceanic and AtmosphericAdministration (NOAA) established information securitypolicies in key areas recommended by the NationalInstitute of Standards and Technology, the Joint PolarSatellite System (JPSS) program has not yet fullyimplemented them. Specifically, the program categorizedthe JPSS ground system as a high-impact system andselected and implemented multiple relevant securitycontrols. However, the program has not yet fullyimplemented almost half of the recommended securitycontrols, did not have all of the information it needed

Page 9: Cybersecurity: Federal Government Authoritative Reports and … · 2016-11-09 · Cybersecurity: Federal Government Authoritative Reports and Resources October 13, 2016 (R44427) Jump

Uncertainties when assessing security controls, and has not addressedkey vulnerabilities in a timely manner. Until NOAAaddresses these weaknesses, the JPSS ground systemremains at high risk of compromise. (70 pages)

Management AlertReport: GSA DataBreach

GeneralServicesAdministrationOffice ofInspectorGeneral

May 12,2016

The inspector general of the General ServicesAdministration said the 18F tech squad should stop usingSlack after the group messaging app was linked to aninternal data breach. As part of an audit report, the IGfound that 18F's configuration of Slack had allowedaccess to more than 100 Google Drive accounts insidethe agency, resulting in a data breach that potentiallyexposed "sensitive content" like personal information.According to the report, a supervisor said the issue hasbeen fixed, but the IG said 18F "should cease usingSlack" until it's approved as a "standard product" underagency rules. (4 pages)

InformationSecurity:Opportunities Existfor SEC to ImproveIts Controls overFinancial Systemsand Data

GAO April 28,2016

The report details weaknesses GAO identified in theinformation security program at SEC during its audit ofthe commission's FY2015 and FY2014 financialstatements. GAO's objective was to determine theeffectiveness of information security controls forprotecting the confidentiality, integrity, and availabilityof SEC's key financial systems and information. To dothis, GAO examined information security policies, plans,and procedures; tested controls over key financialapplications; interviewed agency officials; and assessedcorrective actions taken to address previously reportedweaknesses. (26 pages)

Final Memorandum,Review of NASA'sInformation SecurityProgram

NationalAeronauticsand SpaceAdministration

April 14,2016

Although NASA has made progress in meetingrequirements in support of an agency-wide informationsecurity program, it has not fully implemented keymanagement controls essential to managing thatprogram. Specifically, NASA lacks an agency-wide riskmanagement framework for information security andinformation security architecture. (17 pages)

InformationSecurity: IRS Needsto Further EnhanceControls overTaxpayer andFinancial Data

GAO April 14,2016

The statement discusses (1) IRS's information securitycontrols over tax processing and financial systems and(2) roles that federal agencies with government-wideinformation security responsibilities play in providingguidance and oversight to agencies. The statement isbased on previously published GAO work and a reviewof federal guidance. (22 pages)

VehicleCybersecurity: DOTand Industry HaveEfforts Under Way,but DOT Needs to GAO March 24,

2016

The report addresses, among other things, (1) availableinformation about the key cybersecurity vulnerabilitiesin modern vehicles that could impact passenger safety;(2) key practices and technologies, if any, available tomitigate vehicle cybersecurity vulnerabilities and theimpacts of potential attacks; (3) views of selectedstakeholders on challenges they face related to vehicle

Page 10: Cybersecurity: Federal Government Authoritative Reports and … · 2016-11-09 · Cybersecurity: Federal Government Authoritative Reports and Resources October 13, 2016 (R44427) Jump

Define Its Role inResponding to aReal-world Attack

cybersecurity and industry-led efforts to address vehiclecybersecurity; and (4) DOT efforts to address vehiclecybersecurity. (61 pages)

Healthcare.gov:Actions Needed toEnhance InformationSecurity and PrivacyControls

GAO March 23,2016

GAO was asked to review security issues related to thedata hub, and CMS oversight of state-basedmarketplaces. Its objectives were to (1) describe securityand privacy incidents reported for Healthcare.gov andrelated systems, (2) assess the effectiveness of securitycontrols for the data hub, and (3) assess CMS oversightof state-based marketplaces and the security of selectedstate-based marketplaces. GAO reviewed incident data,analyzed networks and controls, reviewed policies andprocedures, and interviewed CMS and marketplaceofficials. (55 pages)

Audit of the EPA'scompliance with themandated "InspectorGeneral Report orPersonallyIdentifiableInformation

EPA March 14,2016

EPA's inspector general's office said it will "determine towhat extent the EPA implemented information systemsecurity policies and procedures to protect agencysystems" under cybersecurity provisions contained in the2015 omnibus spending package (P.L. 114-113). The IGwill examine the Office of Administrative ServicesInformation System, which contains a wealth ofemployee personal information to facilitate agencyadministration, and the Superfund Cost RecoveryPackage Imaging Online System, which is used to detailgovernment and contractor expenses related toSuperfund cleanup. (8 pages)

Assessing the FDA'sCybersecurityGuidelines forMedical DeviceManufacturers: WhySubtle "Suggestions"May Not Be Enough

Institute forCriticalInfrastructureTechnology

February 15,2016

The guidance advises medical device manufacturers toaddress cybersecurity "throughout a product's lifecycle"and is the latest action by the FDA that underscores itsposition that medical device cybersecurity is a priorityfor the health sector. However, despite the implied senseof urgency, the FDA has chosen not to implementenforceable regulations over medical devicemanufacturers. This examination of the FDA's'suggestions' provides a concise summary of the draftguidance as well as recommendations for the healthcarecommunity. (9 pages)

FY2015 FederalInformation SecurityModernization ActReport: Status ofCSB's InformationSecurity Program

EPA Office ofInspectorGeneral

January 27,2016

The Chemical Safety Board, the government board that investigates industrial chemical accidents, does not keep track of computer systems it has outsourced to contractors, which could jeopardize information confidentiality. The audit criticizes the board for lacking a complete catalog of contractor-run systems, as well as databases maintained by other federal agencies. Data applications running in the cloud also have not been inventoried. (30 pages)

The Way Forward for Federal Background Investigations

FBI

January 22, 2016

The Obama Administration is creating a new organization within the Office of Personnel Management to handle background investigations, in its latest response to last year's revelations that hackers had pilfered highly sensitive documents on 22 million Americans. The new organization, the National Background Investigations Bureau, will be headed by a presidential appointee and will have a "considerable amount of operational autonomy." The technology systems will be "designed, built, secured, and operated" by the Defense Department.

Audit of NRC's Network Security Operations Center

Nuclear Regulatory Commission (NRC), Office of the Inspector General

January 11, 2016

According to the audit, security contracts related to unclassified nuclear computer systems do not specify who is responsible for protecting them from attacks. The NRC's Security Operations Center (SOC) is not "optimized to protect the agency's network in the current cyber threat environment." The report did not examine classified NRC networks. (18 pages)

DOT&E FY2015 Annual Report (Cybersecurity excerpt; full report also available)

DOD Office of the Director, Operational Test and Evaluation

January 2016

Despite some key improvements from the previous fiscal year, Defense Department missions and systems remain vulnerable to hacking. Cyber testing teams deployed on DOD networks were "frequently in a position to deliver cyber effects that could degrade the performance of operational missions." (8 pages)

Critical Infrastructure Protection: Measures Needed to Assess Agencies' Promotion of the Cybersecurity Framework

GAO December 17, 2015

The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the cybersecurity standards and procedures developed by the National Institute of Standards and Technology (NIST). The report determines the extent to which (1) NIST facilitated the development of voluntary cybersecurity standards and procedures and (2) federal agencies promoted these standards and procedures. GAO examined NIST's efforts to develop standards, surveyed a non-generalizable sample of critical infrastructure stakeholders, reviewed agency documentation, and interviewed relevant officials. (48 pages)

Semiannual Report to the Congress: April 1, 2015 to September 30, 2015

Department of State, Office of Inspector General (OIG)

December 9, 2015

Between April and September 2015, a number of cybersecurity incidents illustrated deficiencies in the way State Department personnel went about protecting networks. Malicious actors exploited vulnerabilities, compromised sensitive information, and caused significant downtime to normal business operations. (99 pages)

Department of Education and Other Federal Agencies Need to Better Implement Controls

GAO November 17, 2015

Since 1997, GAO has identified federal information security as a government-wide high-risk area, and in February 2015, expanded this to include protecting the privacy of personally identifiable information (PII). This statement provides information on cyber threats facing federal systems and information security weaknesses identified at federal agencies, including the Department of Education. (27 pages)


Federal Agencies Need to Better Protect Sensitive Data

GAO November 17, 2015

Over the past six years, GAO has made about 2,000 recommendations to improve information security programs and associated security controls. Agencies have implemented about 58% of these recommendations. Further, agency inspectors general have made a multitude of recommendations to assist their agencies. (22 pages)

Implementation of Reform Legislation Needed to Improve Acquisitions and Operations

GAO November 4, 2015

The law commonly known as the Federal Information Technology Acquisition Reform Act (FITARA) was enacted in December 2014 and aims to improve federal information technology (IT) acquisition and operations. As GAO previously reported, underperformance of federal IT projects can be traced to a lack of disciplined and effective management and inadequate executive-level oversight. Last year, GAO added improving the management of IT acquisitions and operations to its high-risk list—a list of agencies and program areas that are high risk due to their vulnerabilities to fraud, waste, abuse, and mismanagement, or are most in need of transformation. (21 pages)

Inspector General's Statement Summarizing the Major Management and Performance Challenges Facing the U.S. Department of the Interior

Department of the Interior (DOI), OIG

November 2015

Networks at the Department of the Interior (DOI) were breached (nearly 20 times) over the past several years. An OIG report states, "hackers and foreign intelligence services have compromised DOI's computer networks by exploiting vulnerabilities in publicly accessible systems ... result[ing] in the loss of sensitive data and disruption of bureau operations." (Discussion of breaches starts on page 23.) (72 pages)

High-Risk Security Vulnerabilities Identified During Reviews of Information System General Controls at Three California Managed-Care Organizations Raise Concerns About the Integrity of Systems Used To Process Medicaid Claims

Health and Human Services (HHS), OIG

November 2015

Federal auditors found 74 high-risk security vulnerabilities in the IT systems of three California Medicaid managed-care organizations. The OIG found that most of these security vulnerabilities were "significant and pervasive" and potentially put Medicaid claims data at risk. The report raised concerns about the integrity of the systems used to process Medicaid managed-care claims. (19 pages)

Fiscal Year 2015 Top Management Challenges

Office of Personnel Management (OPM), OIG

October 30, 2015

See Internal Challenges section (pp. 10-19) for a discussion of challenges related to information technology, improper payments, the retirement claims process, and the procurement process. Officials in OPM's Office of Procurement Operations violated the Federal Acquisition Regulation and the agency's own policies in awarding a $20.7 million contract to provide credit monitoring and ID theft services. Investigators turned up "significant deficiencies" in the process of awarding the contract to Winvale Group and its subcontractor CSID. (22 pages)

Critical Infrastructure Protection: Cybersecurity of the Nation's Electricity Grid Requires Continued Attention

GAO October 21, 2015

In a 2011 report, GAO recommended that (1) NIST improve its cybersecurity standards, (2) the Federal Energy Regulatory Commission (FERC) assess whether challenges identified by GAO should be addressed in ongoing cybersecurity efforts, and (3) FERC coordinate with other regulators to identify strategies for monitoring compliance with voluntary standards. The agencies agreed with the recommendations, but FERC has not taken steps to monitor compliance with voluntary standards. (18 pages)

Agencies Need to Correct Weaknesses and Fully Implement Security Programs

GAO September 29, 2015

Persistent weaknesses at 24 federal agencies illustrate the challenges they face in effectively applying information security policies and practices. The deficiencies place critical information and information systems used to support the operations, assets, and federal personnel at risk, and can impair agencies' efforts to fully implement effective information security programs. In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies addressing deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented. (71 pages)

Defense Cybersecurity: Opportunities Exist for DOD to Share Cybersecurity Resources with Small Businesses

GAO September 24, 2015

DOD's Office of Small Business Programs (OSBP) has explored some options, such as online training videos, to integrate cybersecurity into its existing efforts; however, as of July 2015, the office had not identified and disseminated cybersecurity resources in its outreach and education efforts to defense small businesses. Although DOD OSBP is not required to educate small businesses on cybersecurity, its officials acknowledged that cybersecurity is an important and timely issue for small businesses. (32 pages)

Records: Energy Department Struck by Cyber Attacks

USA Today Review of Department of Energy Records

September 11, 2015

According to information obtained by USA Today through a Freedom of Information Act (FOIA) request, the Department of Energy's computer systems were breached by attackers more than 150 times between 2010 and 2014. Although there were many failed attempts to break into the systems, the success rate was roughly 15%.

The Centers for Medicare & Medicaid Services' Implementation of Security Controls Over the Multidimensional Insurance Data Analytics System Needs Improvement

HHS, OIG September 2015

HealthCare.gov relies on a $110 million digital repository called MIDAS to store the information it collects. While MIDAS does not handle medical records, it does store names, Social Security numbers, addresses, passport numbers, and financial and employment information for exchange customers. In addition to poor security policies, the HHS audit found 135 database vulnerabilities—such as software bugs—22 of which were classified as "high risk." (7 pages)

Information Security Concerns

Department of Labor (DOL), OIG

July 31, 2015

The report asserts that DOL only recently turned its attention to implementing two-factor authentication agency-wide in response to data breaches at OPM. It also detailed lingering problems with former employees and contractors having privileged access to government systems. (16 pages)

Defense Infrastructure: Improvements in DOD Reporting and Cybersecurity Implementation Needed to Enhance Utility Resilience Planning

GAO July 23, 2015

The report addresses (1) whether threats and hazards have caused utility disruptions on DOD installations and, if so, what impacts they have had; (2) the extent to which DOD's collection and reporting on utility disruptions is comprehensive and accurate; and (3) the extent to which DOD has taken actions and developed and implemented guidance to mitigate risks to operations at its installations in the event of utility disruptions. (72 pages)

U.S. Postal Service Cybersecurity Functions

U.S. Postal Service (USPS), OIG

July 17, 2015

The report found that Postal Service leadership had not fostered a culture of effective cybersecurity across the enterprise. Staffing and resources for cybersecurity functions focused heavily on complying with specific legal and industry requirements, leaving limited resources for systems that are not subject to these requirements. In addition, management had not integrated cybersecurity risks into a comprehensive cybersecurity strategy. (41 pages)

Cyberthreats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies

GAO July 8, 2015

This statement summarizes (1) cyberthreats to federal systems, (2) challenges facing federal agencies in securing their systems and information, and (3) government-wide initiatives aimed at improving cybersecurity. In preparing this statement, GAO relied on its previously published and ongoing work in this area. In previous work, GAO and agency IGs have made hundreds of recommendations to assist agencies in addressing cybersecurity challenges. GAO has also made recommendations to improve government-wide initiatives. (25 pages)

Audit of the Federal Bureau of Investigation's Implementation of Its Next Generation Cyber Initiative

Federal Bureau of Investigation (FBI)

July 2015

Following the Office of the Inspector General's (OIG) April 2011 report on the FBI's ability to address the national cyber intrusion threat, in October 2012 the FBI launched its Next Generation Cyber (Next Gen Cyber) Initiative to enhance its ability to address cybersecurity threats to the United States. The objective of this audit was to evaluate the FBI's implementation of its Next Gen Cyber Initiative. (40 pages)

Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies

GAO June 24, 2015

This statement summarizes (1) challenges facing federal agencies in securing their systems and information and (2) government-wide initiatives, including those led by DHS, aimed at improving cybersecurity. In preparing this statement, GAO relied on its previously published and ongoing work in this area. (17 pages)

Insider Threats: DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems

GAO June 2, 2015

DOD components have identified technical and policy changes to help protect classified information and systems from insider threats, but DOD is not consistently collecting this information to support management and oversight responsibilities. According to Office of the Under Secretary of Defense for Intelligence officials, they do not consistently collect this information because DOD has not identified a program office that is focused on overseeing the insider-threat program. Without an identified program office dedicated to oversight of insider-threat programs, DOD may not be able to ensure the collection of all needed information and could face challenges in establishing goals and in recommending resources and improvements to address insider threats. This is an unclassified version of a classified report GAO issued in April 2015. (55 pages)

Cybersecurity: Actions Needed to Address Challenges Facing Federal Systems

GAO April 22, 2015

Because of the risk posed by certain cyberthreats, it is crucial that the federal government take appropriate steps to secure its information and information systems. Until agencies take actions to address these challenges—including the hundreds of recommendations GAO and inspectors general made—their systems and information will be at increased risk of compromise from cyber-based attacks and other threats. (21 pages)

Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen

GAO April 14, 2015

GAO reviewed the Federal Aviation Administration's (FAA's) cybersecurity efforts. The report (1) identifies the cybersecurity challenges facing FAA as it shifts to the Next Generation Air Transportation System (NextGen) and how FAA has begun addressing those challenges, and (2) assesses the extent to which FAA and its contractors, in the acquisition of NextGen programs, have followed federal guidelines for incorporating cybersecurity controls. (56 pages)

FDIC Implemented Many Controls over Financial Systems, but Opportunities for Improvement Remain

GAO April 9, 2015

The Federal Deposit Insurance Corporation (FDIC) has implemented numerous information security controls intended to protect its key financial systems; nevertheless, weaknesses remain that place the confidentiality, integrity, and availability of financial systems and information at risk. In 2014, the corporation implemented 27 of the 36 GAO recommendations pertaining to previously reported security weaknesses that were unaddressed as of December 31, 2013; actions to implement the remaining 9 recommendations are in progress. (28 pages)

Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2013

HHS, OIG April 2015

The Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the Medicare administrative contractors (MACs), fiscal intermediaries, and carriers using a set of agreed-upon procedures. Some MACs have made improvements in their information security programs, but most still have a way to go in closing a number of key gaps. Among the concerns cited in the report are a lack of policies and procedures to reduce risk, failure to conduct periodic testing of information security controls, and insufficient incident detection reporting and response. (19 pages)

The FBI: Protecting the Homeland in the 21st Century

9/11 Review Commission

March 26, 2015

The 9/11 Review Commission found in its report on the FBI and its modern national security mission that while the FBI and DHS' relationship has improved in the past few years, especially on counterterrorism, that improvement has lagged in the area of cybersecurity. "The challenge for both DHS and the FBI in coordinating cyber relationships is due in large part to the lack of clarity at the national level on cyber roles and responsibilities," the commissioners wrote. "While Washington tries to coordinate the overlapping responsibilities of various federal agencies, the private sector is left in the dark. … The FBI is limited in its cyber efforts by the muddled national cyber architecture that will continue to affect the relationship with DHS. This issue … is beyond the FBI's ability to address in isolation." (128 pages)

Information Security: IRS Needs to Continue Improving Controls over Financial and Taxpayer Data

GAO March 19, 2015

Until the Internal Revenue Service (IRS) takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implement elements of its information security program, including updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. GAO recommends that IRS take five additional actions to more effectively implement elements of its information security program. In a separate report with limited distribution, GAO recommends 14 actions that IRS can take to address newly identified control weaknesses. (30 pages)

Healthcare.gov: CMS Has Taken Steps to Address Problems, but Needs to Further Implement Systems Development Best Practices

GAO March 4, 2015

GAO reviewed CMS's management of the development of IT systems supporting the federal marketplace. Its objectives were to (1) describe problems encountered in developing and deploying systems supporting Healthcare.gov and determine the status of efforts to address deficiencies and (2) determine the extent to which CMS applied disciplined practices for managing and overseeing the development effort, and the extent to which HHS and OMB provided oversight. GAO recommended that CMS take seven actions to implement improvements in its requirements management, system testing, and project oversight, and that HHS improve its oversight of the Healthcare.gov effort. (86 pages)

High Risk List: Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information

GAO February 11, 2015

If cyber assets are not adequately protected, it "could lead to serious consequences and result in substantial harm to individuals and to the federal government." The government still faces challenges in achieving that goal, however, in several areas, including establishing risk-based cybersecurity programs at federal agencies, securing the global IT supply chain, securing critical infrastructure, overseeing IT contractors, improving incident response, and putting security programs in place at small agencies.

DOT&E FY 2014 Annual Report (Director Of Operational Test & Evaluation)

DOD Office of the Director, Operational Test and Evaluation (OT&E)

January 2015

A series of live fire tests of the military's computer network security in 2015 found many combatant commands could be compromised by low-to-middling skilled hackers and might not be able to "fight through" in the face of enemy cyberattacks. The assessment echoes previous OT&E annual assessments, which routinely found that military services and combatant commands did not have a sufficiently robust security posture or training to repel sustained cyberattacks during battle. (91 pages)

A Review of the U.S. Navy Cyber Defense Capabilities: Abbreviated Version of a Classified Report

National Research Council (NRC)

January 2015

The NRC appointed an expert committee to review the U.S. Navy's cyber defense capabilities. The Department of the Navy determined that the committee's final report is classified in its entirety under Executive Order 13526 and therefore cannot be made available to the public. A Review of U.S. Navy Cyber Defense Capabilities, the abbreviated report, provides background information on the full report and the committee that prepared it. (13 pages)

Final Audit Report: Federal Information Security Management Act Audit FY 2014

Office of Personnel Management (OPM)

November 12, 2014

OPM's OIG reported that the agency "does not maintain a comprehensive inventory of servers, databases, and network devices." The report also noted that eleven "major systems" were operating without the agency certifying they met security standards. (66 pages)

FFIEC Cybersecurity Assessment: General Observations

Federal Financial Institutions Examination Council (FFIEC)

November 3, 2014

Companies are critically dependent on IT. Financial companies should routinely scan IT networks for vulnerabilities and anomalous activities and test systems for potential exposure to cyberattacks. The study recommends sharing threat data through such avenues as the Financial Services Information Sharing and Analysis Center.

Healthcare.gov: Information Security and Privacy Controls Should Be Enhanced to Address Weaknesses

GAO September 18, 2014

The specific objectives of this work were to (1) describe the planned exchanges of information between the Healthcare.gov website and other organizations and (2) assess the effectiveness of programs and controls CMS implemented to protect the security and privacy of the information and IT systems supporting Healthcare.gov. Although CMS has security and privacy protections in place for Healthcare.gov and related systems, weaknesses exist that put these systems and the sensitive personal information they contain at risk. (17 pages)

FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain

GAO July 17, 2014

FDIC has implemented numerous information security controls intended to protect its key financial systems; nevertheless, weaknesses place the confidentiality, integrity, and availability of financial systems and information at unnecessary risk. In 2013, the corporation implemented 28 of the 39 open GAO recommendations pertaining to previously reported security weaknesses that were unaddressed as of December 31, 2012. (30 pages)

Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity

GAO June 5, 2014

GAO's objective was to identify the extent to which DHS and other stakeholders have taken steps to address cybersecurity in the maritime port environment. GAO examined relevant laws and regulations, analyzed federal cybersecurity-related policies and plans, observed operations at three U.S. ports selected based on being a high-risk port and a leader in calls by vessel type (e.g., container), and interviewed federal and nonfederal officials. (54 pages)

HHS Activities to Enhance Cybersecurity

HHS May 12, 2014

Additional oversight on cybersecurity issues from outside of HHS is not necessary, according to an HHS report on its existing cyber regulatory policies. "All of the regulatory programs identified [in the HHS Section 10(a) analysis] operate within particular segments of the [Healthcare and Public Health] Sector. Expanding any or each of these authorities solely to address cybersecurity issues would not be appropriate or recommended."

Inadequate Practice and Management Hinder Department's Incident Detection and Response

Department of Commerce (DOC) OIG

April 24, 2014

Auditors sent a prolonged stream of deliberately suspicious network traffic to five public-facing websites at the DOC to assess incident-detection capabilities. Only one bureau—auditors do not say which—successfully moved to block the suspicious traffic. Responses at the other bureaus ranged from no action to ineffective action, even for those that paid for special security services from vendors. (15 pages)

IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk

GAO April 8, 2014

"Until the Internal Revenue Service (IRS) takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure. These deficiencies, including shortcomings in the information security program, indicate that IRS had a significant deficiency in its internal control over its financial reporting systems for FY2013." (29 pages)

High-Risk Security Vulnerabilities Identified During Reviews of Information Technology General Controls at State Medicaid Agencies

HHS OIG March 2014

The report says dozens of high-risk security vulnerabilities found in information systems at 10 state Medicaid agencies should serve as a warning to other states about the need to take action to prevent fraud.

Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent

GAO December 9, 2013

GAO recommends that "to improve the consistency and effectiveness of governmentwide data breach response programs, the Director of OMB should update its guidance on federal agencies' responses to a PII-related data breach to include (1) guidance on notifying affected individuals based on a determination of the level of risk; (2) criteria for determining whether to offer assistance such as credit monitoring to affected individuals; and (3) revised reporting requirements for PII-related breaches to US-CERT [Computer Emergency Response Team], including time frames that better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk." (67 pages)

The Department of Energy's July 2013 Cyber Security Breach

DOE OIG December 2013

Nearly eight times as many current and former DOE staff members were affected by a July 2013 computer hack than was previously estimated, according to the agency's inspector general. In August, DOE estimated that the hack affected roughly 14,000 current and former staff, leaking personally identifiable information, such as Social Security numbers, birthdays, and banking information, but the breach apparently affected more than 104,000 people. (28 pages)

GPS Disruptions: Efforts to Assess Risks to Critical Infrastructure and Coordinate Agency Actions Should Be Enhanced

GAO November 6, 2013

GAO reviewed the effects of global positioning system (GPS) disruptions on the nation's critical infrastructure. GAO examined (1) the extent to which DHS has assessed the risks and potential effects of GPS disruptions on critical infrastructure; (2) the extent to which the Department of Transportation (DOT) and DHS have developed backup strategies to mitigate GPS disruptions; and (3) what strategies, if any, selected critical infrastructure sectors employ to mitigate GPS disruptions and any remaining challenges. (58 pages)

Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2013

DOE OIG October 2013

To help protect against continuing cybersecurity threats, the commission estimated that it would spend approximately $5.8 million during FY2013 to secure its information technology assets, a 9% increase compared with FY2012.... As directed by FISMA, the OIG conducted an independent evaluation of the commission's unclassified cybersecurity program to determine whether it adequately protected data and information systems. The report presents the results of the evaluation for FY2013. (13 pages)

DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts

GAO September 17, 2013

Within DHS, one in five jobs at a key cybersecurity component is vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate (NPPD) officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances as well as low pay in comparison with the private sector. (47 pages)

Offensive Cyber Capabilities at the Operational Level: The Way Ahead

Center for Strategic and International Studies (CSIS)

September 16, 2013

The report examines whether DOD should make a more deliberate effort to explore the potential of offensive cyber tools at levels below that of a combatant command. (20 pages)

An Assessment of the Department of Defense Strategy for Operating in Cyberspace

U.S. Army War College

September 2013

This monograph is organized in three main parts. The first part explores the evolution of cyberspace strategy through a series of government publications leading up to the DoD Strategy for Operating in Cyberspace. The second part elaborates on and critiques each strategic initiative in terms of significance, novelty, and practicality. The third part critiques DOD's strategy as a whole. (60 pages)

Joint Professional Military Education Institutions in an Age of Cyber Threat

Francesca Spidalieri (Pell Center Fellow)

August 7, 2013

The report found that the Joint Professional Military Education at the six U.S. military graduate schools—a requirement for becoming a joint staff officer and for promotion to the senior ranks—has not effectively incorporated cybersecurity into specific courses, conferences, war-gaming exercises, or other forms of training for military officers. Although these graduate programs are more advanced on cybersecurity than most American civilian universities, a preparation gap still exists. (18 pages)

Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment

GAO May 21, 2013

The federal government began efforts to address supply chain security for commercial networks. A variety of other approaches exist for addressing the potential risks posed by foreign-manufactured equipment in commercial communications networks, including those taken by foreign governments. Although these approaches are intended to improve supply chain security of communications networks, they may also create the potential for trade barriers, additional costs, and constraints on competition, which the federal government would have to take into account if it chooses to pursue such approaches. (52 pages)

Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts

GAO April 11, 2013

Until DHS and its sector partners develop appropriate outcome-oriented metrics, it will be difficult to gauge the effectiveness of efforts to protect the nation's core and access communications networks and critical support components of the Internet from cyber incidents. Although no cyber incidents affecting the nation's core and access networks have been reported, communications network operators can use FCC's and DHS's reporting mechanisms to share information on outages and incidents. (45 pages)

Information Sharing: Agencies Could Better Coordinate to Reduce Overlap in Field-Based Activities

GAO April 4, 2013

Agencies have neither held entities accountable for coordinating nor assessed opportunities for further enhancing coordination to help reduce the potential for overlap and achieve efficiencies. The Department of Justice (DOJ), DHS, and the Office of National Drug Control Policy (ONDCP)—the federal agencies that oversee or provide support to the five types of field-based entities—acknowledged that it is important for entities to work together and share information, but these agencies do not hold the entities accountable for such coordination. (72 pages)

Cybersecurity: A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges

GAO March 7, 2013

"[A]lthough federal law assigns the Office of Management and Budget (OMB) responsibility for oversight of federal government information security, OMB recently transferred several of these responsibilities to Department of Homeland Security (DHS).... [I]t remains unclear how OMB and Department of Homeland Security are to share oversight of individual departments and agencies. Additional legislation could clarify these responsibilities." (36 pages)

Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented

GAO February 14, 2013

GAO recommends that the White House cybersecurity coordinator develop an overarching federal cybersecurity strategy that includes all key elements of the desirable characteristics of a national strategy. Such a strategy would provide a more effective framework for implementing cybersecurity activities and better ensure that such activities will lead to progress in cybersecurity. (112 pages)

Information Security: Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project

GAO January 25, 2013

The Federal Communications Commission (FCC) did not effectively implement appropriate information security controls in the initial components of the Enhanced Secured Network (ESN) project. Weaknesses identified in the commission's deployment of ESN's project components as of August 2012 resulted in unnecessary risk that sensitive information could be disclosed, modified, or obtained without authorization. GAO made seven recommendations to the FCC to implement management controls to help ensure that ESN meets its objective of securing FCC's systems and information. (35 pages)

Follow-up Audit of the Department's Cyber Security Incident Management Program

DOE OIG December 2012

In 2008, the DOE's Cyber Security Incident Management Program (DOE/IG-0787, January 2008) reported the Department and National Nuclear Security Administration (NNSA) had established and maintained a number of independent, at least partially duplicative, cybersecurity incident management capabilities. Several issues were identified that limited the efficiency and effectiveness of the department's cybersecurity program and adversely affected the ability of law enforcement to investigate incidents. In response to the findings, management concurred with the recommendations and indicated that it had initiated actions to address the issues. (25 pages)

Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned

GAO July 11, 2012

GAO recommended that the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration (GSA) and Small Business Administration (SBA) should direct their respective chief information officers to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service discussed in the report, as applicable. (43 pages)

Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight

GAO July 9, 2012

DOD's oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective department-wide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources. (46 pages)

Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage

GAO June 28, 2012

The statement discusses (1) cyber threats facing the nation's systems, (2) reported cyber incidents and their impacts, (3) security controls and other techniques available for reducing risk, and (4) the responsibilities of key federal entities in support of protecting Internet protocol. (20 pages)

Cyber Sentries: Preparing Defenders to Win in a Contested Domain

Army War College

February 7, 2012

The paper examines the current impediments to effective cybersecurity workforce preparation and offers new concepts to create Cyber Sentries through realistic training, network authorities tied to certification, and ethical training. These actions present an opportunity to significantly enhance workforce quality and allow DOD to operate effectively in the contested cyber domain in accordance with the vision established in its Strategy for Cyberspace Operations. (38 pages)

The Department's Management of the Smart Grid Investment Grant Program

DOE OIG January 20, 2012

According to the DOE's inspector general, the department's rush to award stimulus grants for projects under the next generation of the power grid, known as the Smart Grid, resulted in some firms receiving funds without submitting complete plans for how to safeguard the grid from cyberattacks. (21 pages)

Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination

GAO November 29, 2011

To ensure that government-wide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the DOC Secretary, OMB Director, OPM, and DHS Secretary should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities. (86 pages)

Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management

GAO October 17, 2011

GAO recommended that the OMB update its guidance to establish measures of accountability for ensuring that chief information officers' responsibilities are fully implemented and to require agencies to establish internal processes for documenting lessons learned. (72 pages)

Information Security: Additional Guidance Needed to Address Cloud Computing Concerns

GAO October 6, 2011

Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that the NIST issue guidance specific to cloud computing security. (17 pages)

Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements

GAO October 3, 2011

Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing by more than 650% over the past five years. Each of the 24 agencies reviewed had weaknesses in information security controls. (49 pages)

Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates

GAO July 29, 2011

The letter discusses DOD's cyber and information assurance budget for FY2012 and future years' defense spending. The objectives of the review were to (1) assess the extent to which DOD prepared an overarching budget estimate for full-spectrum cyberspace operations across the department and (2) identify the challenges DOD faced in providing such estimates. (33 pages)

Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities

GAO July 25, 2011

GAO recommended that DOD evaluate how it is organized to address cybersecurity threats; assess the extent to which it developed joint doctrine that addresses cyberspace operations; examine how it assigns command and control responsibilities; and determine how it identifies and acts to mitigate key capability gaps involving cyberspace operations. (79 pages)

Information Security: [Department of] State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain

GAO July 8, 2011

The Department of State implemented a custom application called iPost and a risk-scoring program that aimed to provide continuous monitoring capabilities of information security risk to elements of the department's IT infrastructure. To improve implementation of iPost at State, the Secretary of State directed the chief information officer to develop, document, and maintain an iPost configuration management and test process. (63 pages)

USCYBERCOM [U.S. Cyber Command] and Cyber Security: Is a Comprehensive Strategy Possible?

Army War College

May 12, 2011

Examines five aspects of USCYBERCOM: (1) organization, (2) command and control, (3) computer network operations, (4) synchronization, and (5) resourcing. Identifies areas that currently present significant risk to USCYBERCOM's ability to create a strategy that can achieve success in its cyberspace operations and recommends potential solutions that can increase the effectiveness of the USCYBERCOM strategy. (32 pages)

Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats

GAO March 16, 2011

The White House, OMB, and certain federal agencies have undertaken several government-wide initiatives intended to enhance information security at federal agencies. Although progress has been made on these initiatives, they all face challenges that require sustained attention, and GAO has made several recommendations for improving the implementation and effectiveness of these initiatives. (15 pages)

Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security

DOE OIG January 26, 2011

The Nuclear Energy Regulatory Commission (NERC) developed Critical Infrastructure Protection (CIP) cybersecurity reliability standards, which were approved by the Federal Energy Regulatory Commission (FERC) in January 2008. Although the commission had taken steps to ensure CIP cybersecurity standards were developed and approved, NERC's testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the commission were not adequate to ensure that systems-related risks to the nation's power grid were mitigated or addressed in a timely manner. (30 pages)

Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk

GAO November 30, 2010

Existing government-wide guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices. Until agencies take steps to better implement these leading practices and OMB takes steps to improve government-wide oversight, wireless networks will remain at an increased vulnerability to attacks. (50 pages)

DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened

GAO September 23, 2010

DHS has not developed an effective way to ensure that critical national infrastructure, such as electrical grids and telecommunications networks, can bounce back from a disaster. DHS has conducted surveys and vulnerability assessments of critical infrastructure to identify gaps, but has not developed a way to measure whether owners and operators of that infrastructure adopt measures to reduce risks. (46 pages)

Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems

GAO September 15, 2010

OMB and NIST established policies and guidance for civilian non-national security systems, and other organizations, including the Committee on National Security Systems (CNSS), DOD, and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO assessed the progress of federal efforts to harmonize policies and guidance for these two types of systems. (38 pages)

Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats

GAO June 16, 2010

GAO and agency IGs have made hundreds of recommendations over the past several years, many of which agencies are implementing. In addition, the White House, OMB, and certain federal agencies have undertaken several government-wide initiatives intended to enhance information security at federal agencies. Progress has been made on these initiatives, but they all face challenges that require sustained attention. GAO made several recommendations for improving the implementation and effectiveness of these existing initiatives. (15 pages)

NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses

DOE, Idaho National Laboratory

May 2010

The National SCADA Test Bed (NSTB) program reported that computer networks controlling the electric grid are plagued with security holes that could allow intruders to redirect power delivery and steal data. Many of the security vulnerabilities are strikingly basic and fixable problems. (123 pages)

Information Security: Concerted Response Needed to Resolve Persistent Weaknesses

GAO March 24, 2010

Without proper safeguards, federal computer systems are vulnerable to malicious intruders seeking to obtain sensitive information. The need for a vigilant approach to information security is demonstrated by the pervasive and sustained cyberattacks against the United States; these attacks continue to pose a potentially devastating impact to systems and the operations and critical infrastructures they support. (21 pages)

Cybersecurity: Progress Made But Challenges Remain in Defining and Coordinating the Comprehensive National Initiative

GAO March 5, 2010

To address strategic challenges in areas that are not the subject of the Comprehensive National Cybersecurity Initiative's existing projects but remain key to achieving the initiative's overall goal of securing federal information systems, GAO recommended that OMB's director continue developing a strategic approach to identity management and authentication and link it to the Homeland Security Presidential Directive 12. The directive was initially described in the Chief Information Officers Council's (CIOC's) plan to implement federal identity, credential, and access management to provide greater assurance that only authorized individuals and entities can gain access to federal information systems. (64 pages)

Continued Efforts Are Needed to Protect Information Systems from Evolving Threats

GAO November 17, 2009

GAO identified weaknesses in all major categories of information security controls at federal agencies. For example, in FY2008, weaknesses were reported in such controls at 23 of 24 major agencies. Specifically, agencies did not consistently authenticate users to prevent unauthorized access to systems; apply encryption to protect sensitive data; or log, audit, and monitor security-relevant events, among other actions. (24 pages)

Efforts to Improve Information Sharing Need to Be Strengthened

GAO August 27, 2003

Information on threats, methods, and techniques of terrorists is not routinely shared, and the information that is shared is not perceived as timely, accurate, or relevant. (59 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are documents; other cited resources are web pages.

Table 4. Federal Workforce

(includes evaluations, grants, job programs, surveys, and statistics on federal cybersecurity personnel)

Title Source Date Notes

Information Assurance Scholarship Program

DOD Continuously Updated

The Information Assurance Scholarship Program is designed to increase the number of qualified personnel entering the information assurance and technology fields within DOD. The scholarships also are an attempt to effectively retain military and civilian cybersecurity and IT personnel.

U.S. Digital Services

White House

Continuously Updated

The U.S. Digital Services (USDS) is a group of about 100 technologists on two- to four-year fellowships that do some cybersecurity work. Cybersecurity is only a small portion of USDS' work, however, and the group is not yet spread throughout all agencies.

PERSEREC (Personnel and Security Research Center)

DOD Continuously Updated

The Pentagon is expected to create a database for investigating the trustworthiness of personnel who could have access to federal facilities and computer systems. The Defense Information System for Security, or DISS, will consolidate two existing tools used for vetting employees and job applicants.

NIST 'RAMPS' Up Cybersecurity Education and Workforce Development With New Grants

NIST May 12, 2016

NIST is offering up to $1 million in grants to establish up to eight Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development. Applicants must be nonprofit organizations, including institutions of higher education, located in the United States or its territories. Applicants must also demonstrate through letters of interest that at least one of each of the following types of organizations is interested in being part of the proposed regional alliance: K-12 school or Local Education Agency (LEA), institution of higher education or college/university system, and a local employer.

Closing Skills Gaps: Strategy, Reporting and Monitoring

OPM April 15, 2016

OPM "revalidated" the need to close skills gaps in certain "high-risk mission critical occupations," including cybersecurity, acquisition, and STEM. Agency experts and chief human capital officers will work together to develop a governmentwide strategy "to address the root causes for why an occupation has been deemed 'at risk.'" OPM tasked chief human capital officers with identifying specific skills gaps in their agencies. The memo calls on agencies to develop 4-year and 10-year plans for closing gaps in those areas.

The Way Forward for Federal Background Investigations

FBI January 22, 2016

The Obama Administration is creating a new organization within the OPM to handle background investigations, in its latest response to last year's revelations that hackers had pilfered highly sensitive documents on 22 million Americans. The new organization, the National Background Investigations Bureau, will be headed by a presidential appointee, and will have a "considerable amount of operational autonomy." The technology systems will be "designed, built, secured, and operated" by the Defense Department.

Guidance on recruitment, relocation and retention (3R) incentives

OPM January 15, 2016

OPM has enhanced the ability of federal human resources managers to use recruitment, relocation, and retention (3R) incentives to attract or hang onto cybersecurity workers. The more flexible grants for exceptions to the 3R spending limit "may assist agencies in recruiting and retaining the most highly qualified cybersecurity employees to meet the government's important challenges of strengthening federal networks, systems and data."

NIST to Support Cybersecurity Jobs "Heat Map" to Highlight Employer Needs and Worker Skills

NIST October 27, 2015

NIST will fund a project developing a visualization tool to show the demand for and availability of cybersecurity jobs across the United States. CompTIA, a non-profit information technology trade association, in partnership with job market research and analytics company Burning Glass Technologies, received a three-year grant to create a "heat map" visualizing the need for and the supply of cybersecurity professionals across the country.

Workforce Shortfall Due to Hiring Difficulties Despite Rising Salaries, Increased Budgets and High Job Satisfaction

(ISC)2 April 17, 2015

In 2014, the average annual salary of a federal cybersecurity worker was $110,500, with federal contractors taking home $114,000. U.S. private-sector cyber professionals are expected to bring in $118,000 in 2015. Analysts from Frost & Sullivan forecast a shortfall of 1.5 million cyber professionals by 2020. This number is compounded by 45% of hiring managers reporting that they are struggling to support additional hiring needs and 62% of respondents reporting that their organizations have too few information security professionals. (46 pages)

Tech Hire

White House

March 9, 2015

The White House has unveiled a multi-sector effort to empower Americans with technology skills. Many jobs do not require a four-year computer science degree. To kick off TechHire, 21 regions, with more than 120,000 open technology jobs and more than 300 employer partners in need of this workforce, are announcing plans to work together to find new ways to recruit and place applicants based on their actual skills and to create more fast-track tech training opportunities.

U.S. Dept. of Energy to Offer $25M Grant for Cybersecurity

Department of Energy (DOE)

January 15, 2015

DOE announced a $25 million cybersecurity education grant over five years to establish a Cybersecurity Workforce Pipeline Consortium within the DOE with funding from its Minority Serving Institutions Partnerships Program under its National Nuclear Security Administration. The participants are historically black colleges and universities, national labs, and K-12 school districts.

DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts

GAO September 17, 2013

Within DHS, one in five jobs at a key cybersecurity component is vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances and low pay in comparison with the private sector. (47 pages)

Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making

National Academies Press

September 16, 2013

The report "examines workforce requirements for cybersecurity; the segments and job functions in which professionalization is most needed; the role of assessment tools, certification, licensing, and other means for assessing and enhancing professionalization; and emerging approaches, such as performance-based measures. It also examines requirements for the federal (military and civilian) workforce, the private sector, and state and local government." (66 pages)

Joint Professional Military Education Institutions in an Age of Cyber Threat

Francesca Spidalieri (Pell Center Fellow)

August 7, 2013

The report found that the Joint Professional Military Education at the six U.S. military graduate schools—a requirement for becoming a joint staff officer and for promotion to the senior ranks—has not effectively incorporated cybersecurity into specific courses, conferences, war-gaming exercises, or other forms of training for military officers. Although these graduate programs are more advanced on cybersecurity than most American civilian universities, a preparation gap still exists. (18 pages)

Special Cybersecurity Workforce Project (Memo for Heads of Executive Departments and Agencies)

OPM July 8, 2013

OPM is collaborating with the White House Office of Science and Technology Policy, the Chief Human Capital Officers Council, and the Chief Information Officers Council in implementing a special workforce project that tasks federal agencies' cybersecurity, information technology, and human resources communities to build a statistical data set of existing and future cybersecurity positions in the OPM Enterprise Human Resources Integration data warehouse.

Global Information Security Workforce Study

(ISC)2 Foundation and Frost and Sullivan

May 7, 2013

Federal cyber workers earn an average salary of $106,430, less than the average private-sector salary of $111,376. The lag in federal salaries is likely due to federal budget restraints. (28 pages)

2012 Information Technology Workforce Assessment for Cybersecurity

Department of Homeland Security (DHS)

March 14, 2013

The report, which is based on an anonymous survey of nearly 23,000 cyber workers across 52 departments and agencies, found that while the majority (49%) of cyber federal workers has more than 10 years of service until they reach retirement eligibility, nearly 33% will be eligible to retire in the next three years. (131 pages)

CyberSkills Task Force Report

DHS October 2012

DHS's task force on CyberSkills proposes far-reaching improvements to enable the department to recruit and retain the cybersecurity talent it needs. (41 pages)

Smart Grid Cybersecurity: Job Performance Model Report

Pacific Northwest National Laboratory

August 2012

The report outlines the work done to develop a Smart-Grid cybersecurity certification. Its primary purpose is to develop a measurement model used to guide curriculum, assessments, and other development of technical and operational Smart-Grid cybersecurity knowledge, skills, and abilities. (178 pages)

Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination

GAO November 29, 2011

To ensure that government-wide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretaries of Commerce and Homeland Security and the Directors of OMB and OPM collaborated through the National Initiative for Cybersecurity Education (NICE) initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities. (86 pages)

Cyber Operations Personnel Report

DOD April 2011

The report focuses on FY2009 DOD Cyber Operations personnel, with duties and responsibilities as defined in Section 934 of the FY2010 National Defense Authorization Act (NDAA). Its appendices include the following:

Appendix A—Cyber Operations-Related Military Occupations

Appendix B—Commercial Certifications Supporting the DOD Information Assurance Workforce Improvement Program

Appendix C—Military Services Training and Development

Appendix D—Geographic Location of National Centers of Academic Excellence in Information Assurance (84 pages)

The Power of People: Building an Integrated National Security Professional System for the 21st Century

Project on National Security Reform

November 2010

The study was conducted in fulfillment of Section 1054 of the FY2010 NDAA, which required the commissioning of a study by "an appropriate independent, nonprofit organization, of a system for career development and management of interagency national security professionals." (326 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Page counts are documents; other cited resources are web pages.

Table 5. White House and Office of Management and Budget

(reports by or about cybersecurity policies in the White House, OMB, or executive branch agencies)

Title Source Date Notes

Improving Cybersecurity

OMB Continuously Updated

OMB is working with agencies, inspectors general, chief information officers, and senior agency officials in charge of privacy, as well as the Government Accountability Office (GAO) and Congress, to strengthen the federal government's IT security and privacy programs. The site provides information on Cross-Agency Priority (CAP) goals, proposed cybersecurity legislation, CyberStat, continuous monitoring and remediation, using SmartCards for identity management, and standardizing security through configuration settings.

FACT SHEET: Announcing Over $80 million in New Federal Investment and a Doubling of Participating Communities in the White House Smart Cities Initiative

White House September 26, 2016

In September 2015, the White House launched the Smart Cities Initiative to make it easier for cities, federal agencies, universities, and the private sector to work together to research, develop, deploy, and testbed new technologies that can help make our cities more inhabitable, cleaner, and more equitable. This year, to kick off Smart Cities Week, the Administration is expanding this initiative, with more than $80 million in new federal investments and a doubling of the number of participating cities and communities, exceeding 70 in total.

Announcing the First Federal Chief Information Security Officer

White House September 8, 2016

The Administration announced Brigadier General (retired) Gregory J. Touhill as the first Federal Chief Information Security Officer (CISO). A key feature of the Cybersecurity National Action Plan (CNAP) is the creation of the first CISO to drive cybersecurity policy, planning, and implementation across the federal government.

Revision of OMBCircular No. A-130, "ManagingInformation as aStrategicResource"

OMB July 28,2016

OMB has revised Circular A-130, "ManagingInformation as a Strategic Resource," to reflect changesin law and advances in technology. The revisions alsoensure consistency with executive orders, presidentialdirectives, recent OMB policy, and National Institute ofStandards and Technology standards and guidelines. TheCircular establishes general policy for informationgovernance, acquisitions, records management, opendata, workforce, security, and privacy. It also emphasizesthe role of both privacy and security in the Federalinformation life cycle. (30 pages)

Letter Sent to 27 Executive Branch Offices Regarding Information Security Obligations Under the Federal Information Security Management Act (FISMA)

House Oversight and Government Reform Committee, July 26, 2016

The letter notes all agencies are required by law to submit annual reports to the committee and Office of Management and Budget—which is a part of EOP—and that the term "agency" was intentionally defined broadly in the legislation, which specifically mentions EOP as an example. The letter requests a copy of EOP's FISMA report or, if it doesn't exist, an explanation of why the office is exempt. (17 pages)

Category Management Policy 16-2: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response

OMB, July 1, 2016

OMB issued a memorandum to all department heads outlining how agencies should go about contracting for identity protection services. Going forward, all agencies offering identity protection services to citizens or employees must contract through the General Services Administration's Identity Monitoring Data Breach Response and Protection Services (IPS) blanket purchase agreement (BPA). (3 pages)

President Obama Appoints Commission on Enhancing National Cybersecurity

White House, April 13, 2016

President Barack Obama announced his intent to appoint individuals to the Commission on Enhancing National Cybersecurity.

Annual Report to Congress: Federal Information Security Modernization Act

OMB, March 18, 2016

In 2015, government agencies reported 77,183 cybersecurity incidents, a 10% increase from 69,851 incidents in 2014. These incidents were reported by government agencies to the United States Computer Emergency Readiness Team (US-CERT). Sixteen percent of these were caused by "non-cyber" reasons, such as employees losing data storage devices that contained personally identifiable information. [See p. 39 for agency scores]. (95 pages)

Cybersecurity National Action Plan

White House, February 9, 2016

The White House proposed a Cybersecurity National Action Plan, which provides a 35% increase in federal funds for the next budget year to boost the nation's ability to safeguard its computer networks, both private and public, from attacks while preserving privacy.

Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government

OMB, October 30, 2015

The document includes an update on the comprehensive review of the federal government's cyber policies, which took place during a 30-day "Cybersecurity Sprint" directed by the federal chief information officer in June 2015. The plan identifies a number of action items that the federal government will take in the coming year to improve the cybersecurity of the federal government networks. (21 pages)

Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements

OMB, October 30, 2015

The White House is updating annual cybersecurity guidelines that provide a definition for a "major" cyber incident. The new definition is mandated by a 2014 update to the Federal Information Security Management Act (FISMA). Agencies can consult with the Department of Homeland Security about whether an incident meets the major threshold, but ultimately it's up to the victim agency to make the final call. (11 pages)

Appendix III to OMB Circular No. A-130: Responsibilities for Protecting Federal Information Resources

OMB, October 21, 2015

The policy lays out guidance for managing IT investments, improving information security practices, and streamlining the process for acquiring new technology.

Strengthening & Enhancing Federal Cybersecurity for the 21st Century

OMB, August 3, 2015

In July 2015, OMB launched a 30-day Cybersecurity Sprint to assess and improve the health of all federal assets and networks, both civilian and military. As part of the Sprint, OMB directed agencies to further protect federal information, improve the resilience of their networks, and report on their successes and challenges. Agencies were instructed to immediately patch critical vulnerabilities, review and tightly limit the number of privileged users with access to authorized systems, and dramatically accelerate the use of strong authentication, especially for privileged users.

Request for Comments on Improving Cybersecurity Protections in Federal Acquisitions

OMB, July 30, 2015

OMB's Office of E-Government & Information Technology (E-Gov) is seeking public comment on draft guidance to improve cybersecurity protections in federal acquisitions. Threats to federal information systems have increased as agencies provide more services online and the demand to secure information on these systems increases. (1 page)

FACT SHEET: Administration Cybersecurity Efforts 2015

OMB, July 9, 2015

The 30-day Cybersecurity Sprint, by the Obama Administration in the wake of the OPM breach, has resulted in a jump in the use of multi-factor ID authentication and tens of thousands of scans of federal networks for vulnerabilities. The White House released a fact sheet detailing what the Administration has done to improve cybersecurity. (9 pages)

FACT SHEET: Enhancing and Strengthening the Federal Government's Cybersecurity

OMB, June 12, 2015

To further improve federal cybersecurity and protect systems against these evolving threats, the U.S. chief information officer (CIO) launched a 30-day Cybersecurity Sprint. The CIO instructed federal agencies to immediately take numerous steps to further protect federal information and assets and improve the resilience of federal networks. Agencies were instructed to immediately test networks for DHS-provided indicators, patch vulnerabilities flagged in weekly DHS scan reports, restrict the number of privileged user accounts and what they can do, and dramatically ramp up the use of multi-factor authentication, especially for sensitive users. On the latter three requirements, agencies were to report back to OMB and DHS on their progress within a month.

Management and Oversight of Information Technology Resources

OMB, June 10, 2015

The guidance takes major steps toward ensuring agency CIOs have significant involvement in procurement, workforce, and technology-related budget matters while continuing a partnership with other senior leaders. It also takes major steps toward positioning CIOs so that they can reasonably be held accountable for how effectively their agencies use modern digital approaches to achieve the objectives of effective and efficient programs and operations. (34 pages)

Policy to Require Secure Connections across Federal Websites and Web Services

OMB, June 8, 2015

In a memo to agency executives, federal CIO Tony Scott detailed four requirements for agencies to meet, starting with using a risk-based approach for determining which websites or web services to move to HTTPS first. Sites dealing with personally identifiable information (PII), where the content is sensitive, or where the site receives a high level of traffic should be migrated to HTTPS as soon as possible. Agencies have until Dec. 31, 2016, to move all public-facing online services to the security standard. (5 pages)

White House Summit on Cybersecurity and Consumer Protection

White House, February 13, 2015

The Summit brought together leaders from across the country who have a stake in this issue—industry, tech companies, law enforcement, consumer and privacy advocates, law professors who specialize in this field, and students—to collaborate and explore partnerships that will help develop the best ways to bolster U.S. cybersecurity. Topics included Public-Private Collaboration on Cybersecurity; Improving Cybersecurity Practices at Consumer-Oriented Businesses and Organizations; Promoting More Secure Payment Technologies; Cybersecurity Information Sharing; International Law Enforcement Cooperation on Cybersecurity; Improving Authentication: Moving Beyond the Password; and Chief Security Officers' Perspectives: New Ideas on Technical Security.

Strengthening our Nation's Cyber Defenses (Announcing Plans for a New Cyber Threat Intelligence Integration Center)

White House, February 11, 2015

The White House will establish a new Cyber Threat Intelligence Integration Center, or CTIIC, under the auspices of the Director of National Intelligence. Currently, no single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other elements within the government, and supporting the work of operators and policymakers with timely intelligence about the latest cyber threats and threat actors. The CTIIC is intended to fill these gaps.

National Security Strategy

White House, February 6, 2015

The document states the United States will "defend ourselves, consistent with U.S. and international law, against cyberattacks and impose costs on malicious cyber actors, including through prosecution of illegal cyber activity." The strategy praises the NIST framework for cybersecurity and promises to work with Congress to "pursue a legislative framework that ensures high [cyber] standards" for critical infrastructure. The government will also work to develop "global standards for cybersecurity and building international capacity to disrupt and investigate cyber threats." The document also promises to help other nations improve the cybersecurity of their critical infrastructure and develop laws that punish hackers. (32 pages)

Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices

OMB, October 3, 2014

OMB is making updates to streamline agency reporting of information security incidents to DHS's U.S. Computer Emergency Readiness Team (US-CERT) and to improve US-CERT's ability to respond effectively to information security incidents. Under the updates, losses of PII caused by non-electronic means must be reported within one hour of a confirmed breach to the agency privacy office rather than to US-CERT. (17 pages)

Assessing Cybersecurity Regulations

White House, May 22, 2014

The White House directed federal agencies to examine their regulatory authority over private-sector cybersecurity in the February 2013 executive order that also created the National Institute of Standards and Technology (NIST) cybersecurity framework. A review of agency reports concluded that "existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks." No new federal regulations are needed for improving the cybersecurity of privately held American critical infrastructure.

Federal Information Security Management Act, Annual Report to Congress

OMB, May 1, 2014

The 24 largest federal departments and agencies spent $10.34 billion on cybersecurity in fiscal year 2014. The Chief Financial Officers Act agency with the greatest expenditure was the DOD at $7.11 billion, followed by DHS at $1.11 billion. Federal agencies' collective request for cybersecurity spending during FY2015 amounts to about $13 billion, federal CIO Steven VanRoekel told reporters during the March rollout of the White House spending proposal for the coming fiscal year—making cybersecurity a rare area of federal information technology spending growth. (80 pages)

Big Data: Seizing Opportunities, Preserving Values

White House, May 2014

The findings outline a set of consumer protection recommendations, including that Congress should pass legislation on a "single national data breach standard." (85 pages)

State and Local Government Cybersecurity

White House, April 2, 2014

The White House in March 2014 convened an array of stakeholders, including government representatives, local-government-focused associations, private-sector technology companies, and partners from multiple federal agencies at the State and Local Government Cybersecurity Framework Kickoff Event.

Liberty and Security in a Changing World: Report and Recommendations of The President's Review Group on Intelligence and Communications Technologies

The President's Review Group on Intelligence and Communications Technologies, December 12, 2013

From the report, "The national security threats facing the United States and our allies are numerous and significant, and they will remain so well into the future. These threats include international terrorism, the proliferation of weapons of mass destruction, and cyber espionage and warfare.... After careful consideration, we recommend a number of changes to our intelligence collection activities that will protect [privacy and civil liberties] values without undermining what we need to do to keep our nation safe." (308 pages)

Immediate Opportunities for Strengthening the Nation's Cybersecurity

President's Council of Advisors on Science and Technology (PCAST), November 2013

The report recommends the government phase out insecure, outdated operating systems, such as Windows XP; implement better encryption technology; and encourage automatic security updates, among other changes. PCAST also recommends that the government help create cybersecurity best practices and audit their adoption in regulated industries. For independent agencies, PCAST proposes writing new rules that require businesses to report their cyber improvements. (31 pages)

Cross Agency Priority Goal: Cybersecurity, FY2013 Q3 Status Report

Performance.gov, October 2013

Executive branch departments and agencies achieved 95% implementation of the Administration's priority cybersecurity capabilities by the end of FY2014. These capabilities include strong authentication, Trusted Internet Connections (TIC), and continuous monitoring. (24 pages)

Incentives to Support Adoption of the Cybersecurity Framework

White House, August 6, 2013

From the report, "To promote cybersecurity practices and develop these core capabilities, we are working with critical infrastructure owners and operators to create a Cybersecurity Framework – a set of core practices to develop capabilities to manage cybersecurity risk.... Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders."

FY2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002

OMB, March 2013

More government programs violated data security law standards in 2012 than in the previous year. At the same time, computer security costs have increased by more than $1 billion. Inadequate training was a large part of the reason all-around scores for adherence to the Federal Information Security Management Act of 2002 (FISMA) slipped from 75% in 2011 to 74% in 2012. Agencies reported that about 88% of personnel with system access privileges received annual security awareness instruction, down from 99% in 2011. Meanwhile, personnel expenses accounted for the vast majority—90%—of the $14.6 billion departments spent on information technology security in 2012. (68 pages)

Administration Strategy for Mitigating the Theft of U.S. Trade Secrets

Executive Office of the President, February 20, 2013

From the report, "First, we will increase our diplomatic engagement.... Second, we will support industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.... Third, DOJ will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.... Fourth, President Obama recently signed two pieces of legislation that will improve enforcement against trade secret theft.... Lastly, we will increase public awareness of the threats and risks to the U.S. economy posed by trade secret theft." (141 pages)

National Strategy for Information Sharing and Safeguarding

White House, December 2012

Provides guidance for effective development, integration, and implementation of policies, processes, standards, and technologies to promote secure and responsible information sharing. (24 pages)

Collaborative and Cross-Cutting Approaches to Cybersecurity

White House, August 1, 2012

Michael Daniel, White House cybersecurity coordinator, highlights initiatives in which voluntary, cooperative actions helped to improve the nation's overall cybersecurity.

Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program

Executive Office of the President, December 2011

As a research and development strategy, this plan defines four strategic thrusts: (1) inducing change, (2) developing scientific foundations, (3) maximizing research impact, and (4) accelerating transition to practice. (36 pages)

FY2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

OMB, September 14, 2011

Rather than enforcing a static, three-year reauthorization process, agencies conduct ongoing authorizations of information systems by implementing continuous monitoring programs. These programs thus fulfill the three-year security reauthorization requirement, so a separate reauthorization process is not necessary. (29 pages)

Cybersecurity Legislative Proposal (Fact Sheet)

White House, May 12, 2011

The Administration's proposal ensures the protection of individuals' privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. The Administration's legislative proposal includes management, personnel, intrusion-prevention systems, and data centers.

International Strategy for Cyberspace

White House, May 2011

The strategy marks the first time any Administration has attempted to set forth in one document the U.S. government's vision for cyberspace, including goals for defense, diplomacy, and international development. (30 pages)

National Strategy for Trusted Identities in Cyberspace (NSTIC)

White House, April 15, 2011

The NSTIC aims to make online transactions more trustworthy, thereby giving businesses and consumers more confidence in conducting business online. (52 pages)

Federal Cloud Computing Strategy

White House, February 13, 2011

The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance. (43 pages)

25 Point Implementation Plan to Reform Federal Information Technology Management

White House, December 9, 2010

The plan aims to reduce the number of federally run data centers from 2,100 to approximately 1,300, rectify or cancel one-third of troubled IT projects, and require federal agencies to adopt a "cloud first" strategy in which they will move at least one system to a hosted environment within a year. (40 pages)

Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed

Government Accountability Office (GAO), October 6, 2010

Of the 24 recommendations in the President's May 2009 cyber policy review report, 2 were fully implemented and 22 were partially implemented. Although these efforts appeared to be steps forward, agencies were largely not able to provide milestones and plans that showed when and how implementation of the recommendations was to occur. (66 pages)

Comprehensive National Cybersecurity Initiative (CNCI)

White House, March 2, 2010

The CNCI establishes a multipronged approach the federal government is to take in identifying current and emerging cyber threats, shoring up current and future telecommunications and cyber vulnerabilities, and responding to or proactively addressing entities that wish to steal or manipulate protected data on secure federal systems. (5 pages)

Cyberspace Policy Review: Assuring a Trusted and Resilient Communications Infrastructure

White House, May 29, 2009

The President directed a 60-day, comprehensive, "clean-slate" review to assess U.S. policies and structures for cybersecurity. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, state governments, international partners, and the legislative and executive branches. The paper summarizes the review team's conclusions and outlines the beginning of the way forward toward a reliable, resilient, trustworthy digital infrastructure for the future. (76 pages)

Source: Highlights compiled by CRS from the White House reports.

Notes: Page counts are for documents; other cited resources are web pages. For a list of White House executive orders, see CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by [author name scrubbed].

Table 6. Cybersecurity Framework (NIST) and Information Sharing

(NIST's Feb. 12, 2014 Cybersecurity Framework, and proposals for cyberthreat information sharing among federal and private stakeholders)

Title Source Date Notes

Information Sharing and Analysis Organizations (ISAOs)

DHS, Continuously updated

Many companies have found it challenging to develop effective information sharing organizations—or Information Sharing and Analysis Organizations (ISAOs). In response, President Obama issued the 2015 Executive Order 13691 directing DHS to encourage the development of ISAOs.

ISAO Voluntary Guidelines

ISAO Standards Organization, September 2016

The ISAO SO has published initial voluntary guidelines for emerging and established ISAOs. These publications have been developed in response to presidential Executive Order 13691 to provide guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.

The NIST Cybersecurity Framework and the FTC

Federal Trade Commission, August 31, 2016

From the perspective of the staff of the FTC, NIST's Cybersecurity Framework is consistent with the process-based approach that the FTC has followed since the late 1990s, the 60+ law enforcement actions the FTC has brought to date, and the agency's educational messages to companies.... The framework and the FTC's approach are fully consistent: The types of things the framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company's data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST framework takes a similar approach to the FTC's long-standing Section 5 enforcement.

Network of 'Things'

NIST, July 28, 2016

The publication provides a basic model aimed at helping researchers better understand the Internet of Things (IoT) and its security challenges. The Network of Things (NoT) model is based on four fundamentals at the heart of IoT—sensing, computing, communication and actuation. The model's five building blocks, called "primitives," are core components of distributed systems. They provide a vocabulary to compare different NoTs that can be used to aid understanding of IoTs. (Note: This document was initially released as a draft in mid-February 2016 under a different technical publication series, NIST Interagency Report (NISTIR), as Draft NISTIR 8063, Internet of Things. After considerable review, it was decided that when the draft became approved as final, it would be placed into the Special Publication 800-series as SP 800-183, Network of 'Things'. So this final Special Publication replaces the draft NISTIR 8063.) (30 pages)

Revision of OMB Circular No. A-130, "Managing Information as a Strategic Resource"

OMB, July 28, 2016

OMB has revised Circular A-130, "Managing Information as a Strategic Resource," to reflect changes in law and advances in technology. The circular establishes general policy for information governance, acquisitions, records management, open data, workforce, security, and privacy. It also emphasizes the role of both privacy and security in the federal information life cycle. When implemented by agencies, these revisions to the circular will promote innovation, enable appropriate information sharing, and foster the wide-scale and rapid adoption of new technologies while strengthening protections for security and privacy.

Cybersecurity Framework Feedback: What We Heard and Next Steps

NIST, June 9, 2016

NIST is developing a minor update of its Cybersecurity Framework based on feedback from its users. A draft of the update will be published for comment in early 2017. The rich body of stakeholder feedback called for other actions that NIST will undertake: publish a governance process that outlines the process of framework maintenance and evolution and defines the role of stakeholders and how they will continue to work together in the future; remain as convener of framework stakeholders; and continue framework outreach and focus on international, small and medium-sized businesses and regulators. (10 pages)

Information Sharing and Analysis Organization

DHS, May 11, 2016

"This Notice announces a request for public comment on draft products produced by the Information Sharing and Analysis Organization (ISAO) Standards Organization (SO) in partnership with the six established ISAO SO Standards Working Groups (SWG). This is the first iteration of draft products that will be used in the development of voluntary standards for Information Sharing and Analysis Organizations (ISAOs) as they relate to E.O. 13691." (2 pages)

NPPD Seeks Comments on Cyber Incident Data Repository White Papers

DHS National Protection and Programs Directorate (NPPD), March 28, 2016

NPPD is seeking public comment on three white papers prepared by NPPD staff. Links to the white papers are posted on the cybersecurity insurance section of DHS.gov. Comments will assist NPPD to further refine the content of the white papers to address the critical need for information sharing as a means to create a more robust cybersecurity insurance marketplace and improve enterprise cyber hygiene practices across the public and private sectors. (2 pages)

Multistakeholder Process To Promote Collaboration on Vulnerability Research Disclosure

NTIA, March 28, 2016

NTIA convened a meeting of a multistakeholder process concerning the collaboration between security researchers and software and system developers and owners to address security vulnerability disclosure. Stakeholders engaged in an open, transparent, consensus-driven process to develop voluntary principles guiding the collaboration between vendors and researchers about vulnerability information. (1 page)

Cybersecurity Information Sharing Act of 2015 Interim Guidance Documents - Notice of Availability

NPPD, February 18, 2016

DHS announced the availability of Cybersecurity Information Sharing Act of 2015 Interim Guidance Documents jointly issued with the Department of Justice (DOJ) in compliance with the act (CISA), which authorizes the voluntary sharing and receiving of cyber threat indicators and defensive measures for cybersecurity purposes, consistent with certain protections, including privacy and civil liberty protections. The CISA guidance documents may be found on http://www.us-cert.gov/ais. (1 page)

NIST Seeking Comments on the Framework for Improving Critical Infrastructure Cybersecurity

National Institute of Standards and Technology (NIST), December 11, 2015

NIST requested information about the variety of ways in which the Framework for Improving Critical Infrastructure Cybersecurity is being used to improve cybersecurity risk management, how best practices using the framework are shared, the relative value of different parts of the framework, the possible need for a framework update, and options for long-term governance of the Framework. (3 pages)

Notice of Public Meeting Regarding Standards for Information Sharing and Analysis Organizations

DHS, October 26, 2015

In accordance with EO 13691, DHS has entered into a cooperative agreement with a non-governmental ISAO Standards Organization led by the University of Texas at San Antonio with support from the Logistics Management Institute (LMI) and the Retail Cyber Intelligence Sharing Center (R-CISC). The notice announces the ISAO Standards Organization's initial public meeting on November 9, 2015, to discuss Standards for the development of ISAOs. (2 pages)

Standards for Information Sharing and Analysis Organizations (ISAO)

DHS, May 26, 2015

DHS posted a cooperative agreement funding notice for the outfit that will set standards for ISAOs. The grant will be worth up to $11 million over five years. The notice rules out Mitre as a possible bidder, because it excludes federally funded research and development centers and laboratories. However, FFRDCs can be hired by the standards organization for specific projects.

Cybersecurity Risk Management and Best Practices (WG4): Cybersecurity Framework for the Communications Sector

Federal Communications Commission (FCC), March 18, 2015

The CSRIC is a federal advisory committee that provides recommendations to the FCC regarding best practices and actions the commission can take to help ensure security, reliability, and interoperability of communications systems and infrastructure. The CSRIC approved a report that identifies best practices, provides a variety of important tools and resources for communications companies of different sizes and types to manage cybersecurity risks, and recommends a path forward. (418 pages)

Update on the Cybersecurity Framework

NIST, December 5, 2014

In a status update, NIST said there was widespread agreement among stakeholders that it was too early to update the framework. NIST will consider producing additional guidance for using the framework, including how to apply the little-understood four-tiered system for gauging organizational cybersecurity program sophistication. In general, information and training materials that advance framework use, including illustrative examples, were to be an immediate priority for NIST. (8 pages)

Energy Sector Cybersecurity Framework Implementation Guidance - Draft For Public Comment and Comment Submission Form

Department of Energy (DOE) Office of Electricity Delivery and Energy Reliability, September 12, 2014

Energy companies need not choose between the NIST cybersecurity framework and the DOE's Cybersecurity Capability Maturity Model (C2M2). The NIST framework tells organizations to grade themselves on a four-tier scale based on their overall cybersecurity program sophistication. C2M2 instructs users to assess cybersecurity control implementation across 10 domains of cybersecurity practices, such as situational awareness, according to the users' specific "maturity indicator level."

Guidelines for Smart Grid Cybersecurity, Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements

NIST September 2014

The three-volume report presents an analytical framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of smart grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of smart grid stakeholders—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information in the report as guidance for assessing risk and identifying and applying appropriate security requirements. The approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization's cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify. (668 pages)

How Do We Know What Information Sharing Is Really Worth? Exploring Methodologies to Measure the Value of Information Sharing and Fusion Efforts

RAND Corporation June 2014

Given resource constraints, there are concerns about the effectiveness of information-sharing and fusion activities and, therefore, their value relative to the public funds invested in them. Solid methods for evaluating these efforts are lacking, however, limiting the ability to make informed policy decisions. Drawing on a substantial literature review and synthesis, the report lays out the challenges of evaluating information-sharing efforts that frequently seek to achieve multiple goals simultaneously; reviews past evaluations of information-sharing programs; and lays out a path to improving the evaluation of such efforts. (33 pages)

Sharing Cyberthreat Information Under 18 USC § 2702(a)(3)

Department of Justice (DOJ) May 9, 2014

DOJ issued guidance for Internet service providers to assuage legal concerns about information sharing. The white paper interprets the Stored Communications Act, which prohibits providers from voluntarily disclosing customer information to governmental entities. The paper says that the law does not prohibit companies from divulging data in the aggregate, without any specific details about identifiable customers. (7 pages)

Antitrust Policy Statement on Sharing of Cybersecurity Information

DOJ and Federal Trade Commission (FTC)

April 10, 2014

Information-sharing about cyber threats can be done lawfully as long as companies are not discussing competitive information such as pricing, the Justice Department and Federal Trade Commission said in a joint statement. "Companies have told us that concerns about antitrust liability have been a barrier to being able to openly share cyber threat information," said Deputy Attorney General James Cole. "Antitrust concerns should not get in the way of sharing cybersecurity information." (9 pages)

Framework for Improving Critical Infrastructure Cybersecurity

NIST February 12, 2014

The voluntary framework consists of cybersecurity standards that can be customized to various sectors and adapted by both large and small organizations. DHS announced the Critical Infrastructure Cyber Community (C3)—or "C-cubed"—voluntary program. The C3 program gives state and local governments and companies that provide critical services, such as cell phones, email, banking, and energy, direct access to DHS cybersecurity experts who have knowledge about specific threats, ways to counter those threats, and how, over the long term, to design and build systems that are less vulnerable to cyber threats. (41 pages)


Update on the Development of the Cybersecurity Framework

NIST January 15, 2014

From the document, "While stakeholders have said they see the value of guidance relating to privacy, many comments stated a concern that the methodology did not reflect consensus private sector practices and therefore might limit use of the Framework. Many commenters also stated their belief that privacy considerations should be fully integrated into the Framework Core." (3 pages)

Cybersecurity Framework

NIST October 22, 2013

NIST sought comments on the preliminary version of the Cybersecurity Framework. Executive Order 13636 directed NIST to work with stakeholders to develop such a framework to reduce cyber risks to critical infrastructure. (47 pages)

Discussion Draft of the Preliminary Cybersecurity Framework

NIST August 28, 2013

The framework provides a common language and mechanism for organizations to (1) describe current cybersecurity posture; (2) describe their target state for cybersecurity; (3) identify and prioritize opportunities for improvement within the context of risk management; (4) assess progress toward the target state; and (5) foster communications among internal and external stakeholders. (36 pages)

Cyber Security Task Force: Public-Private Information Sharing

Bipartisan Policy Center July 2012

Outlines a series of proposals to enhance information sharing. The recommendations have two major components: (1) mitigating perceived legal impediments to information sharing, and (2) incentivizing private-sector information sharing by alleviating statutory and regulatory obstacles. (24 pages)

Annual Report to Congress 2012: National Security Through Responsible Information Sharing

Information Sharing Environment

June 30, 2012

The report states, "This Report, which PM-ISE is submitting on behalf of the President, incorporates input from our mission partners and uses their initiatives and PM-ISE's management activities to provide a cohesive narrative on the state and progress of terrorism-related responsible information sharing, including its impact on our collective ability to secure the nation and our national interests." (188 pages)

NICE Cybersecurity Workforce Framework

National Initiative for Cybersecurity Education (NICE)

November 21, 2011

The federal government's adoption and implementation of cloud computing depend upon a variety of technical and nontechnical factors. A fundamental reference point, based on the NIST definition of cloud computing, is needed to describe an overall framework that can be used government-wide. The document presents the NIST Cloud Computing Reference Architecture and Taxonomy that will accurately communicate the components and offerings of cloud computing. (35 pages)

Improving our Nation's Cybersecurity through the Public-Private Partnership: A White Paper

Business Software Alliance, Center for Democracy and Technology, U.S. Chamber of Commerce, Internet Security Alliance, and Tech America

March 8, 2011

The paper proposes expanding the existing partnership within the framework of the National Infrastructure Protection Plan. Specifically, it makes a series of recommendations that build upon the conclusions of President Obama's Cyberspace Policy Review. (26 pages)

Efforts to Improve Information Sharing Need to Be Strengthened

Government Accountability Office (GAO)

August 27, 2003

Information on threats, methods, and techniques of terrorists is not routinely shared, and the information that is shared is not perceived as timely, accurate, or relevant. (59 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are documents; other cited resources are web pages.

Table 7. Department of Homeland Security (DHS)

(reports and audits)

Title Source Date Notes

Office of Cybersecurity and Communications (CS&C)

DHS Continuously Updated

CS&C works to prevent or minimize disruptions to critical information infrastructure to protect the public, the economy, and government services, and leads efforts to protect the federal ".gov" domain of civilian government networks and to collaborate with the private sector—the ".com" domain—to increase the security of critical networks.

Continuous Diagnostic and Mitigation Program

DHS Continuously Updated

An initiative to deploy continuous monitoring at U.S. federal government agencies will be done in phases, with the initial rollout occurring over three years. The initial phase is aimed at getting federal civilian agencies to employ continuous diagnostic tools to improve vulnerability management, enforce strong compliance settings, manage hardware and software assets, and establish white-listing of approved services and applications.

Critical Infrastructure Protection: Improvements Needed for DHS's Chemical Facility Whistleblower Report Process

Government Accountability Office (GAO)

July 12, 2016

The Chemical Facility Anti-Terrorism Standards (CFATS) Act of 2014 required DHS to establish a whistleblower process. Employees and contractors at hundreds of thousands of U.S. facilities with hazardous chemicals can play an important role in helping to ensure CFATS compliance by submitting a whistleblower report when they suspect noncompliance. This report addresses (1) the number and types of CFATS whistleblower reports DHS received, and any actions DHS took as a result, and (2) the extent to which DHS has implemented and followed a process to address the whistleblower reports, including reports of retaliation against whistleblowers. (49 pages)


Cybersecurity Information Sharing Act of 2015 Final Guidance Documents-Notice of Availability

DHS June 15, 2016

DHS is announcing the availability of Cybersecurity Information Sharing Act of 2015 (CISA) Final Guidance Documents jointly issued with the Department of Justice (DOJ) in compliance with the act, which authorizes the voluntary sharing and receiving of cyber threat indicators and defensive measures for cybersecurity purposes, consistent with certain protections, including privacy and civil liberty protections. The CISA-mandated final procedures and guidance, as well as an updated version of the non-federal entity sharing guidance, may be found at www.us-cert.gov/ais. (2 pages)

DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System

GAO January 28, 2016

DHS's National Cybersecurity Protection System (NCPS) is partially meeting its stated system objectives…. Federal agencies have adopted NCPS to varying degrees. The 23 agencies required to implement the intrusion detection capabilities had routed some traffic to NCPS intrusion detection sensors. However, only 5 of the 23 agencies were receiving intrusion prevention services, but DHS was working to overcome policy and implementation challenges. Further, agencies have not taken all the technical steps needed to implement the system, such as ensuring that all network traffic is being routed through NCPS sensors. This occurred in part because DHS has not provided network routing guidance to agencies. As a result, DHS has limited assurance regarding the effectiveness of the system. (61 pages)

DHS Can Strengthen Its Cyber Mission Coordination Efforts

Department of Homeland Security (DHS), OIG

September 15, 2015

DHS still struggles to coordinate its cyber-response activities and lacks an automated information-sharing tool to share cyberthreat data among components within the department—let alone between government and the private sector, which the Obama Administration and some lawmakers have been pressing for. In addition, the IG found scattershot training for cybersecurity professionals in the department, with some analysts paying for their own training courses to keep their skills fresh. (36 pages)

IT Security Suffers from Noncompliance

DHS Office of Inspector General (OIG)

December 22, 2014

DHS has made progress in improving its information security program, but noncompliance by several DHS component agencies is undermining that effort. The OIG raised concerns over a lack of compliance by these components and urged DHS leadership to strengthen its oversight and enforcement of existing security policies. (2 pages)

Health Insurance Marketplaces Generally Protected Personally Identifiable Information but Could Improve Certain Information Security Controls

Department of Homeland Security (DHS), OIG

September 22, 2014

The websites and databases in some state health insurance exchanges are still vulnerable to attack, putting personally identifiable information at risk. The report examined the websites and databases of the federal insurance exchange, as well as the state exchanges for Kentucky and New Mexico.

Implementation Status of the Enhanced Cybersecurity Services Program

DHS OIG July 2014

The National Protection Programs Directorate (NPPD) has made progress in expanding the Enhanced Cybersecurity Services program. As of May 2014, 40 critical infrastructure entities were participating in the program and 22 companies had signed memorandums of agreement to join the program. Although progress has been made, the program has been slow to expand because of limited outreach and resources. In addition, cyber threat information sharing relies on NPPD's manual reviews and analysis, which has led to inconsistent cyber threat indicator quality. (23 pages)

The Critical Infrastructure Cyber Community C³ Voluntary Program

Department of Homeland Security (DHS)

February 12, 2014

The C³ Voluntary Program serves as a point of contact and a customer relationship manager to assist organizations with using the Cybersecurity Framework and guide interested organizations and sectors to DHS and other public and private-sector resources to support use of the framework.

ITI Recommendations to the Department of Homeland Security Regarding its Work Developing a Voluntary Program Under Executive Order 13636, "Improving Critical Infrastructure Cybersecurity"

Information Technology Industry Council (ITI)

February 11, 2014

ITI released a set of recommendations eyeing further improvement of the framework, changes that call for DHS to "de-emphasize the current focus on incentives." Partly, ITI recognizes the cyber order can produce change even in an environment in which fiscal constraints and congressional inaction stall carrots for adoption, but ITI and others "do not want incentives if they come at the cost of compliance-based programs." (3 pages)

Evaluation of DHS' Information Security Program for Fiscal Year 2013

DHS OIG November 2013

The report reiterates that the agency uses outdated security controls and Internet connections that are not verified as trustworthy and that the agency does not review its top-secret information systems for vulnerabilities. (50 pages)

DHS' Efforts to Coordinate the Activities of Federal Cyber Operations Center

DHS OIG October 2013

DHS could do a better job sharing information among the five federal centers that coordinate cybersecurity work. The department's National Cybersecurity and Communications Integration Center (NCCIC) is tasked with sharing information about malicious activities on government networks with cybersecurity offices within DOD, the Federal Bureau of Investigation (FBI), and federal intelligence agencies. But the DHS center and the five federal cybersecurity hubs all have different technology and resources, preventing them from sharing intrusions, threats, or awareness information and restricting their ability to coordinate responses. The centers also have not created a standard set of categories for reporting incidents. (29 pages)

DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts

GAO September 17, 2013

Within DHS, o at a key cybersecurity component is vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate (NPPD) officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances and low pay in comparison with the private sector. (47 pages)

DHS Can Take Actions to Address Its Additional Cybersecurity Responsibilities

DHS June 2013

The National Protection and Programs Directorate (NPPD) was audited to determine whether the Office of Cybersecurity and Communications had effectively implemented its additional cybersecurity responsibilities to improve the security posture of the federal government. Although it has made some progress, NPPD can make further improvements to address its additional cybersecurity responsibilities. (26 pages)

Privacy Impact Assessment for EINSTEIN 3 Accelerated (E3A)

DHS April 19, 2013

DHS deployed EINSTEIN 3 Accelerated (E3A) to enhance cybersecurity analysis, situational awareness, and security response. Under DHS's direction, Internet service providers will administer intrusion prevention and threat-based decisionmaking on network traffic entering and leaving participating federal civilian executive branch agency networks. This Privacy Impact Assessment (PIA) was being conducted because E3A will include analysis of federal network traffic, which may contain personally identifiable information. (27 pages)

Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts

GAO April 11, 2013

Until DHS and its sector partners develop appropriate outcome-oriented metrics, it will be difficult to gauge the effectiveness of efforts to protect the nation's core and access communications networks and the Internet's critical support components from cyber incidents. Although no cyber incidents affecting the nation's core and access networks have been reported, communications networks operators can use reporting mechanisms established by the Federal Communications Commission and DHS to share information on outages and incidents. (45 pages)

Federal Support for and Involvement in State and Local Fusion Centers

U.S. Senate Permanent Subcommittee on Investigations

October 3, 2012

A two-year bipartisan investigation found that DHS efforts to engage state and local intelligence "fusion centers" have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, "Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts," Part G, "Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts," the report discusses the Russian "cyberattack" in Illinois. (141 pages)


CyberSkills Task Force Report

DHS October 2012

DHS's task force on CyberSkills proposes far-reaching improvements to enable the department to recruit and retain the cybersecurity talent it needs. (41 pages)

DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened

GAO September 23, 2010

DHS has not developed an effective way to ensure that critical national infrastructure, such as electrical grids and telecommunications networks, can bounce back from a disaster. DHS conducted surveys and vulnerability assessments of critical infrastructure to identify gaps but has not developed a way to measure whether owners and operators of that infrastructure adopt measures to reduce risks. (46 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are documents; other cited resources are web pages.

Table 8. Department of Defense (DOD)

(reports by and audits of)

Title Source Date Notes

Defense Industrial Base (DIB) Cybersecurity and Information Assurance (CS/IA) Program

DOD Continuously Updated

DOD established the Defense Industrial Base (DIB) Cybersecurity and Information Assurance (CS/IA) Program to enhance and supplement DIB participants' capabilities to safeguard DOD information that resides on or transits DIB unclassified networks or information systems. The public-private cybersecurity partnership is designed to improve DIB network defenses, reduce damage to critical programs, and increase DOD and DIB cyber situational awareness. Under the DIB CS/IA Program, DOD and DIB participants share unclassified and classified cyber threat information.

Program Protection and System Security Engineering Initiative

DOD Systems Engineering

Continuously Updated

DOD systems have become increasingly networked, software-intensive, and dependent on a complicated global supply chain, which has increased the importance of security as a systems engineering design consideration. In response to this new reality, DOD has established Program Protection/System Security Engineering as a key discipline to protect technology, components, and information from compromise through the cost-effective application of countermeasures to mitigate risks posed by threats and vulnerabilities. The analysis, decisions, and plans of acquisition programs are documented in a Program Protection Plan, which is updated prior to every milestone decision.

DOD's Defense Industrial Base Cybersecurity Activities

DOD October 4, 2016

This final rule responds to public comments and updates DOD's Defense Industrial Base (DIB) Cybersecurity (CS) Activities. This rule implements mandatory cyber incident reporting requirements for DOD contractors and subcontractors who have agreements with DOD. In addition, the rule modifies eligibility criteria to permit greater participation in the voluntary DIB CS information sharing program. (6 pages)

What is NORAD's Role in Military Cyber Attack Warning?

Homeland Security Affairs

May 2016

The essay traces NORAD's warning mission history, discusses the basic concepts involved with cyberattacks, identifies key U.S. and Canadian military cyber organizations, and examines significant U.S. and Canadian cyberspace government policies. It then proposes three potential new courses of action for NORAD, identifying advantages, disadvantages, and proposed solutions to implementation. (24 pages)

DOD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities during Cyber Incidents, Report to Congressional Committees

GAO April 4, 2016

This report assesses the extent to which DOD has developed guidance that clearly defines the roles and responsibilities for providing support to civil authorities in response to a cyber incident. GAO reviewed DOD DSCA guidance, policies, and plans; and met with relevant DOD, National Guard Bureau, and Department of Homeland Security officials. (31 pages)

Department of Defense Provides Government Contractors Grace Period for Compliance with Key Cybersecurity Requirements

National Law Review January 4, 2016

The Pentagon is giving military contractors an 18-month extension to comply with certain cybersecurity requirements in the Defense Federal Acquisition Regulation Supplement (DFARS). The decision to allow contractors a grace period was made following public comments in December 2015.

National Guard Set to Activate Additional Cyber Units

U.S. Army December 9, 2015

The National Guard announced plans to activate 13 additional cyber units spread throughout 23 states by the end of FY2019. Seven new Army Guard cyber protection teams, or CPTs, will be activated across Alabama, Arkansas, Colorado, Illinois, Kentucky, Louisiana, Minnesota, Mississippi, Missouri, Nebraska, New Jersey, New York, North Dakota, South Dakota, Tennessee, Texas, Utah, and Wisconsin. They join four previously announced Army Guard CPTs spread across California, Georgia, Indiana, Maryland, Michigan, and Ohio.

Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities

DOD Chief Information Officer

October 2, 2015

DOD is revising its DoD-DIB Cybersecurity (CS) Activities regulation to mandate reporting of cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor's ability to provide operationally critical support, and modify eligibility criteria to permit greater participation in the voluntary DoD-DIB CS information sharing program. (8 pages)

Cyber Security DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued From August 1, 2014, Through July 31, 2015

DOD Office of Inspector General (OIG)

September 25, 2015

In the span of one year, the Pentagon addressed fewer than half of the recommendations to shore up cyber vulnerabilities identified by its OIG. The Defense Department addressed 93 of 229 cyber recommendations made by the OIG between August 1, 2014 and July 31, 2015, according to a summary of a new audit released by the IG's office. DOD left the majority of recommendations—136—unresolved.

Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services

DOD August 26, 2015

DOD is issuing an interim rule amending DFARS to implement a section of the National Defense Authorization Act for Fiscal Year 2013 and a section of the National Defense Authorization Act for Fiscal Year 2015, both of which require contractor reporting on network penetrations. Additionally, this rule implements DOD's policy on the purchase of cloud computing services. (10 pages)

Insider Threats: DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems

Government Accountability Office (GAO)

June 2, 2015

DOD components have identified technical and policy changes to help protect classified information and systems from future insider threats, but DOD is not consistently collecting this information to support management and oversight responsibilities. DOD has not identified a program office to oversee the insider-threat program. Without an office dedicated to oversight of insider-threat programs, DOD may not be able to ensure the collection of all needed information and could face challenges in establishing goals and in recommending resources and improvements to address insider threats. This is an unclassified version of a classified report GAO issued in April 2015. (55 pages)

The DOD Cyber Strategy

DOD April 17, 2015

Deterrence is a key part of the new cyber strategy, which describes the department's contributions to a broader national set of capabilities to deter adversaries from conducting cyberattacks. The strategy sets five strategic goals and establishes specific objectives for DOD to achieve over the next five years and beyond. (42 pages)

Cyber Insurance: Managing Cyber Risk

Institute for Defense Analyses

April 2015

The paper provides an overview of the components of cyber insurance, discusses the role of the government, and examines specific implications to the Defense Department. (14 pages)

Excepted Service (DOD)

Office of Personnel Management (OPM)

March 5, 2015

DOD is given authority to make permanent, time-limited, and temporary appointments not to exceed 3,000 positions that require unique cybersecurity skills and knowledge to perform cyber risk and strategic analysis, incident handling and malware/vulnerability analysis, program management, distributed control systems security, cyber incident response, cyber exercise facilitation and management, cyber vulnerability detection and assessment, network and systems engineering, enterprise architecture, investigative analysis, and cyber-related infrastructure inter-dependency analysis. (3 pages)

DOT&E FY2014 Annual Report

DOD Office of the Director, Operational Test and Evaluation (OT&E)

January 2015

A series of live fire tests of the military's computer networks security in 2015 found many combatant commands could be compromised by low-to-middling-skilled hackers and might not be able to "fight through" in the face of enemy cyberattacks. The assessment echoes previous OT&E annual assessments, which routinely found that military services and combatant commands did not have a sufficiently robust security posture or training to repel sustained cyberattacks during battle. (91 pages)

A Review of the U.S. Navy Cyber Defense Capabilities: Abbreviated Version of a Classified Report

National Research Council (NRC)

January 2015

The NRC appointed an expert committee to review the U.S. Navy's cyber defense capabilities. The Department of the Navy determined that the committee's final report is classified in its entirety under Executive Order 13526 and therefore cannot be made available to the public. A Review of U.S. Navy Cyber Defense Capabilities, the abbreviated report, provides background information on the full report and the committee that prepared it. (13 pages)

Training Cyber Warriors: What Can Be Learned from Defense Language Training?

RAND Corporation January 2015

The study examines what the military services and national security agencies have done to train linguist personnel with skills in critical languages other than English and the kinds of language training provided to build and maintain this segment of the workforce. The study draws from published documents, research literature, and interviews of experts in both language and cyber. (97 pages)

DOD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process

DOD OIG December 4, 2014

Report states that the DOD chief information officer "did not develop an implementation plan that assigned roles and responsibilities as well as associated tasks, resources and milestones," despite promises that an implementation plan would directly follow the cloud strategy's release. (40 pages)

Cyber Mission Analysis: Mission Analysis for Cyber Operations of Department of Defense

National Guard August 21, 2014

The results of this analysis reflect DOD's current view of its requirements for successful conduct of cyberspace operations, leveraging a Total Force solution. DOD assesses there can be advantages to using reserve component (RC) resources for Cyber Mission Force (CMF) missions, such as providing load sharing with active duty forces, providing available surge capacity if authorized to activate, and maintaining DOD-trained forces to defend national critical infrastructure. (45 pages)

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation and Appendix E: State-of-the-Art Resources (SOAR) Matrix (Excel spreadsheet)

Institute for Defense Analyses Report P-5061

July 2014

The paper assists DOD program managers and their staffs in making effective software assurance and software supply chain risk management decisions. It describes some key gaps identified in the course of the study, including difficulties in finding unknown malicious code, obtaining quantitative data, analyzing binaries without debug symbols, and obtaining assurance of development tools. Additional challenges were found in the mobile environment. (234 pages)

Military andSecurityDevelopmentsInvolving thePeople'sRepublic ofChina 2013(Annual Reportto Congress)

DOD May 6, 2013

China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense-industrial base sectors that support U.S. national defense programs. The information targeted could potentially be used to benefit China's defense industry, high-technology industries, policy-maker interest in U.S. leadership thinking on key China issues, and military planners building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis. (92 pages)

FY2012 Annual Report

DOD January 2013

The annual report to Congress by J. Michael Gilmore, director of Operational Test and Evaluation, assesses the operational effectiveness of systems being developed for combat. See Information Assurance (I/A) and Interoperability (IOP) chapter, pages 305-312, for information on network exploitation and compromise exercises. (372 pages)

Resilient Military Systems and the Advanced Cyber Threat

Department of Defense (DOD) Science Board

January 2013

The report states that, despite numerous Pentagon actions to parry sophisticated attacks by other countries, efforts are "fragmented" and DOD "is not prepared to defend against this threat." The report lays out a scenario in which cyberattacks in conjunction with conventional warfare damaged the ability of U.S. forces to respond, creating confusion on the battlefield and weakening traditional defenses. (146 pages)

Crisis and Escalation in Cyberspace

RAND Corporation December 2012

The report considers how the Air Force should integrate kinetic and nonkinetic operations. Central to this process was careful consideration of how escalation options and risks should be treated, which, in turn, demanded a broader consideration across the entire crisis-management spectrum. Such crises can be managed by taking steps to reduce the incentives for other states to step into crisis, controlling the narrative, understanding the stability parameters of the crises, and trying to manage escalation if conflicts arise from crises. (200 pages)

Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight

GAO July 9, 2012

DOD's oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective department-wide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources. (46 pages)

Cloud Computing Strategy

DOD, Chief Information Officer

July 2012

The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state, which is an agile, secure, and cost-effective service environment that can rapidly respond to changing mission needs. (44 pages)

DOD Information Security Program: Overview, Classification, and Declassification

DOD February 24, 2012

Describes the DOD Information Security Program and provides guidance for classification and declassification of DOD information that requires protection in the interest of national security. (84 pages)

Cyber Sentries: Preparing Defenders to Win in a Contested Domain

Air War College February 7, 2012

The paper examines the current impediments to effective cybersecurity workforce preparation and offers new concepts to create "Cyber Sentries" through realistic training, network authorities tied to certification, and ethical training. These actions present an opportunity to significantly enhance workforce quality and allow DOD to operate effectively in the contested cyber domain in accordance with the vision established in its Strategy for Cyberspace Operations. (38 pages)

Anomaly Detection at Multiple Scales (ADAMS)

Defense Advanced Research Projects Agency (DARPA)

November 9, 2011

The report describes a system for preventing leaks by seeding believable disinformation in military information systems to help identify individuals attempting to access and disseminate classified information. (74 pages)

Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates

GAO July 29, 2011

The letter discusses DOD's cyber and information assurance budget for FY2012 and future years' defense spending. The review's objectives were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department and (2) identify the challenges DOD has faced in providing such estimates. (33 pages)

Legal Reviews of Weapons and Cyber Capabilities

Secretary of the Air Force July 27, 2011

Report concludes the Air Force must subject cyber capabilities to legal review for compliance with the Law of Armed Conflict and other international and domestic laws. The Air Force judge advocate general must ensure that all cyber capabilities "being developed, bought, built, modified, or otherwise acquired by the Air Force" undergo legal review—except for cyber capabilities within a Special Access Program, which must undergo review by the Air Force general counsel. (7 pages)

Department of Defense Strategy for Operating in Cyberspace

DOD July 2011

An unclassified summary of DOD's cybersecurity strategy. (19 pages)

Defending a New Domain

Foreign Affairs

September/October 2010

In 2008, DOD suffered a significant compromise of its classified military computer networks when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East. The previously classified incident was the most significant breach of U.S. military computers ever and served as an important wake-up call.

Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems

GAO September 15, 2010

OMB and NIST established policies and guidance for civilian non-national security systems, and other organizations, including the Committee on National Security Systems (CNSS), DOD, and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO assessed the progress of federal efforts to harmonize policies and guidance for these two types of systems. (38 pages)

Computer Attacks at Department of Defense Pose Increasing Risk

GAO May 1996

Defense Information Systems Agency (DISA) estimates indicate that DOD may have been attacked as many as 250,000 times in 1995. However, the exact number is not known because, according to DISA, only about 1 in 150 attacks is actually detected and reported. In addition, in testing its systems, DISA attacks and successfully penetrates DOD systems 65% of the time. (48 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are documents; other cited resources are web pages.

Table 9. National Institute of Standards and Technology (NIST)

(includes selected NIST standards, guidance, Special Publications (SP), and grants)

Title Date Notes

Computer Security Division, Computer Security Resource Center

Continuously Updated

Compilation of laws, regulations, and directives from 2000 to 2007 that govern the creation and implementation of federal information security practices. These laws and regulations provide an infrastructure for overseeing implementation of required practices and charge NIST with developing and issuing standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act (FISMA) of 2002 and in managing cost-effective programs to protect their information and information systems.

NIST Announces the release of 3 DRAFT NISTIRs (NIST Internal Reports)

October 4, 2016

(1) Draft NISTIR 8151, Dramatically Reducing Software Vulnerabilities: Report to the White House Office of Science and Technology Policy;

(2) Draft NISTIR 8149, Developing Trust Frameworks to Support Identity Federations; and,

(3) Draft NISTIR 8138, Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities.

Assessing Threats to Mobile Devices & Infrastructure: The Mobile Threat Catalogue

September 2016

NIST's "mobile threat catalogue" sketches out parts of a mobile device strategy that need special attention, including securing physical access to smartphones and tablets, as well as authenticating who is using the device with passwords, fingerprints or voice recognition. "[M]obile device components are under constant development and are sourced from tens of thousands of original equipment manufacturers." Firmware could contain its own vulnerabilities, and "can increase the overall attack surface of the mobile device." (50 pages)

Cybersecurity Risk Assessment Tool (Baldrige Cybersecurity Excellence Builder)

September 2016

The Baldrige Cybersecurity Excellence Builder is intended to help organizations ensure that their cybersecurity systems and processes support the enterprises' larger organizational activities and functions. The tool "is not a one-size-fits-all approach. It is adaptable and scalable to your organization's needs, goals, capabilities, and environment. It does not prescribe how you should structure your organization's cybersecurity policies and operations. Through interrelated sets of open-ended questions, it encourages you to use the approaches that best fit your organization." (35 pages)

DRAFT NIST Special Publication 800-63B Digital Authentication Guideline

August 3, 2016

In an update to its Digital Authentication Guidelines, NIST calls for phasing out two-factor authentication via SMS messaging, saying that the method does not offer adequate security. The guidance applies to government service providers.

Network of 'Things'

July 28, 2016

The publication provides a basic model aimed at helping researchers better understand the Internet of Things (IoT) and its security challenges. The Network of Things (NoT) model is based on four fundamentals at the heart of IoT—sensing, computing, communication and actuation. The model's five building blocks, called primitives, are core components of distributed systems. They provide a vocabulary to compare different NoTs that can be used to aid understanding of IoTs. (30 pages)

NIST 'RAMPS' Up Cybersecurity Education and Workforce Development With New Grants

May 12, 2016

NIST is offering up to $1 million in grants to establish up to eight Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development. Applicants must be nonprofit organizations, including institutions of higher education, located in the United States or its territories. Applicants must also demonstrate through letters of interest that at least one of each of the following types of organizations is interested in being part of the proposed regional alliance: K-12 school or Local Education Agency (LEA), institution of higher education or college/university system, and a local employer.

NIST seeking comments on the Framework for Improving Critical Infrastructure Cybersecurity

December 11, 2015

In this Request for Information (RFI), NIST requests information about the variety of ways in which the Framework is being used to improve cybersecurity risk management, how best practices for using the Framework are being shared, the relative value of different parts of the Framework, the possible need for an update of the Framework, and options for the long-term governance of the Framework. (3 pages)

Pilot Projects to Improve Cybersecurity, Reduce Online Theft

September 21, 2015

NIST is awarding $3.7 million to support three pilot programs that aim to make online transactions for health care, government services, transportation, and the Internet of Things (IoT) more secure and private. This is the fourth round of grants given to support the NSTIC effort, which was launched in 2011 by the Obama Administration to encourage secure, efficient, easy-to-use, and interoperable identity credentials for online use.

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (SP 800-171)

June 2015

SP 800-171 is a final draft of security controls for federal contractors to follow when handling a class of data known as "controlled unclassified information." The document will become a formal requirement for government contractors in 2016 through an anticipated update to federal acquisition regulations. Controlled unclassified information is an umbrella term for a wide range of data that includes personally identifiable information, financial transactions, and geospatial images. (76 pages)

Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (SP 800-53A, rev. 4)

December 12, 2014

The publication provides organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate, which will contribute to systems that are more resilient in the face of cyberattacks and other threats. This "Build It Right" strategy is coupled with a variety of security controls for continuous monitoring to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions. (487 pages)

NIST/NCCoE Establishment of a Federally Funded Research and Development Center

September 22, 2014

The MITRE Corporation was awarded NIST's cybersecurity Federally Funded Research and Development Center (FFRDC) contract worth up to $5 billion over five years. MITRE already operates six individual FFRDCs for agencies including the DOD and the Federal Aviation Administration (FAA). It is also active in cybersecurity, managing the Common Vulnerabilities and Exposures database, which catalogues software security flaws. In addition, it developed specifications for the Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) under DHS contract.

Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems

May 13, 2014

NIST launched a four-stage process to develop detailed guidelines for "systems security engineering," adapting a set of widely used international standards for systems and software engineering to the specific needs of security engineering. The agency released the first set of those guidelines for public comment in a draft document. (121 pages)

Memorandum of Understanding (MOU)

December 2, 2010

The MOU, signed by NIST, DHS, and the Financial Services Sector Coordinating Council, formalized the parties' intent to expedite the coordinated development and availability of collaborative research, development, and testing activities for cybersecurity technologies and processes based upon the financial services sector's needs. (4 pages)

Source: Highlights compiled by CRS from the reports.

Note: Page counts are documents; other cited resources are web pages.

Author Contact Information

[author name scrubbed], Senior Research Librarian ([email address scrubbed], [phone number scrubbed])