
3040 Williams Drive, Suite 500, Fairfax, VA 22031

www.actgov.org ● (p) 703.208.4800 ● (f) 703.208.4805

ACT-IAC: Advancing Government Through Collaboration, Education and Action

Strengthening Federal Cybersecurity:

Results of the Cyber Innovation Ideation Initiative

December 2015


BACKGROUND

By all accounts, cybersecurity is a great concern across the federal government. Recent events, such as the OPM data breach, underscore the need to reinforce cyber fundamentals and introduce new, innovative ways to promote cyber resilience in an ever-changing threat ecosystem. OMB and the Federal CIO have issued new cyber guidance designed to improve the security posture across agencies, immediately and over time.

To help government address today’s cybersecurity challenges with real and practical solutions, the American Council for Technology and Industry Advisory Council (ACT-IAC) initiated a “Community Cybersecurity Innovation Initiative” that collected perspectives and recommendations from industry, government and academia that could significantly enhance cybersecurity posture across Federal agencies. The initiative solicited a broad array of ideas that address technical, policy, legal, operational, managerial, acquisition, funding and research and development issues, each of which points to opportunities for bolstering Federal cybersecurity. ACT-IAC did not solicit or accept information on specific products or services.

ACT-IAC asked those contributing ideas to pay special attention to underutilized or new approaches that have real potential to improve the government’s operational cybersecurity on a day-to-day basis – new and plausible action steps that can bear near-term positive impact. Nearly 200 ideas were submitted during the span of two months. ACT-IAC also cross-walked similar ideas contained in reports from other associations, including ITAPS (the Information Technology Alliance for the Public Sector) and ISACA (formerly the Information Systems Audit and Control Association) as well as other reports on cyber acquisition and human capital needs.

Based on this information, we are providing this report to OMB’s Federal Chief Information Officer and the Federal CIO Council. The report showcases major ideas received through this initiative as well as key themes permeating across multiple challenge topic areas. The report is also publicly available online at https://www.actiac.org/sites/default/files/cybersecurity-innovation.pdf.


ACT-IAC: ADVANCING GOVERNMENT THROUGH COLLABORATION, EDUCATION AND ACTION

The American Council for Technology-Industry Advisory Council (ACT-IAC) is a 501(c)(3) non-profit, public-private partnership established to improve government through the effective, efficient and innovative use of technologies. ACT-IAC provides an objective, trusted, and vendor-neutral forum where government and industry executives work together to improve the delivery of services to the public and the operations of government. Membership in ACT-IAC is open to all government employees, private companies and educational institutions that share the organization’s commitment to collaboration and better government. For additional information about ACT-IAC, visit the website at www.actiac.org.

Disclaimer

This document is the result of a collaborative process that included a wide diversity of perspectives. The views expressed in this document do not necessarily represent the official views of the individuals and organizations that participated in its development. Every effort has been made to present accurate and reliable information in this report. However, ACT-IAC assumes no responsibility for consequences resulting from the use of the information herein.

Copyright

©American Council for Technology, 2015. This document may not be quoted, reproduced and/or distributed unless credit is given to the American Council for Technology-Industry Advisory Council.

Further Information

For further information, contact the American Council for Technology-Industry Advisory Council at (703) 208-4800 or www.actiac.org.


12/14/2015

Tony Scott

Federal Chief Information Officer (CIO) and Chair, Federal CIO Council

The Office of Management and Budget

725 17th Street NW

Washington, DC 20503

Dear Mr. Scott:

Subject: Improving Cybersecurity Through Innovation

I have the honor of submitting to you the attached report “Strengthening Federal Cybersecurity: Results of the Cyber Innovation Ideation Initiative”, which has benefited greatly from ongoing discussions with you and your staff. As you are aware, we developed this report from ideas provided by government and industry members of ACT-IAC as well as submissions from non-members.

We hope that you and the members of the Federal CIO Council find the report and the ideas it contains useful in framing sound cybersecurity policies and processes for the government. We plan to post a copy of the report on our public web site in a couple of weeks. We have received several expressions of interest in continuing this effort beyond the report and inquiries about “what happens next?”. We would like to meet with you and your staff if possible to answer questions, get feedback on the report, and discuss opportunities for ACT-IAC to continue to help address this important topic in the future.

KENNETH B. ALLEN

Executive Director

American Council for Technology-Industry Advisory Council


TABLE OF CONTENTS

Page

Executive Summary 1

Project Overview 5

Chapter 1: Addressing Cybersecurity Fundamentals 6

Chapter 2: Business Initiated Vulnerabilities 11

Chapter 3: Breach-to-Response Acceleration 14

Chapter 4: Adopting a Threat Aware Proactive Defense 17

Chapter 5: Sharing of Threat Intelligence 22

Chapter 6: Solving the Cyber Talent Search 25

Chapter 7: Executive Leadership-led Risk Management 30

Chapter 8: Building Effective Security into Acquisitions 33

Conclusions and Next Steps 40

Appendix 1: Authors/Contributors 41


EXECUTIVE SUMMARY

Information technology (IT) is an integral part of life for millions of Americans, and IT permeates nearly every aspect of our society, economy, and national security. New technologies provide radical improvements in efficiency, productivity and analytical capabilities. However, every technology has both inherent value and inherent risks; sound cybersecurity can help address the risks associated with the business or mission use of IT. Despite decades of law and policy requiring government to improve its security and privacy, many Federal agencies still struggle to defend themselves effectively against a torrent of cybersecurity vulnerabilities and threats. The cyber risk ecosystem grows more complex and turbulent every day. Agencies have reported millions of attempts to penetrate their networks, and multiple major data breaches have resulted in the theft of billions of dollars in intellectual property and millions of personal identities. Until actions are taken that counter these kinds of threats systematically across the government, agencies risk losing the public confidence and trust in on-line activity that is key to delivering citizen and business services more efficiently through technology.

Given the importance of cybersecurity to achieving Federal missions, and the breadth and depth of knowledge about potential cyber solutions that exists in both the private and public sectors, ACT-IAC developed an innovation management platform to catalogue promising practices for improving government cybersecurity. The ACT-IAC “Community Cybersecurity Innovation Initiative” report identifies constructive pathways that agencies could adopt to strengthen their cybersecurity programs. The report is based upon 127 individual submissions, many of which contained multiple ideas, made via the collaborative on-line platform and addressing eight topical challenge areas:

1. Addressing Cybersecurity Fundamentals
2. Business Initiated Vulnerabilities
3. Breach-to-Response Acceleration
4. Adopting a Threat Aware Proactive Defense
5. Sharing of Threat Intelligence
6. Solving the Cyber Talent Search
7. Executive Leadership-led Risk Management
8. Building Effective Security into Acquisitions

Similar issues emerged within several of the categories; this illustrates both the integrated and complex nature of cybersecurity. We discovered five key themes cutting across the eight topical challenge areas created for our cybersecurity innovation ideation exercise:

1. Much of what is required, expected or even possible in cybersecurity management is known to cybersecurity professionals, but not fully or properly implemented across the government. As such, many of the ideas submitted across the different challenge areas reinforce existing requirements and approaches that still work (e.g. cyber governance and accountability, basic risk management approaches, and fundamental security hygiene).

2. Cybersecurity professionals and agency business executives need to communicate with each other more directly and diligently about the connection between cybersecurity and mission success.

3. As agencies increase attention on executive-level risk management, including the introduction of Chief Risk Officers and Chief Data Officers, these executives would benefit from greater interactions and engagement with Chief Information Officers and Chief Information Security Officers for cybersecurity approaches to be effective.

4. Cybersecurity-related training in government is largely deficient. Greater emphasis is needed on competencies, practice sessions and drills, and shared cyber knowledge management.

5. Enhanced and timely operational information sharing (threats, incidents, and solutions/responses) between industry and government is essential to future cybersecurity improvements and overall threat detection, response, and prevention success.

Key themes also emerged in each of the individual challenge areas that are summarized below by report chapter topic.

Addressing Cybersecurity Fundamentals

Too often, agencies lack clear responsibility and accountability for cybersecurity from the highest to the lowest levels of every agency. Cybersecurity needs to be part of everyone’s job every day; once-a-year training is not sufficient to sustain the necessary vigilance. Leaders of effective cybersecurity programs have accurate, continuously maintained inventories of their IT assets and their security controls. They understand and communicate risks to the agencies’ programs in nontechnical, mission-centric terms. And they rely on accurate assessments to make risk-based decisions.

Business Initiated Vulnerabilities

The press of business and lack of awareness of potential cyber vulnerabilities and threats can drive agency managers to implement technologies in ways that open greater risks. Increasing awareness, improving asset management and access controls across business systems, and building security into system and application development processes can reduce those risks. Giving agency business program managers greater awareness and understanding of the cyber risks in their day-to-day operations is an essential element of improving government’s cyber posture.

Breach to Response Acceleration

Cyber breaches often go undetected for months (205 days is a combined industry/government average). In some cases, agencies only learn of breaches from third parties after the fact, rather than detecting them immediately and directly. Many agencies do not have proven, effective breach response plans and procedures in place. The time from breach to detection to response needs significant improvement. In addition to signature-based techniques, detection approaches in which dedicated penetration teams mimic attackers’ tactics and look for anomalous patterns in network and web traffic are growing in importance. Software packages can also rapidly triage alerts against threat probabilities and known weaknesses in a system. While breach awareness technologies could benefit from more research and development, technology alone cannot provide a total solution. Shortening response time requires a combination of technology, threat knowledge, and the evolving skill sets of cybersecurity practitioners.


Adopting a Threat Aware Proactive Defense

Government still focuses primarily on perimeter defense and incomplete defense-in-depth strategies. By modernizing security approaches beyond the perimeter-focused “moats and walls” approach, agencies can transition to a “network of secured systems” to achieve multi-layered security and improve resilience in the face of incidents that are bound to occur even with the best defense. Ideas submitted encouraged refocusing on the right threat information, not trying to act on every small bit of low-risk data. This entails creating competency models of adversaries and their techniques, and must be followed by focused data analysis, situational awareness, meaningful metrics, and relevant business context to understand the threat and identify risk-based actions. In addition, Blue Team audits followed by Red Team operations could be performed by in-house staff or pre-qualified contractors using efficient government-wide contract services managed by the General Services Administration (GSA).

Sharing of Threat Intelligence

A good first step would be an evaluation to determine whether existing response structures and programs for information sharing are too cumbersome and slow, or are otherwise meeting the need, before creating any new ones. Broadening the use of the Cyber Threat Alliance (CTA), where security vendors share zero-day threat intelligence with each other in near-real time by updating the controls within their products without the end user customer getting involved, shows real promise. Ongoing efforts also show promise on which to build; for example, the government might endorse and expand the Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) framework so that data breach reporting is more robust and shared widely across a broad range of public and private sector users.
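As an added example (not code from the report, and not the stix2 or TAXII reference implementations), the following builds a STIX 2.1 indicator bundle of the kind a TAXII collection would serve, validates indicators on receipt, and checks local observations against their patterns. The indicator names, the domain update-check.example, the address 198.51.100.23 and the local observations are all constructed for illustration, and only the simplest STIX comparison expression is parsed.

```python
"""Minimal STIX 2.1 indicator exchange.

Added example; not code from the ACT-IAC report and not the stix2 or TAXII
reference libraries. The indicator values and local observations below are
constructed; the pattern matcher handles only the simplest STIX comparison
expression.
"""
import json
import re
import uuid
from datetime import datetime, timezone

REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")


def _timestamp():
    # STIX timestamps are RFC 3339 in UTC with a trailing Z.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(name, pattern):
    """Build a STIX 2.1 Indicator object carrying a STIX pattern."""
    ts = _timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects):
    """Wrap objects in a Bundle, the unit a TAXII collection serves."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_indicator(obj):
    """Reject objects missing required properties or carrying a malformed id,
    so a bad or hostile feed entry fails loudly instead of silently matching nothing."""
    missing = [k for k in REQUIRED if k not in obj]
    if missing:
        raise ValueError(f"indicator missing {missing}")
    if not re.fullmatch(r"indicator--[0-9a-f-]{36}", obj["id"]):
        raise ValueError(f"bad indicator id {obj['id']!r}")
    return True


# Only "[object-type:property = 'value']" is handled here; real STIX patterns
# can combine comparisons with AND/OR/FOLLOWEDBY and time windows.
_SIMPLE = re.compile(r"^\[([\w-]+):(\w+)\s*=\s*'([^']*)'\]$")


def parse_simple_pattern(pattern):
    m = _SIMPLE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    return m.group(1), m.group(2), m.group(3)


def match_bundle(bundle_json, observations):
    """Return (indicator name, observation) pairs for every local observation
    that satisfies an indicator pattern in the received bundle."""
    bundle = json.loads(bundle_json)
    hits = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        validate_indicator(obj)
        if obj["pattern_type"] != "stix":
            continue
        otype, prop, value = parse_simple_pattern(obj["pattern"])
        for obs in observations:
            if obs.get("type") == otype and str(obs.get(prop)) == value:
                hits.append((obj["name"], obs))
    return hits


# Constructed: what a sharing partner would publish.
SHARED_JSON = json.dumps(make_bundle([
    make_indicator("C2 domain from spear-phish wave",
                   "[domain-name:value = 'update-check.example']"),
    make_indicator("Beacon destination", "[ipv4-addr:value = '198.51.100.23']"),
]), indent=2)

# Constructed: DNS and flow observations from the local network.
OBSERVED = [
    {"type": "domain-name", "value": "www.example.gov"},
    {"type": "domain-name", "value": "update-check.example"},
    {"type": "ipv4-addr", "value": "203.0.113.5"},
]

if __name__ == "__main__":
    for name, obs in match_bundle(SHARED_JSON, OBSERVED):
        print(f"HIT {name}: {obs}")
```

The point of the STIX/TAXII pairing is that an indicator carries enough structure (object type, property, value, validity window) for the receiving side to act on it without re-keying by a human; the matcher is the machine-readable half of that loop. The validation step is where a consumer should be strict, since a shared feed is an input boundary like any other.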

Solving the Cyber Talent Search

Qualified cybersecurity professionals are scarce and in high demand. Attracting, developing and retaining a highly skilled cybersecurity workforce requires new approaches. Agencies need to recruit earlier and more broadly, tap nontraditional pools of expertise, provide clear career paths and professional development opportunities, and leverage available financial incentives to compete for top talent effectively in this highly competitive market. Creating an elite Cybersecurity Corps made up of industry expert volunteers or top college graduates with cybersecurity related degrees warrants consideration.

Executive Leadership-led Risk Management

Effective risk management enables organizations to make informed decisions and prioritize scarce resources to maximum effect. While most Federal agencies are aware of the concepts, many struggle to implement effective, professional risk management. Adopting a standardized risk management methodology that incorporates cybersecurity as a key element, teaching people how to use such a framework, and engaging the most senior leaders to lead implementation and accountability for results can improve the effectiveness of agency risk management programs. Implementing a framework that emphasizes risks from cyberattacks to agency missions, as opposed to general cyber risks, is essential to combat cyber threats and improve response effectiveness.


Building Effective Security into Acquisitions

Federal agencies use the acquisition process to buy a large percentage of the IT goods and services they need to support their programs from the private sector. However, Federal acquisition processes are generally slow and IT programs too often fail to deliver the technology and cybersecurity that agencies need. Re-engineering acquisition business processes to make them more adaptive and agile, adopting new service models, enhancing market incentives, and increasing the skill level of the IT acquisition workforce could help overcome these barriers and enable agencies to acquire effective technology and sound cybersecurity.

For a complete listing of the ideas submitted on-line, go to: https://www.actiac.org/sites/default/files/cybersecurity-innovation-ideas.xls


PROJECT OVERVIEW

To facilitate the collection of ideas designed to improve cybersecurity in government, ACT-IAC used an ideation approach designed to facilitate an open, public discussion of fresh approaches and techniques. Using the services of a commercial ideation platform services provider (IdeaScale), ACT-IAC created a web-site pre-populated with eight challenge topics. Once registered on the site, participants in the ideation exercise could contribute ideas, comment on other people’s ideas, and vote for those they found compelling and most useful. We received ideas across the eight challenge questions from a diverse group of industry, government, non-profits, academia, and industry associations.

A snapshot of the website appears in Figure 1 below.

Figure 1: Cybersecurity Ideation Website


CHAPTER 1 ADDRESSING CYBERSECURITY FUNDAMENTALS

Challenge/Question: How do we move from inconsistent security/privacy protection control approaches to solid fundamentals that address most basic risks faced by agencies?

Introduction

While sophisticated cybersecurity threats and threat actors need to be addressed, there is also a compelling case for practicing good cyber fundamentals as the foundation for an effective cybersecurity program. Too often, post-incident analyses have determined that longstanding, widely known vulnerabilities, with readily available solutions, were exploited. Reports over multiple years identify continuing exploitation of known (but unmitigated) vulnerabilities with known solutions as the source of the majority of cybersecurity incidents.

Despite widespread media coverage, numerous GAO and Inspectors General reports, training, and policies, procedures and guidance that could help counteract this weakness, many Federal agencies still do not have solid cybersecurity fundamentals in place. Reasons offered range from costs and resource constraints, to impeding mission programs, to user inconvenience, to technical complexity and lack of understanding. Mandates to improve cybersecurity have languished and fallen short for many years. In September 2015, GAO reported [1]:

“Persistent weaknesses at 24 federal agencies illustrate the challenges they face in effectively applying information security policies and practices. Most agencies continue to have weaknesses in (1) limiting, preventing, and detecting inappropriate access to computer resources; (2) managing the configuration of software and hardware; (3) segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation; (4) planning for continuity of operations in the event of a disaster or disruption; and (5) implementing agency-wide security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis. These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk, and can impair agencies' efforts to fully implement effective information security programs. In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented.”

A more methodical, deliberate approach to cybersecurity is needed. There is often a lack of accountability, knowledge, and awareness from an organizational and personnel perspective. At the organization level, security standards and regulations need to be more closely adhered to and compliance strengthened and audited by an independent organization, such as the Inspectors General. Departments and agencies need to have a better understanding of their IT portfolios and which of those systems hold the highest priority during a cyber-crisis. On the personnel level, better training and awareness is necessary. There is a need for increased accountability at all levels.

Recommended approaches to address these concerns include:

[1] GAO, Federal Information Security: Agencies Need to Correct Weaknesses and Fully Implement Security Programs, September 2015, http://www.gao.gov/assets/680/672801.pdf


Inventory, assess risks, and prioritize all IT and information assets.

Link vulnerabilities and threats directly to mission/business risks and impacts.

Make personnel more accountable for cybersecurity events.

Provide more frequent, in-depth cybersecurity awareness training for personnel.

Apply and enforce cyber standards such as FISMA and the NIST Cybersecurity Framework at the department/agency level.

Conduct independent cyber assessment of organizations.

Make ongoing cybersecurity less personnel-dependent and easier to implement.

The ideas submitted suggested five categories of action: People, IT Asset Prioritization, Assessments, Operations, and Legislation/Regulation. The major ideas in each category are discussed below.

People-Focused Ideas

IDEA: Take a Behavior-Based Approach

Identify and describe the current activities that need to change, e.g. leaving a device connected to a secure network unattended, writing down passwords and leaving them in public view, or visiting unauthorized websites. Identify each issue that needs to be corrected and why. Identify and document the new processes and desired behavior that will correct the issues. Identify the people and organizations responsible for maintaining the process, and the incentives and disincentives required to ensure the desired behaviors and outcomes.

IDEA: Increase Leadership Accountability

No real accountability exists today for executives in regards to cybersecurity failures. Accountability should exist in cases where known security program weaknesses, including those identified in audits and continuous monitoring, existed before an incident and executives failed to address them. Unsubstantiated risk acceptance should not be an acceptable excuse for failing to address security gaps.

IDEA: Make Cybersecurity Everyone’s Responsibility

The biggest cybersecurity threat is people, whether intentional or unintentional. Cybersecurity should become a core aspect of organizational culture to encourage broader awareness and understanding for what security initiatives are striving to achieve. To address this issue:

a. Heads of departments/agencies should emphasize importance of security.

b. Individuals should be held accountable for security.

c. Cybersecurity training should be more frequent.

d. Well documented policies should be provided, with consistent enforcement.

IDEA: Increase Continuous Awareness

Use a “Cyber Tip of the Day” to systematically improve knowledge and awareness. Establish “white hat” teams that test employees through phishing and spear-phishing intrusion testing. Change enterprise email policy to allow only plain text, reducing unintentional click-through threats (plain text removes hidden link targets, tracking images and active content, but URLs in the message body remain clickable in most mail clients, so this lowers rather than eliminates the risk). Similar to the “Cyber Tip of the Day” concept, establish a “Cybersecurity Blunder of the Day” program.

IT Asset Prioritization Ideas

IDEA: Strengthen Governance and Accountability

Implement an outcome-focused governance framework that covers all aspects of the enterprise, resulting in effective direction setting, decision-making, oversight, transparency, and accountability. The framework should optimize governance processes by reducing or eliminating review steps that do not add value, improving security management effectiveness. Escalate security from merely an IT concern to a business risk concern, giving security decision-making and implementation the independence it needs. Provide for the escalation of risk-based decisions through senior leadership if critical security recommendations are rejected by owners of business lines or applications, ensuring critical security decisions are not made in isolation. Adopt approaches that emphasize cross-organizational collaboration, transparency, accountability, and integration, reducing costs, minimizing operational risks, and driving continuous improvement. Align the investments of network and security entities that often buy overlapping technology in isolation from each other, so that approaches are coordinated and consistent across an organization.

IDEA: Strengthen Cybersecurity Investment Management Practices

Institute a Cyber Investment Management Board to engage senior management and align resources with the highest-priority assets and the greatest risks and impacts. Prioritize funding through budget alignment and accountability, using a publicly accessible scorecard.

IDEA: Strengthen Risk Management

Specific actions include (1) determining the criticality of systems and data and prioritizing accordingly to achieve an effective, risk-based approach to protecting systems; (2) keeping systems on the most up-to-date or secure versions and mitigating the risk posed by systems that cannot be immediately updated; (3) evolving beyond the “moats and walls”, “secure network of systems” approach to a “network of secured systems” to achieve security in depth and improved resilience; (4) using industry-accepted approaches, standards, and lexicon to allow for improved, consistent understanding and communication about security, both across the organization and with vendors.

In addition, the actions above must be supported by critical tasks that include:

1. Producing an accurate IT asset inventory

2. Analyzing risk based on business impact of critical assets

3. Prioritizing risks and addressing them in accordance with that prioritization (not everything at once)

4. Implementing security intelligence based on predictive cyber threat analytics

5. Implementing a continuous cyber improvement plan


Assessment-Focused Ideas

IDEA: Change to Independent Assessments

Create a cyber-assessment standard with independent assessment of agencies by an assessment board composed of government and industry experts rather than relying on current self-assessment practices.

IDEA: Use a Security Self-Audit Checklist

Employ a self-audit checklist to regularly assess security capabilities. Leverage the self-audit capability of the SEC as guidance for other agencies. [2]

IDEA: Transform Audits into Real-time Situational Awareness

Rethink the notion of an audit from something that happens periodically to something that can be analyzed continuously, at will, in real time. Use big data tools and automated analytical processes to defend networks and provide real-time threat intelligence and patch management. This level of visibility opens the opportunity for much improved analytics (big data for security, as distinct from traditional Security Information and Event Management) to visualize and investigate unusual activity over extended periods, at different locations and/or missions. Being able to collect details about known attempts and successes, quickly identify and remediate malicious activity, and understand where else the same activity is present would provide superior attribution and improve intelligence. This would make security measurable in near real time.

Operations Focused Idea

IDEA: Improving Detection, Remediation, and Investigation Capabilities

Cyber attackers’ techniques, skills and tools have evolved faster than the cyber defenders’. Incident response teams must use tools and practices that enable them to respond more quickly across distributed networks, distributed clouds, and operating system platforms. Organizations at every level remain highly vulnerable to cyberattacks and are struggling to implement even basic protections. To address this, security engineering, data architecture and operations teams need to focus on shrinking organizations’ attack surfaces, especially in ways that prevent an intrusion from spreading from its initial entry point to more valuable assets. The key is to be able to issue critical security patches rapidly throughout the entire network and enforce ongoing security hygiene at scale, so that the status of every connected device is known and available at all times. Organizations need to adequately resource threat intelligence activities and vulnerability analyses, and automate incident detection, investigation, and remediation rather than relying on unreliable, slow manual processes. They need to gather data and conduct breach investigations in minutes or seconds, remediate intrusions, and maintain desired security configurations to ensure a high level of cybersecurity readiness.
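The critical tasks listed under Strengthen Risk Management (an accurate IT asset inventory, risk analysis by business impact, prioritized remediation) and the operations point above about knowing the status of every connected device come down to one reconciliation loop: compare what is actually on the network with what the inventory says, and rank the gaps by mission impact. The following is an added example, not code from the report or from any agency or vendor tool; the inventory, the scan output, the host names and the scoring weights are constructed for illustration.

```python
"""Asset reconciliation and risk-ranked remediation queue.

Added example; not code from the ACT-IAC report. INVENTORY, SCAN and the
scoring weights are constructed for illustration.
"""
from dataclasses import dataclass

# What the agency believes is on the network (constructed CMDB extract).
# criticality: business impact 1 (low) .. 5 (mission critical)
# exposure: "internet" (reachable from outside) or "internal"
INVENTORY = {
    "web-01":  {"owner": "benefits-portal", "criticality": 5, "exposure": "internet"},
    "db-01":   {"owner": "benefits-portal", "criticality": 5, "exposure": "internal"},
    "hr-app":  {"owner": "hr",              "criticality": 3, "exposure": "internal"},
    "kiosk-7": {"owner": "facilities",      "criticality": 1, "exposure": "internal"},
}

# What a discovery/vulnerability scan actually found (constructed output).
# baseline: the patch baseline the host reports, None if it reports nothing
# findings: (description, severity 0-10 in the CVSS style)
SCAN = [
    {"host": "web-01",  "baseline": "2015-11", "findings": [("weak TLS configuration", 7.5)]},
    {"host": "db-01",   "baseline": "2015-06", "findings": [("unpatched DBMS", 9.8)]},
    {"host": "hr-app",  "baseline": "2015-11", "findings": []},
    {"host": "lab-box", "baseline": None,      "findings": [("default credentials", 9.0)]},
]
CURRENT_BASELINE = "2015-11"   # patch level every managed host should be at
BASELINE_GAP_SEVERITY = 5.0    # assumed weight for "behind on patches" as such


@dataclass
class Action:
    host: str
    reason: str
    score: float
    owner: str = "UNKNOWN"


def reconcile(inventory, scan, baseline=CURRENT_BASELINE):
    """Compare scan results with the inventory.

    Returns (unknown_hosts, unseen_hosts, actions) where actions is the
    remediation queue sorted highest risk first. Score is
    criticality * exposure_weight * severity, so the same finding on an
    internet-facing mission system outranks it on an internal kiosk.
    """
    seen = {s["host"] for s in scan}
    unknown = sorted(seen - set(inventory))   # on the wire, not in the books
    unseen = sorted(set(inventory) - seen)    # in the books, not on the wire
    actions = []
    for s in scan:
        meta = inventory.get(s["host"])
        if meta is None:
            # Nobody owns it, so it cannot be risk-rated; it goes straight to the top.
            actions.append(Action(s["host"], "not in inventory", 100.0))
            continue
        weight = 2.0 if meta["exposure"] == "internet" else 1.0
        if s["baseline"] != baseline:
            actions.append(Action(s["host"], f"behind patch baseline ({s['baseline']})",
                                  meta["criticality"] * weight * BASELINE_GAP_SEVERITY,
                                  meta["owner"]))
        for desc, sev in s["findings"]:
            actions.append(Action(s["host"], desc, meta["criticality"] * weight * sev,
                                  meta["owner"]))
    actions.sort(key=lambda a: a.score, reverse=True)
    return unknown, unseen, actions


def inventory_coverage(inventory, scan):
    """Fraction of inventoried hosts the scan could actually see, one of the
    measurable hygiene numbers the report asks for."""
    seen = {s["host"] for s in scan}
    return len(seen & set(inventory)) / len(inventory)


if __name__ == "__main__":
    unknown, unseen, queue = reconcile(INVENTORY, SCAN)
    print("unknown devices:", unknown)
    print("inventoried but not seen:", unseen)
    print(f"inventory coverage: {inventory_coverage(INVENTORY, SCAN):.0%}")
    for a in queue:
        print(f"{a.score:6.1f}  {a.host:8}  {a.owner:16}  {a.reason}")
```

Two design choices matter here. A device that is on the network but absent from the inventory is placed at the top regardless of what the scanner found, because until it has an owner nobody will fix it; and an inventoried device the scan could not reach counts against the coverage metric rather than being silently treated as healthy.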

Legislation/Regulation-Focused Ideas

IDEA: Strengthen Encryption Standards

The AES-256 standard is easily breached. There is need for earnest effort towards a stronger cybersecurity encryption standard by industry and government.

IDEA: Hold Agencies Accountable to NIST Cybersecurity Framework

Hold agencies accountable to NIST Cybersecurity Framework by implementing metrics for the Framework and assessing agency capabilities by independent evaluation.

CHAPTER 2

BUSINESS INITIATED VULNERABILITIES

Challenge/Question: How can agencies sharpen focus on vulnerabilities created by (or exposed by) uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber?

Introduction

Government business program managers are under continuous pressure to deliver new and better products and services to their customers and stakeholders. They face high expectations, resource and time constraints, and pressure to adopt commercially available technology that is familiar to their customers. Many program managers readily admit they are not experts in information technology or cybersecurity, but they have to acquire new technologies anyway to meet those needs. They often have sufficient resources and autonomy to acquire technologies outside of formal investment management processes, which are criticized as slow, bureaucratic, and unresponsive to programs’ and customers’ needs. These actions can introduce vulnerabilities into agencies’ IT systems that increase their risks of being attacked and having their systems compromised. This section focuses on ways to increase the awareness of these vulnerabilities and their consequences and improve the way government programs manage those vulnerabilities to reduce their risks.

The ideas submitted that appeared to have the most promise focused on reinforcing existing management practices and applying a quantitative approach to highlighting business initiated vulnerabilities. They are grouped into three categories – increasing risk awareness and improving decision making, implementing asset management and access controls, and building security into system development lifecycles.

Ideas to Increase Risk Awareness and Improve Decision Making

IDEA: Cybersecurity needs to be escalated from being treated as an IT concern to a business risk concern

Cybersecurity decisions should involve senior leaders of an organization to enable informed risk and security based decision-making and implementation. Incorporating a risk-based approach at the executive level through the governance process enables realignment of authorities, responsibilities and accountability. This includes instituting a risk-based, analytical approach using quantifiable risk measures so mission business projects, investments, and systems are properly vetted, using realistic “what-if” scenarios to provide insight into potential risks and impacts resulting from vulnerabilities.

IDEA: Agencies should provide broad-based education to improve awareness of the risks of business-initiated vulnerabilities

Cybersecurity and risks should be described in business-oriented terms to ensure business owners’ understanding of the impact of decisions.

IDEA: Make a data-driven, threat visualization dashboard available to business owners

Simple, intuitive dashboards can help inform and educate them, and sustain awareness of the scope of threats in today’s environment.

IDEA: Hold personnel at all levels accountable for complying with security policies

Agency managers and staff must fulfill their assigned cybersecurity roles and responsibilities. This can be strengthened by adding accountability to job descriptions, personnel evaluations, and service contracts with appropriate incentives and disincentives.

Ideas to Implement Asset Management and Access Controls

IDEA: Achieving and maintaining a thorough, accurate inventory of information and technology assets

Departments and agencies that actively manage access to their critical assets can improve visibility and management of vulnerabilities. A well-defined business environment should include understanding where critical data are located and the risk involved with that data, and controlling access based on area of responsibility or job function. Organizations need to carefully adopt technologies that are capable of accurately producing a complete inventory and audit of every IT asset at any scale very quickly. This agility through speed at scale is important in order to effectively monitor and rapidly respond to unforeseen business-initiated vulnerabilities, which can come in virtually any form at any time. Achieving these capabilities could involve significant time and cost depending on the existing situation in any specific case.

IDEA: Implementing new or reinforcing existing access controls

In addition to the controls, there is merit in emphasizing existing audit functions and processes – all of which can further reduce vulnerabilities. Users should be granted access to information (particularly sensitive information), using attributes for roles and attributes associated with data, to limit access to data they “need to know”. Strong authentication and identity management practices (such as Personal Identity Verification cards) are foundational for successful access controls. External entities should be treated as higher-risk by default.

Ideas to Build Security Into the System Development Lifecycle

IDEA: Cybersecurity should be explicitly integrated into the entire system development life cycle

Building in cybersecurity elements early can enable developers to build more secure software, address security compliance requirements, and potentially reduce total costs.

IDEA: Integrate and use existing guidance and best practices from NIST and other sources into the system development lifecycle

Regardless of whether waterfall or agile methodologies are used, doing so can establish consistent, predictable processes and requirements. This can help developers learn, plan in advance, and successfully execute practices that produce more secure solutions more reliably and more often. Since agile methods focus on rapidly creating features that satisfy customers’ direct needs, and security is a customer need, it’s important that it not be overlooked. Moreover, system development would be greatly improved by using tested and secure baselines in a Platform as a Service-like approach where secured and approved baselines are pulled from trusted sources and reused. Starting from a secure platform reduces the burden on system developers, reduces the authorization process workload, and also simplifies the work needed to maintain secure systems.

IDEA: A government-wide security maven program would help tear down the existing "expertise" and "contractual" barriers between security, development, and the business side

Walmart reported achieving a 92% reduction in security defects by creating a "Security Maven" role to drive security best practices into their software development teams that greatly outnumbered their security teams. Development teams are likely to be interested in a maven program because the adoption of continuous integration and DevOps is driving automated regression testing that is creating much wider appreciation of reliability as a means for deploying features faster.

CHAPTER 3

BREACH-TO-RESPONSE ACCELERATION

Challenge/Question: How can agencies effectively address current time lags with detection of and response to vulnerabilities and threats that will significantly compress breach-to-detection-to-response times? Please include ideas on how government agencies can expand capabilities beyond reacting to known threats through programs like Einstein, to identify new threats and zero-day exploits in near real-time.

Introduction

Breach-to-response times are growing as adversaries increase the sophistication used to gain and maintain access to critical Government systems, contributing to the theft of sensitive data. There are multiple reports of breaches going undetected for months and of agencies only finding out from third parties afterward that they had been breached rather than detecting the breaches themselves. Agencies must shorten response times using a combination of cybersecurity technology and skills. There are two complementary approaches to detecting intrusions, knowledge-based approaches and behavior-based approaches (see https://www.sans.org/security-resources/idfaq/behavior_based.php). Most tools rely upon knowledge-based approaches and internal IT staffs to look at and manually respond to all of the alerts. The knowledge-based approaches’ weakness is that they rely on the known “signatures” of the attacks, and they generate so many alerts that Network or Security staffs may turn the “Security Alerts” to “Normal” to avoid looking at them. The behavior-based approaches mimic hackers by collecting data and saving them in a database. A program then reads this data and analyzes it against the probabilities database for possible weaknesses in the system. Many commercial tools are using machine learning to find allowed behavior that is actually bad. Agencies must plan for success. Shortening response time requires a combination of technology, threat knowledge, and the evolving skill sets of cybersecurity practitioners. Lag time exists because organizations are unable to effectively integrate practitioner skills, threat knowledge, and technology. Although agencies are in possession of effective tools (e.g., Einstein and Continuous Diagnostics and Mitigation) that collect indicators and signatures of malicious traffic, many cybersecurity professionals lack the requisite skills to understand the cyber threat environment and employ the tools to successfully ensure agency cyber resiliency in the face of rapidly evolving threats. Numerous published research studies have concluded that this growing problem is attributable to insufficient training, threat understanding, and a lack of fundamental knowledge essential to effectively use these tools. Reaction time can only be reduced if cybersecurity professionals hone their skills by training and exercising in a range environment where skill-based training and performance-based assessment can provide them with the requisite skills to rapidly employ their defensive cyber tools against an evolving threat. This training would significantly enhance organizational incident response preparedness. A variety of ideas were offered to speed time from breach to response.

Ideas Related to Breach-to-Response Acceleration

IDEA: Tools and techniques must be ready and team members must be well trained and practiced before effective response efforts can be made when there are computer incidents

The training should be realistic and incorporate exercises and drills that simulate incidents where organizational play/run books are utilized. Also, agency policies, procedures, and guidelines for response need to be in place. Personnel responsible for implementing those policies, procedures and guidelines should regularly practice them in realistic environments and scenarios to improve their preparedness to respond effectively to real incidents.

IDEA: Top management from all business units and external parties (e.g., managed service providers) should be required to participate in incident response exercises

This fosters better communication between security operations and management.

IDEA: Properly identify the incident

Is the event simply an unusual but benign activity, or can it be identified as suspicious and requiring further analysis and/or corrective countermeasures? If so, what are the surrounding activities?

• Respond to contain the incident and its effects.
• Recover and remove/quarantine the issue as soon as it is realistically possible.
• Return the infected system to operational use as soon as feasible.
• Follow up with responders for improvements to the processes as documented in the play/run books.

IDEA: Expand research into methods for immediate breach awareness the moment they occur

Technology is available that can identify intrusion attempts at the source. Many private companies offer excellent cyber products and managed services to reduce the risk of successful cyber-attack. OPM and others had been breached long before there was a discovery of intrusion. Much remains to be accomplished toward protection of key assets by creating mechanisms for immediate intrusion detection and perpetrator identification. It is bad enough when breaches happen; it is even worse when they are not detected for long periods of time.

IDEA: All agency employees should be educated and trained on general incident response planning concepts and any related responsibilities

This should include how to notify response organizations, the information to report, and other relevant activities. Employees are a great source of tips on abnormal events.

IDEA: All incidents, exercises, and general activities offer opportunities to learn and improve planning

Observation and evaluation should be key components of any incident response structure, including the planning cycle. All personnel should be provided the opportunity to provide feedback on plans, training, and exercises. Share these lessons learned with peer agencies.

IDEA: Exercise evaluation activities should be managed independently of the response organization, as there is a potential conflict of interest if the reviewing entity resides within or is subordinate to the operational entity

To illustrate, US-CERT should not self-evaluate participation in exercises like Cyber-Storm. Instead, independent evaluation personnel with the appropriate expertise, like those available from the Federal Emergency Management Agency (FEMA) National Exercise Division, should be used.

IDEA: After-action reports should be accompanied by improvement plans that clearly identify the responsible implementer of improvement actions

A clearly defined action plan should be put into place that tracks status of implementation. As evaluation programs mature and organizational planning processes increasingly integrate disciplines and functions (e.g., response, development, operations, business units, etc.), evaluation and learning should take place on a continual, parallel basis with regular opportunities to improve processes and protocols, rather than as a step or phase in a process or sequence.

IDEA: Both Einstein and Continuous Diagnostics and Mitigation tools should use behavior-based approaches that take advantage of computer systems to analyze events rather than relying on human analysis

It is faster for computers to analyze than a network engineer or security engineer. The security engineer builds the logic for the system (unless the vendor can provide that), including provisions for the preventive or corrective actions. When such a behavior-based system sends alerts, the probability that a cyber-incident is occurring is high, meaning actions should be taken in near real-time to halt the cyber event. Management needs to provide direction and focus limited 24/7/365 resources against risk-prioritized threats. Security metrics can help to capture the effectiveness of the security team. There are a lot of advantages to using behavior-based approaches as long as your probabilities logic/database is frequently updated to adapt to our adversaries’ most recent methods. The system keeps the same information as the hackers would while casing the target systems/networks. The data collected will be analyzed before the hackers can do their own analysis, and the organization can plan to prevent the attack or collect the evidence for prosecution.

CHAPTER 4

ADOPTING A THREAT-AWARE PROACTIVE DEFENSE

Challenge/Question: How should the government expand beyond its emphasis on perimeter defense and even defense-in-depth, and instead put more relative resources toward combining actionable threat intelligence with robust response and resiliency strategies and architectures that account for the adversary’s point of view?

Introduction

Today, governments are in constant contact with the enemy - and the form of conflict has changed. The expansion of the Internet globally is being accompanied by an explosion of cyber threats. Nation-state adversaries, terrorists, and criminals exploit our weakly secured technology. The United States principally relies on technology for a competitive advantage across the globe. Now, thanks to the Internet and cyberspace, malevolent cyber actors erode that advantage by routinely and consistently targeting American industries and critical infrastructure (CI) sectors with rising success. Despite this elevated threat environment, the government is still fixated on perimeter defense and shallow defense-in-depth strategies. The problem centers on an enterprise security architecture that is designed to protect the entire network with equal priority and risk, thus thinly spreading network defense resources. Consequently, agencies often fail to focus on effectively protecting data and tracking data exfiltrations. By being proactive, government agencies can significantly reduce the risk posed by threats and reap economic benefits by avoiding or minimizing the real and opportunity costs that security inaction creates. Improvements to threat awareness and measures to put a more proactive cyber defense posture in place cannot all be done overnight. A more plausible approach would be to segment improvement activities into impact timeframes. For example, quick wins (impact or results seen in 1-3 months) could include activities such as having reinforcements and alternative plans ready for implementation when attacks are recognized or using audits and penetration tests to find low- to mid-level cyber weaknesses. Mid-term wins (impact or results achievable in 3-12 months) could include activities such as taking concrete steps to create a more priority-focused defense grounded in risks associated with key assets. Longer-term wins (impact or results in 12+ months) could be activities such as enhancing awareness and shared incident/response reporting jointly across government and industry. Responses to this challenge focus in four areas: prioritizing cyber defense, providing in-depth defense for high-priority assets, notification, and thinking deeply about exploiting and attacking cyber threats.

Ideas Pertaining to Priority-Focused Cyber-Defense

A priority-focused cyber defense starts with defining the “core” of what must be protected and subsequently preparing pre-emptive action requirements. Once inside a system, successful intruders often make lateral movements to and from less defended assets, which can be thwarted by architecting and engineering greater data separation. Mission impact models are built for each system that show all the assets the function depends on (e.g., what servers, databases, routers, computers, users). Competency models of adversaries are also created, including information on the techniques and skills they use to be successful. Technology research into capabilities used to identify intrusions becomes paramount. Risky behavior across the organization that creates risks is defined and targeted.

IDEA: Focus on the right threat information, not everything

Create competency models of adversaries and the techniques they use. Then focus data analysis, situational awareness, meaningful metrics, and relevant business context to understand the threat and identify the risk-based actions to take.

IDEA: Ensure existing vulnerabilities and risks are identified and remediated immediately

US-CERT, vendors, vulnerability and penetration scans, incidents, and US Gov’t Cyber Board, etc. may be sources. In addition, escalate open residual risks (vulnerabilities, open Plans of Action and Milestones, etc.) to the highest levels (Department/Agency head, OMB, Cyber Board, etc.) for prioritization and risk acceptance as appropriate.

IDEA: Tailor defenses and shape network flows to what is needed, making it harder for an adversary to be successful.

It is important to create a threat-aware proactive defense based on an understanding of the Cyber Key Terrain (C-KT) to manage the risks to each line of business or agency function. Applying the C-KT concepts can help identify the most important lines of business, functions, and information assets to help prioritize protections. All information assets need to be locatable on network maps for an effective cyber-protection strategy (e.g., risk mitigation strategy) to be developed. Actions can be planned from an assessment based on a RISK = Criticality*Vulnerability*Recoverability*Threat analysis, e.g., limiting access to certain types of users over limited protocols, locking down certain databases, applying encryption, or creating subnets on networks to protect key assets. Create special monitoring for deviation from the required flow that creates priority alerts.

Ideas Pertaining to In-depth Defense for Higher Priority Assets

Content-centric security and digital rights management techniques with pre-set boundaries are becoming increasingly important. An adaptive security system can be used to manage and secure all points of engagement, e.g., Human->Apps->Devices->Network->APIs, to prevent, detect and respond to threats. This supports a strong defense-in-depth strategy with security for all layers.

IDEA: Adopt content-centric security of data using digital rights management techniques to protect data at the source and track exfiltration of data that depart from pre-set boundaries

Keep data encrypted when possible. Take advantage of metadata.

IDEA: Determine criticality, sensitivity, and vulnerability of systems and data, and prioritize accordingly to achieve an effective, risk-based approach to protecting systems

For example, using current NIST directives and controls, immediately conduct an independent operational risk assessment of all U.S. government infrastructure, applications, and data to determine highest risk across the government and subsequently prioritize and appropriately resource remediation with specific completion dates, and track to expedite closure.
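The risk-based prioritization described in this idea and in the “Tailor defenses and shape network flows” idea above, worked through as an added example (not code from the ACT-IAC report or any agency tool): each key asset is scored with the report’s RISK = Criticality*Vulnerability*Recoverability*Threat formula, and constructed flow records are checked against each asset’s required flows so that deviations raise alerts prioritized by that score. Asset names, factor values, zone names and flow records are all constructed for illustration.

```python
"""Risk-scored monitoring of deviations from required network flows.

Added example, not code from the ACT-IAC report or any agency tool. It applies
the report's RISK = Criticality * Vulnerability * Recoverability * Threat
scoring to a few key assets, then checks constructed flow records against each
asset's required (allowed) flows; any deviation becomes an alert whose priority
follows the asset's risk score. Assets, scores, zones and flows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    # A key asset from the Cyber Key Terrain assessment, with 1-5 factor scores.
    # Recoverability is scored so that 5 means "hardest to recover", so every
    # factor increases RISK as it grows.
    name: str
    criticality: int
    vulnerability: int
    recoverability: int
    threat: int
    # Required flows that may reach this asset: (source_zone, protocol, dst_port).
    required_flows: frozenset

    def risk(self) -> int:
        # The report's formula: RISK = Criticality * Vulnerability * Recoverability * Threat
        return self.criticality * self.vulnerability * self.recoverability * self.threat


def priority(risk_score: int) -> str:
    """Map a RISK score (1..625 with 1-5 factors) to an alert priority.

    The cut-offs are constructed for this example; an agency would set its own.
    """
    if risk_score >= 250:
        return "P1"
    if risk_score >= 100:
        return "P2"
    if risk_score >= 30:
        return "P3"
    return "P4"


def rank_assets(assets):
    """Order assets for remediation and resourcing, highest RISK first."""
    return sorted(assets, key=lambda a: a.risk(), reverse=True)


def check_flows(assets, flows):
    """Return one alert per flow that is not among the destination asset's required flows.

    Flows to hosts that are not key assets are ignored: this monitor is scoped to
    the prioritized core rather than the whole network. Alerts are ordered by the
    asset's RISK so the highest-priority items come first.
    """
    by_name = {a.name: a for a in assets}
    alerts = []
    for flow in flows:
        asset = by_name.get(flow["dst"])
        if asset is None:
            continue
        observed = (flow["src_zone"], flow["proto"], flow["dport"])
        if observed not in asset.required_flows:
            alerts.append({"asset": asset.name, "risk": asset.risk(),
                           "priority": priority(asset.risk()),
                           "deviation": observed, "src": flow["src"]})
    alerts.sort(key=lambda a: a["risk"], reverse=True)
    return alerts


# Constructed key assets and their required flows.
SAMPLE_ASSETS = [
    Asset("pii-db", 5, 4, 5, 4, frozenset({("app-tier", "tcp", 5432), ("dba-jump", "tcp", 22)})),
    Asset("web-portal", 3, 3, 2, 4, frozenset({("internet", "tcp", 443)})),
    Asset("intranet-wiki", 2, 2, 1, 2, frozenset({("corp-lan", "tcp", 443)})),
]

# Constructed flow records, as a flow collector might summarize them.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "src_zone": "app-tier", "proto": "tcp", "dport": 5432, "dst": "pii-db"},
    {"src": "10.9.8.7", "src_zone": "corp-lan", "proto": "tcp", "dport": 5432, "dst": "pii-db"},
    {"src": "203.0.113.5", "src_zone": "internet", "proto": "tcp", "dport": 443, "dst": "web-portal"},
    {"src": "203.0.113.9", "src_zone": "internet", "proto": "tcp", "dport": 22, "dst": "web-portal"},
    {"src": "10.5.5.5", "src_zone": "corp-lan", "proto": "tcp", "dport": 443, "dst": "intranet-wiki"},
    {"src": "10.5.5.6", "src_zone": "corp-lan", "proto": "tcp", "dport": 445, "dst": "fileshare"},
    {"src": "198.51.100.2", "src_zone": "internet", "proto": "tcp", "dport": 445, "dst": "intranet-wiki"},
]


def run_example():
    """Rank the constructed assets and check the constructed flows against them."""
    return rank_assets(SAMPLE_ASSETS), check_flows(SAMPLE_ASSETS, SAMPLE_FLOWS)


if __name__ == "__main__":
    ranked, alerts = run_example()
    for a in ranked:
        print(f"{a.name:<14} RISK={a.risk():>3} {priority(a.risk())}")
    for alert in alerts:
        print(alert)
```

The flow to `fileshare` is skipped because it is not a key asset, which is exactly the scoping the idea argues for; the three remaining deviations come out ordered P1, P3, P4.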

IDEA: Use Distributed Corroboration of Service (DCOS)

The DCOS concept is the opposite of the successful Distributed Denial of Service concept. Basically, a product is engineered that utilizes the concepts of Big Data and Machine Learning. An app loaded on participating servers alerts the administrator, via a dashboard, of successful attacks and the current state of the "Defense in Depth" posture, and offers pertinent courses of action to harden the system. The "machine learning" would use a service, such as http://map.norsecorp.com, to see where attacks are coming from, their types and successes, alert the community of the attack vectors, and assess the current network’s ability to sustain the attack. If a community member’s machine has been compromised, it will alert the community so members can ensure they are not compromised and perhaps offer mutual agreements to address the potential attack (denial/corroboration of service).

Ideas Pertaining to Notification Procedures

It is imperative to escalate security from merely an IT concern to a business risk concern, and to provide the independence that enables security decision-making and implementation. For example, the federal government might make permanent a central Administration role, with appropriate authorities and budgetary controls, to direct and oversee cyber activities across the government, including leadership of a cybersecurity “council” for interagency coordination and separating agency Chief Information Security Officer (CISO) functions from Chief Information Officer (CIO) functions. This could establish a mechanism to escalate agency CISO security concerns directly to the department or agency head or central cyber function for adjudication as appropriate.

IDEA: Adopt a Whole-of-Nation Strategy as suggested for US critical infrastructure

This includes (a) consolidating several existing cyber capabilities and authorities into one new Federal Government interagency task force that operates at the Top Secret level and is specifically devoted to cybersecurity; (b) evolving synergistic public/private collaboration to include critical infrastructure partners within the task force to share the information and best practices necessary for threat vector understanding while also distributing the responsibility to act; (c) defining what must be protected - the "core", meaning "that which is too important to fail"; (d) developing improved cyber defense constructs to protect the "core"; and (e) defining pre-emptive actions.

Ideas for Deeper Considerations On Ways to Defend/Exploit/Attack Cyber Threats

Numerous activities warrant more thinking and refinement: two-factor authentication, least privileges, access management, encryption, security intelligence, vulnerability management, risk management, security as a business requirement, DevOps and security life cycle, cyber governance, and isolation of sensitive or critical systems. It is important to modernize security approaches beyond the perimeter-focused “moats and walls” approach, transitioning from a “secure network of systems” to a “network of secured systems” to achieve security in depth and improved resilience. For example, agency security strategies should emphasize detection, identification, protection, response, supply chain transparency, security intelligence, predictive analysis, data encryption, and a “zero trust network” philosophy. New micro segmentation technologies based on cryptographic keys are helping do this.

IDEA: Continuing and expanding research into methods for immediate breach awareness, the minute breaches occur, is a critical component of detection and mitigation

Available technology can spot and identify intrusion attempts at the source.

IDEA: Prevent and detect API threats

APIs are windows into the Enterprise and need to be secured at every point of engagement between the end user (consumer) and the Enterprise’s crown jewels. In the API world, humans and machines seamlessly interact with each other and blur the trust boundaries between customers, partners and service providers. It is becoming increasingly hard to differentiate between legitimate humans, authorized machines (apps), and cybercriminals who may exploit a threat vector via an API, mobile or cloud platform to access the crown jewels. A way to address this is:

• An adaptive security system to manage and secure all points of engagement
• A fine-grained authorization capability that is data centric and that supports various levels of access control based on the trust domain of the interaction
• A data-driven security service that uses machine learning to detect patterns of anomalies and that can interface with other security products in the ecosystem, e.g., integration with SIEM tools

IDEA: Deploy a lightweight micro-agent which captures metadata about user activities across the enterprise while also protecting requisite privacy

Insider threats represent one of the most vexing problems facing the US Government. Executive Order 13587 seeks significant enhancements to address this threat to organizations’ critical assets, including employees, contractors and business partners. Theft of IP, classified information or PII via stolen credentials is a mounting challenge given that internal networks often lack effective security measures. User activities are baselined to detect anomalies and patterns of good or bad behavior. The four high-impact areas are:

• Detecting malicious cyber insiders that aren’t detectable by other means
• Finding cases of compromised credentials that are only detectable by spotting suspicious changes in employee behavior
• Tracking, over time, risky behavior across the organization that puts the organization at risk, and taking a data-driven approach to putting in additional cyber security controls
• Using security tools to deliver other benefits to the business, such as dramatic savings in IT budgets.
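The behavior-based approach described for Einstein and CDM in Chapter 3 and the user-activity baselining of this micro-agent idea, as an added example that is not code from the ACT-IAC report or any vendor product: a per-user baseline of normal activity (hosts, hours, daily outbound volume) is built from metadata, new activity is scored for deviations that fit the compromised-credential and risky-insider cases listed above, and user names are replaced by a keyed-hash pseudonym before analysis as one way to meet the privacy requirement in the idea’s title. The history records, events, point weights, thresholds and the key are all constructed for illustration.

```python
"""Behavior-based baselining of user-activity metadata.

Added example, not code from the ACT-IAC report or any vendor product. It
builds a per-user baseline of normal activity (hosts used, hours active, daily
outbound volume), then scores new activity for deviations that suggest a
compromised credential or a risky insider. Only metadata is processed, and user
names are replaced by a keyed-hash pseudonym before analysis, so analysts work
with stable pseudonyms rather than identities. Records, weights, thresholds and
the key are constructed for illustration.
"""
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed key. In a real deployment the key holder can re-identify a
# pseudonym when an investigation is authorized; analysts cannot.
PSEUDONYM_KEY = b"constructed-demo-key"

# Points per indicator (integers avoid float-rounding surprises); 10 is the cap.
POINTS = {"new_host": 4, "unusual_hour": 3, "volume_spike": 5, "no_baseline": 3}


def pseudonymize(user: str) -> str:
    """Keyed hash (HMAC-SHA256) of the user name, truncated for display."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:12]


def build_baseline(history):
    """Per-pseudonym profile: hosts seen, hours seen, and a list of daily outbound MB."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set(), "daily_mb": []})
    for rec in history:
        p = profiles[pseudonymize(rec["user"])]
        p["hosts"].add(rec["host"])
        p["hours"].add(rec["hour"])
        p["daily_mb"].append(rec["mb_out"])
    return dict(profiles)


def score_event(profiles, event):
    """Score one activity record against the baseline; returns pseudonym, reasons, points, level."""
    pseud = pseudonymize(event["user"])
    profile = profiles.get(pseud)
    reasons = []
    if profile is None:
        reasons.append("no_baseline")  # never seen before: route to review, not alert
    else:
        if event["host"] not in profile["hosts"]:
            reasons.append("new_host")
        if event["hour"] not in profile["hours"]:
            reasons.append("unusual_hour")
        mean = statistics.mean(profile["daily_mb"])
        sd = statistics.pstdev(profile["daily_mb"]) or 1.0  # guard against a constant history
        if event["mb_out"] > mean + 3 * sd:
            reasons.append("volume_spike")
    points = min(10, sum(POINTS[r] for r in reasons))
    level = "alert" if points >= 6 else "review" if points >= 3 else "ok"
    return {"user": pseud, "reasons": reasons, "points": points, "level": level}


def evaluate(history, events):
    """Build the baseline from history, then score every new event against it."""
    profiles = build_baseline(history)
    return [score_event(profiles, e) for e in events]


# Constructed ten-day history for two users (daily summaries from the micro-agent).
SAMPLE_HISTORY = (
    [{"user": "alice", "host": "WS-ALICE", "hour": h, "mb_out": mb}
     for h, mb in zip([8, 9, 10, 14, 16, 8, 9, 10, 14, 16], [48, 52, 50, 47, 53, 49, 51, 50, 52, 48])]
    + [{"user": "bob", "host": "WS-BOB", "hour": h, "mb_out": mb}
       for h, mb in zip([9, 10, 11, 13, 15, 9, 10, 11, 13, 15], [20, 22, 21, 19, 20, 21, 23, 20, 22, 21])]
)

# Constructed new activity to score against the baseline.
SAMPLE_EVENTS = [
    {"user": "alice", "host": "WS-ALICE", "hour": 9, "mb_out": 51},   # normal day
    {"user": "alice", "host": "WS-ALICE", "hour": 9, "mb_out": 400},  # unusually large outbound volume
    {"user": "bob", "host": "WS-ALICE", "hour": 3, "mb_out": 21},     # bob's credential on alice's host at 03:00
    {"user": "bob", "host": "VPN-GW-7", "hour": 2, "mb_out": 900},    # new host, odd hour and big transfer
    {"user": "carol", "host": "WS-CAROL", "hour": 10, "mb_out": 30},  # no history yet
]


def run_example():
    return evaluate(SAMPLE_HISTORY, SAMPLE_EVENTS)


if __name__ == "__main__":
    for result in run_example():
        print(result)
```

A single indicator such as one new host only reaches the "review" level, while the combination that characterizes a stolen credential (new host plus unusual hour) crosses into "alert", which is the high-probability alerting the Chapter 3 idea expects from behavior-based systems.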

IDEA: “Signature” based detection has to evolve to match the kill-chain model, while at the same time consuming and producing threat intelligence

Big data for cyber security will provide the intelligence to make this model successful once we can define a common ontology, allowing long-term “look-back” of user, host, application and intelligence activity. What we think of as signatures today would evolve into algorithmic expressions that inform defenders where attention is needed. Architecturally, we imagine each location or site hosting a big data platform locally, with the ability to report to a central console for local and multi-location, agency-wide analytics. The resulting data can be securely communicated to our law enforcement and intelligence communities on an opt-in basis (allowing those communities to securely query those systems remotely).

IDEA: Every agency or business should have Elite Cyber Protection Teams (ECPT) that rotate from one key function or line of business to another

The ECPT creates/revises the Cyber Key Terrain (C-KT) assessment of importance for each business function, analyzes the risk for that function, develops the risk mitigation strategy for that function and works with the enterprise security team to implement it. The ECPT then moves onto the next function or line of business. This strategy maintains focus. Military CPTs are trained using this approach. They create realistic Virtual Clone Networks of an entire Joint Military Base with a synthetic internet, fake users who click on links, do email and whatever other job they normally do, and emulate adversaries. They also create a list of prioritized missions and teach the elite CPTs to define the C-KT and develop risk mitigation strategies. Then the team is tested (using metrics derived from the NIST Cybersecurity Framework) against emulations of real world threat actors. The teams can see how well their risk mitigation strategy would work against APT-28 or Deep Panda or Cyber Snake. They learn how important threat intelligence data is to guide their understanding of the enemy and fully contain and eradicate the adversary.

IDEA: Create Blue Team audits followed by Red Team operations performed by pre-qualified contractors or in-house staff, using an efficient contract services vehicle managed by GSA

The focus extends beyond standard penetration testing to the “hunting” tactics largely used by DOD Red Teams to emulate adversaries. This would increase resiliency and enhance the capability to act on early indicators of Advanced Persistent Threats.


CHAPTER 5 SHARING OF THREAT INTELLIGENCE

Challenge/Question: How can agencies and industry implement and sustain threat data sharing and create a robust, timely and systemic sharing environment (more than just incidents) that allows agencies to operate collectively government-wide and with industry and in real time, rather than independently with little peripheral view of threats and responses?

Introduction

The security community has been trying to establish “Information Sharing” since President Clinton directed all the critical sector verticals to share among themselves back in 1998. For lots of reasons, this was hard to do. Arguably, the two best information sharing organizations that have emerged in the last 15 years are the FS-ISAC (Financial Services – Information Sharing and Analysis Center) and the DSIE (Defense Security Information Exchange), but even those organizations are imperfect. When members decide to share some piece of intelligence, they have to package it up, send it to the sharing organization’s security operations center (SOC) for processing, and then the SOC disseminates the intelligence out to the rest of the members. The members then have to read it, decide if they need to take some action, and then deploy the recommended countermeasures as fast as they can. This approach can provide good intelligence, but using it can be cumbersome and slow.

In recent years, the federal government has made great strides in both increasing its ability to share cybersecurity threat information, and promoting greater cybersecurity information sharing with the private sector. These efforts largely stem from Executive Orders 13636 and 13691. As a result, the federal Government has fostered Information Sharing and Analysis Organizations (ISAOs) as well as Information Sharing and Analysis Centers (ISACs). The government has also supported specific programs, such as the Defense Industrial Base (DIB) pilot, the Enhanced Cybersecurity Services (ECS), Critical Infrastructure Cyber Information Sharing and Collaboration Program (CISCP) and Cyber Guardian. An evaluation should be conducted to determine why existing response structures and programs such as these are or are not meeting the need before creating any new ones.

Responses in this area focused on sharing information to minimize risks and enrich threat intelligence.

Ideas Pertaining to Data Sharing to Minimize Overall Risks

Timely, relevant, and meaningful data sharing is critical to minimizing overall risk. As in any complex environment, an increase in the knowledge of all actors results in better outcomes for the entire system, not just for a few. The old adage that a system is only as strong as its weakest link applies. The Federal Government must continue to increase its own ability to declassify and widely distribute cybersecurity threat information. The Federal Government should also continue to promote private sector information sharing, which can accelerate the mitigation of business and national security related risks.

IDEA: Use incentives, disincentives, non-attribution rules, and well developed policies to increase the probability and efficacy of such sharing


It is important to acknowledge that the incentives for government and industry differ. For example, one government agency wants industry to share and another wants to penalize. A company that knows it may be encouraged to share, but could also face penalties, will most likely choose not to share. Additionally, industry will be highly averse to sharing if it is penalized financially, which is its lifeline. The same is not true for government agencies, which are not incentivized or penalized financially like the private sector. Different incentives, ones that are motivational in the government environment, need to be applied to agencies.

IDEA: Instead of mandating information sharing, both government and industry should look at this issue as one of national security

As an example, if there were a potential for pandemic disease, that information would first be thoroughly investigated by the Centers for Disease Control and Prevention (CDC) and others before being communicated to the broader public in order to prevent unnecessary panic. The challenge with information sharing is that it has the potential to create more noise, weakening already weak signals and creating more tedious workflows.

IDEA: Focus on more useful and meaningful signals

A key challenge is for consumers/users to get a better sense of the reliability, timeliness, and context of threat intelligence. Consider the Department of Homeland Security (DHS) Active Cyber Defense effort as an end goal, with its intelligence distributed to each agency and location. Computer Network Defense personnel would then have the ability to query other locations to understand the prevalence of Government-wide threats. If they see something suspicious, they can contact DHS, the FBI, or others for deeper investigation.

Ideas That Enrich Threat Intelligence

DHS and FBI have capabilities to instantiate queries outbound for deeper attribution and the ability to enrich the threat intelligence. Government needs to raise the level of expertise across the board, and the best way to do so may be to allow more transparency, enabling Computer Network Defense staff to ask better, more informative questions. This could enrich and fortify intelligence and scale expertise. Specific ideas include:

IDEA: Broaden use of the Cyber Threat Alliance (CTA)

Through CTA, security vendors share a required minimum of zero-day threat intelligence with each other in near real time by updating the controls within their products without the end user customer getting involved. The CTA is also collaborating to share correlated information about cyber-attack campaigns and specific malicious actors. These efforts by industry show significant steps in the right direction.

IDEA: Better standardize and harmonize threat intelligence sharing processes and practices so that Government and industry increase interoperability and compatibility

Numerous structures and programs exist and yet the persistent perception, if not reality, is that information sharing is not meeting the need.


IDEA: Endorse and expand the Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) framework so that data breach reporting is more robust and shared widely but in meaningful ways

Operations like the North American Network Operators Group, that shares incidents across most of the major networks in the US, could be emulated and expanded to include a “neighborhood cyber watch” program where companies and citizens could report issues to a shared resource that would then inform appropriate authorities. Sharing alone is not enough. It also requires executing on that knowledge.
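The STIX/TAXII idea above is concrete enough to show in code. The following is an added example, not part of the ACT-IAC report and not the OASIS reference implementation: it builds a STIX 2.1 indicator bundle of the kind a TAXII server would distribute, validates the fields a consumer must check before trusting an object, and matches the indicator's pattern against local proxy telemetry to produce sightings. The log format, the addresses and domains, and the pattern subset handled (equality comparisons joined by OR) are all constructed for the example.

```python
"""
Added example (not from the ACT-IAC report): a STIX 2.1 indicator bundle and a
minimal matcher that turns shared indicators into local sightings.
Assumptions: the proxy log format, the IPs/domains and the pattern subset
handled (equality comparisons joined by OR) are constructed for this example.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Subset of the STIX pattern language this matcher understands:
# one or more `object-type:property = 'value'` comparisons joined by OR.
COMPARISON = re.compile(r"([a-z0-9-]+:[a-z0-9_.]+)\s*=\s*'([^']*)'")

REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")


def utcnow():
    """STIX timestamps are RFC 3339 UTC with millisecond precision."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(name, pattern, valid_from, indicator_types=("malicious-activity",)):
    ts = utcnow()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": list(indicator_types),
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": valid_from,
    }


def make_bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate_indicator(obj):
    """Return a list of problems; an empty list means the indicator is usable."""
    problems = [f"missing {k}" for k in REQUIRED if k not in obj]
    if obj.get("type") != "indicator":
        problems.append("type is not indicator")
    if not re.fullmatch(r"indicator--[0-9a-f-]{36}", obj.get("id", "")):
        problems.append("id is not indicator--<uuid>")
    if obj.get("pattern_type") == "stix" and not COMPARISON.search(obj.get("pattern", "")):
        problems.append("pattern contains no comparison this matcher understands")
    return problems


def pattern_terms(pattern):
    """[(object path, expected value), ...] for every comparison in the pattern."""
    return COMPARISON.findall(pattern)


def match_indicator(indicator, observation):
    """observation maps STIX object paths to observed values."""
    return any(observation.get(path) == value
               for path, value in pattern_terms(indicator["pattern"]))


def proxy_line_to_observation(line):
    """Parse a constructed proxy log line: '<ts> <src> -> <dst> host=<h> url=<u>'."""
    m = re.match(r"(\S+) (\S+) -> (\S+) host=(\S+) url=(\S+)$", line)
    if not m:
        return None
    _, src, dst, host, url = m.groups()
    return {"ipv4-addr:value": dst, "domain-name:value": host,
            "url:value": url, "_src": src}


def sightings(bundle, log_lines):
    """Every (indicator, log line) pair where the line matches the indicator."""
    indicators = [o for o in bundle["objects"]
                  if o.get("type") == "indicator" and not validate_indicator(o)]
    hits = []
    for line in log_lines:
        obs = proxy_line_to_observation(line)
        if obs is None:
            continue
        for ind in indicators:
            if match_indicator(ind, obs):
                hits.append({"indicator": ind["id"], "name": ind["name"],
                             "src": obs["_src"], "line": line})
    return hits


# Constructed sample telemetry (RFC 5737 documentation addresses, invented hosts).
SAMPLE_LOG = [
    "2015-12-03T14:02:11Z 10.0.0.5 -> 198.51.100.7 host=update-check.example url=http://update-check.example/ping",
    "2015-12-03T14:02:40Z 10.0.0.6 -> 203.0.113.20 host=www.example.gov url=https://www.example.gov/",
    "2015-12-03T14:03:05Z 10.0.0.9 -> 203.0.113.44 host=update-check.example url=http://update-check.example/x",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    ind = make_indicator(
        "Constructed C2 infrastructure",
        "[domain-name:value = 'update-check.example' OR ipv4-addr:value = '198.51.100.7']",
        "2015-12-01T00:00:00Z")
    bundle = make_bundle([ind])
    print(json.dumps(bundle, indent=2))
    for hit in sightings(bundle, SAMPLE_LOG):
        print(f"{hit['src']} matched {hit['name']} ({hit['indicator']})")
```

Two points the prose above makes are visible here: an indicator that fails validation is silently dropped rather than matched, which is the consumer's guard against malformed or untrusted objects, and the second log line shows that a matching domain still counts as a sighting when the resolved address has moved, which is why sharing both observables in one pattern is more useful than sharing an address alone.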


CHAPTER 6 SOLVING THE CYBER TALENT SEARCH

Challenge/Question: How can government tackle the cybersecurity talent search in a way that strengthens skills, experience, and knowledge, both within government CISO/CIO and partner organizations and externally from contracted services?

Introduction

For a number of years, federal agencies have struggled to recruit and retain qualified individuals to fill cyber security slots in their organizations. The pool of workers with adequate competence and skills is limited and in high demand. In an environment where strong security is a growing priority and where both commercial and government security breaches make headline news every day, the rush to fill cyber positions pits agency against agency as well as government against commercial industry for the same pool of professionals.

The ideas submitted range from recruiting qualified individuals early (before they graduate from college programs or during initial career stages) to incentivizing cyber managers and staff by empowering them to innovate and create new approaches and techniques. While challenging, retention is equally important to maintain a long term, stable, and seasoned cybersecurity workforce. Ideas also addressed training and building a cyber-aware culture.

Ideas Pertaining to Attraction, Outreach, and Recruitment of Cybersecurity Talent

The need for talented cybersecurity defenders in the Federal Government is rapidly increasing with the evolution and sophistication of Cyber attackers. Current security teams are overburdened, causing huge vulnerabilities for organizations and can lead to disastrous events like the recent OPM breach. It is imperative we grow our cybersecurity workforce through aggressive and innovative recruitment methods as soon as possible. Recruiters and managers should target potential cyber workers, starting with high school and college students to those already in the active workforce, acquainting them with the government cyber opportunities and benefits. Broadening the search beyond traditional recruiting practices and implementing unique and innovative methods will help to quickly increase the supply of cybersecurity professionals available for employment.

High School and College

IDEA: Innovative internship approaches are needed to reach out to high school and college students who are in the early stages of decision making about their career path

Create “virtual internships” in addition to on-site internships as a means to have a much broader reach to hundreds of thousands of students.

IDEA: Recruiting school faculty will help spread the word about career opportunities and garner interest at an early stage


Job offers that include student loan reimbursement plans can be a great way to incentivize student interest in pursuing cyber careers in government.

Current Agency Workforces

IDEA: Look for cyber-related talent in other parts of the organization

The fastest way to get cyberworkers into critical positions is to find qualified employees already working in an agency or elsewhere in government. Two potential “pools” of people to draw upon are (a) the existing IT workforce that understands both the technology and the details of the specific environment and can quickly develop cyber skills (which are in most cases not part of their required KSAs) and (b) existing compliance/authorizing official support staffs who often understand the required controls and the process for risk management decisions, but may not have the detailed technical skills for cyber defense. In addition, risk management, analytical competencies, benefit/cost analysis, and performance management are also core to effective cyber solution investments and business cases. Tools can facilitate searches for existing skills and competencies, and pipelines can be automatically built to provide skill gap training to current staff to qualify them for cyber openings.

Cyberworkers Outside of Agencies

IDEA: Recruit at high profile cyber conferences (e.g., BlackHat, Hackathons, Meetup groups, etc.)

Security professionals can be attracted to Federal positions because of the impact and uniqueness of agencies’ missions.

IDEA: Don’t rely totally on job fairs; use on-line resources such as Monster.com, CareerBuilder and LinkedIn to proactively find job candidates actively seeking work

Even passive candidates with core technology skills can be identified and contacted to draw them into journeyman positions in the cyber-workforce. Social media and web advertising can also be excellent recruitment channels.

IDEA: Use alternative talent management strategies to find employees who have certifications, key knowledge and skills, and leadership experience to assume key management roles (e.g., in-house, military, technical schools, etc.)

Seeking professionals in other parts of organizations that could be used by CyberSecurity shops and re-tooling them with the skills needed for their specific tasks is a great way to use resources already available and save money.

Ideas Related to Eligibility, Assessment, and Selection

High performance cybersecurity work often excels in environments that are3:

Multi-functional (i.e., workers have diverse skill sets and can perform multiple roles)

Dynamic (i.e., changing constantly and keeping up with the latest threats)

Agile

Flexible

Informal (i.e., unconventional working hours, shifting duties, relaxed atmosphere)

3 Cybersecurity Workforce Development Toolkit, https://niccs.us-cert.gov/home/cybersecurity-workforce-development-toolkit

IDEA: To ensure adaptability to the traits of the cyber environment, agencies can use eligibility questions to ensure basic requirements are met, such as winning a Cyber Patriot competition or attending a USA Cyber Council Camp

Valid documentation would be required and collected. Candidates must pass assessments measuring the standardized knowledge, skills, abilities, and personal characteristics that are required for successful performance in cybersecurity jobs. Related job experiences and engagement in realistic testing scenarios or use cases can also be put into the mix.

IDEA: Take advantage of the NIST NICE Cyber Workforce Framework, leveraging Eligibility and Assessment question methodologies to down-select candidates worthy of an interview cycle

Hiring managers need to inspect and respect the candidate’s qualifications to ensure the candidate wants and takes the job/career. This process should mirror supply chain best practices to ensure the approved Talent is available to fill the jobs when they become open and stay with them.

Ideas Pertaining to Position Management/Career Pathing/Retention4

Having clear, comprehensive descriptions of work that must be performed is essential. In the federal government, this is referred to as position management. Cybersecurity work, however, poses special challenges. For example the rapid change in technologies and tactics for exploitation and intrusion makes defining the required talent a tall order. There are key steps needed to define, operationalize, and train for cyber work.

IDEA: Start with the essential skills and traits needed for cyber workers

Specifically focus on job competencies required for effective, and proactive, cyber defense and intrusion response. Equally important: provide a flexible methodology for adding, modifying or removing competencies over time.

IDEA: Establish a framework for an occupational grouping dedicated to the cyber workforce

Include occupational series that are covered in the NICE framework, and devise a coding mechanism for the occupational grouping which enables these cyber workers to be tracked through their careers. As part of this framework, develop alternative Career Paths that reflect the diversity of positions within the occupational grouping, and empower cyber professionals to progress in a non-linear career path – one that can be horizontal, vertical, or diagonal, and includes occupational series or specialties related to their primary experience.

IDEA: Place the Cyber occupational grouping into the Excepted Service

Because of the nature of this work, and its rapid evolution, it is increasingly difficult to evaluate cyber candidates by traditional means. Moreover, some federal agencies already have this flexibility, demonstrating its success.

4 Please note. This discussion only refers to the Cyber Workforce, and not the responsibilities of all workers to maintain secure systems.


Ideas Related to Cyber Learning and Training

A recent study by Brandon Hall Group confirmed that 55% of organizations now have a formalized approach to align learning and development strategies with the goals of the business. Therefore, most organizations grappling with the shortage of cyber personnel are not simply seeking a Cyber certification, rather aspiring to develop a workforce that is competent to execute on their agency or organization’s stated cyber security initiatives.

IDEA: All agency cybersecurity job roles should be clearly defined and aligned with the National Cybersecurity Workforce Framework (NCWF)

Organizationally, each cybersecurity job role should be mapped to a specific set of knowledge, skills and abilities (KSAs). The staff being recruited for these roles should have a full skills assessment against the stated competencies of the job role. The individual/s should then receive the required skills development to address any known gaps.

IDEA: Formally institutionalize the acquired best practices into their organizational undercurrent, which includes methodology adoption, process improvements and policy changes

This approach will reinforce the individual disciplines and establish the desired outcome of an engaged community combatting constantly changing threats.

IDEA: Provide an environment of skills-based and performance-based training and assessment where cyber supports the mission through functional assessments, realistic training, and exercise events at appropriate levels for ALL employees

Provide cybersecurity awareness training and practice, appropriately tailored to leadership, management, and staff roles, to enable all employees to have basic cybersecurity awareness, skills, and understanding of how to recognize and report cybersecurity threats, vulnerabilities, and incidents.

For cybersecurity practitioners, move beyond knowledge-based technical training to skills-based training. Ensure they are certified via performance-based assessment to ensure federal employees and contractors have the requisite skills to perform tasks required for their functional roles as described by the NICE National Cybersecurity Workforce Framework.

Ideas Pertaining to Building an Aware and Capable Cybersecurity Culture

A successful information security program is dependent on many things not the least of which is the agency culture. This culture should understand the role and value of cybersecurity and how deficiencies can impact mission, accountability, and citizen trust.

IDEA: Agency Chief Information Security Officers should be selected not only for their technical background but for their proven track records.

CISOs should be able to translate business requirements into secure, mission driven solutions and to elevate awareness of the impact of poor security with tangible, meaningful, risk-based illustrations and case studies.

IDEA: Leverage commercial pay scales that are often higher than those of the government.


Agencies should take advantage of all available incentive pay mechanisms to recruit, hire and retain critical cyber skills and talent.


CHAPTER 7 EXECUTIVE LEADERSHIP-LED RISK MANAGEMENT

Challenge/Question: How can we sustain executive-level attention to this critical issue, and institutionalize cyber as an on-going component of agency risk-management practices, not just a side-bar activity?

Introduction

Risk management is an important component of modern cybersecurity programs. It enables disciplined identification and analysis of the risks an organization faces and informed decision-making on actions, costs, and tradeoffs to mitigate those risks commensurate with their potential impacts. NIST provides a suite of publications on how to apply risk management to Federal information systems. However, many Federal agencies still face challenges in implementing robust, effective risk management practices in their organizations. Anecdotal reports indicate that many decisions are made with incomplete or outdated information and without the benefit of a rigorous, structured, objective analysis. Other reports indicate some agencies attempt to protect all of their information assets at the same level, rather than identifying the highest value assets and investing in them accordingly. This section identifies actions that can be taken to strengthen Federal agencies’ risk management programs and practices.

Cybersecurity is at the forefront of discussion across almost all Federal agencies today. The challenge for executive leadership is how to address the cyber challenge. As has become obvious over the last year, cyber security is not a “fixable” problem. It is not a technical issue that is implemented and then requires occasional maintenance. The cyber security challenge has moved from a technical issue to a risk management issue, similar to managing for a natural disaster or a loss of critical infrastructure. Senior executives know of the cyber issue, but they do not know how to manage their organizations considering the cyber threat.

The objective of a senior executive is to deliver products and services to its clients, whether they are citizens receiving social security benefits or Government agencies relying on the service to operate. The cyber security threat is a risk that could keep organizations from fulfilling their mission. A common mantra among cyber security professionals is that executives, in both commercial and federal groups, do not pay enough attention to the cyber issue. In reality, the reason for the lack of attention is that the cyber issue is often presented as an independent problem, not as a risk to their mission and objectives. For example, the Commissioner of the Social Security Administration’s (SSA) job is not to defeat cyber threats. It is to deliver benefits to the citizens of the United States. Telling the Commissioner to execute cyber activities without the context of how they impact her mission is not of value.

The solution to this challenge is presenting cyber threats and related actions in the form of risk management directly related to the mission of the executive. Confusion results when the term risk management is used in regard to cybersecurity. Many believe this is related to the risks posed by a cyberattack. True risk management focuses on the impact of a cyberattack on the execution of the mission of the agency or company. The likelihood of the attack must also be considered. For example, if an attack occurred at the SSA that stopped social security checks from being delivered, the impact on the country could be catastrophic. Therefore, evaluating systems and the associated threats that could stop the delivery of checks would be a high priority of the SSA cyber efforts.

The challenge is that this type of mission-focused risk management does not currently exist in most Federal agencies. Executives are briefed on threats and vulnerabilities, but putting these in the context of risk against the agency’s mission is not currently done. Similarly, without risk in the context of the mission of the agency, visibility at the executive level is difficult. Dashboards of vulnerabilities and attacks, without the associated risks to the organization’s mission, do not provide actionable information.

Many of the ideas submitted recognized that cyber is no longer a problem to be fixed, but rather is inherent in a risk based environment. For this approach to be implemented, some standard risk calculation approach is needed to enable aggregation of risks at different organizational levels. Several ideas called for common risk modeling approaches.

The commercial world is rapidly moving toward a risk management approach, under a Risk Management Officer, that monitors cybersecurity in the same context as other risks like natural disasters, financial failure, or external factors like the loss of a major client. Tools are being developed by the commercial market to measure cyber risk and should be evaluated for government use. The approach being utilized by industries such as the financial and insurance industries should be reviewed.

The ideas submitted can be categorized into two primary areas: risk management and visibility and accountability. The risk management ideas addressed the ability to effectively quantify risk for use in managing the cyber activities of an organization. The visibility and accountability responses primarily focused on regulatory type actions and results such as following the Federal Information Technology Acquisition Reform Act and establishing a similar process to Federal Risk and Authorization Management Program (FedRAMP) for enterprises.

Ideas Related to Risk Management

The ideas submitted that appeared to have the most promise focused on the establishment of common risk management assessments and quantification approaches.

IDEA: Agencies need to transition from a compliance-focused approach to a risk management approach

Viable risk management approaches include a risk model, risk quantitative analysis, and prioritization of risk mitigation. Without a standard risk quantification method, executives are faced with the challenge of trying to monitor the high-risk area of cyber against their primary mission. Without this context, just saying “cyber is a risk” is not enough information for executive level visibility and action.

IDEA: Implement a cybersecurity governance framework that integrates security risk with the organizational business model and aligns IT risk with business goals

Several commercially accepted models exist, such as COBIT and FAIR (Factor Analysis of Information Risk), that could be the basis for the standard risk assessment. Governance frameworks such as COBIT can be used to effect the alignment, monitor progress, and control operations. The governance model should be extended to the Inter-Agency Task Force that has been recommended, and executives should be held responsible for the implementation, monitoring, and control of all risk, not just non-security risk.

IDEA: Adopt a security framework and governance model that follows the next version of the NIST Risk management Framework, but also provides a set of standard mandatory tools that can identify misconfigured systems and untrained users in real time, and raise flags

Many organizations do not follow a mature governance framework: executives relegate cybersecurity risk to the CIO and forget about it. The CIO delegates risk to the CISO, and the CISO is then blamed when things go wrong. One of the issues with the Risk Management Framework as applied today is that it relies on assessment of controls along with audits of sample populations to assess systems. Compliance assessment needs to be balanced with strict configuration management and mandatory training on the use of systems for all users. Agencies should design networks and systems with a containment strategy that ensures critical resources are not exposed to compromise from a single unpatched system.

Risk management approaches relate to organizational resilience. As enterprises strive to gain value by leveraging technology, the risk associated with digital business is increasing. Isolated approaches to information security, business continuity, and incident response are a thing of the past; today, the urgency of providing continuously available services for customers and business partners in the digital economy requires enterprises to become resilient. A resilient enterprise protects itself from attack, but also recognizes that defense is not the end-all. A resilient enterprise needs to connect protection and recovery to the mission and goals of the enterprise, implementing integrated programs in order to provide sustainability of essential services. C-Suite & Board members need to evaluate the operational risk inherent in digital business and direct management to ensure that the enterprise is more than just protected—it is resilient. Cyber risks need to be aligned with the business/mission goals of the organization including matching value chain risk to identified threats.

IDEA: Move to quantifiable risk based on business functionality

There has been a rather dramatic change in thought in the last nine months or so on this topic, particularly around the question “What is a risk?” Until recently, risk was determined by measuring the vulnerabilities within the environment and the ability to patch or mitigate them. Risk based on business functionality starts from the business risk and the dollars associated with that risk, and only then looks at the cyber influences on it. In other words, it is top down, not bottom up. This approach also requires identification of high value assets, operations, etc., and it is much more aligned with C-level discussions. Additionally, under this approach executives need to be given the ability to declare a “cyber state of emergency”.
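The difference between the bottom-up and top-down views above is easiest to see with numbers. The following is an added example, not part of the ACT-IAC report and not any agency's method: it ranks constructed business functions by annualized loss expectancy (probability of disruption times mission dollar impact) and compares that ranking with the vulnerability-count ranking a typical dashboard produces. The same per-system contribution calculation is the kind of analysis behind the Cyber Key Terrain (C-KT) assessment described for the Elite Cyber Protection Teams earlier in this section. All functions, systems, dollar impacts and compromise probabilities are assumptions made up for illustration; in practice the probabilities would come from threat intelligence and exposure data.

```python
"""
Added example (not from the ACT-IAC report): top-down, mission-based risk
quantification compared with bottom-up vulnerability counting.
All business functions, systems, dollar impacts and probabilities below are
constructed for illustration; the probability estimates would come from
threat intelligence and exposure data in a real programme.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    open_vulns: int       # bottom-up signal: unpatched findings on the system
    p_compromise: float   # assumed annual probability of a disruptive compromise


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    impact_usd: float     # estimated loss if the function is disrupted this year
    systems: tuple        # systems whose compromise stops the function


def p_disruption(func, systems):
    """Probability that at least one supporting system is compromised,
    treating systems as independent and any single compromise as disruptive."""
    p_all_ok = 1.0
    for name in func.systems:
        p_all_ok *= 1.0 - systems[name].p_compromise
    return 1.0 - p_all_ok


def annual_loss_expectancy(func, systems):
    return p_disruption(func, systems) * func.impact_usd


def top_down(functions, systems):
    """Rank business functions by mission dollars at risk (the executive view)."""
    rows = [{"function": f.name,
             "p_disruption": round(p_disruption(f, systems), 4),
             "ale_usd": round(annual_loss_expectancy(f, systems), 2)}
            for f in functions]
    return sorted(rows, key=lambda r: r["ale_usd"], reverse=True)


def bottom_up(systems):
    """Rank systems by raw vulnerability count (the dashboard view)."""
    return [s.name for s in sorted(systems.values(),
                                   key=lambda s: s.open_vulns, reverse=True)]


def key_terrain(func, systems):
    """Cyber key terrain for one function: how much of its annual loss
    expectancy each supporting system accounts for, measured as the ALE
    reduction if that system's compromise probability were driven to zero."""
    base = annual_loss_expectancy(func, systems)
    contributions = []
    for name in func.systems:
        hardened = dict(systems)
        s = systems[name]
        hardened[name] = System(s.name, s.open_vulns, 0.0)
        contributions.append((name, round(base - annual_loss_expectancy(func, hardened), 2)))
    return sorted(contributions, key=lambda t: t[1], reverse=True)


# Constructed inventory: the noisiest systems support the least valuable functions.
SYSTEMS = {s.name: s for s in [
    System("web-cms", open_vulns=120, p_compromise=0.30),
    System("hr-portal", open_vulns=80, p_compromise=0.20),
    System("payment-gateway", open_vulns=4, p_compromise=0.10),
    System("payments-db", open_vulns=2, p_compromise=0.05),
    System("mainframe", open_vulns=1, p_compromise=0.02),
]}

FUNCTIONS = [
    BusinessFunction("Benefit payment delivery", 500_000_000.0,
                     ("payment-gateway", "payments-db", "mainframe")),
    BusinessFunction("Internal HR portal", 5_000_000.0, ("hr-portal",)),
    BusinessFunction("Public website content", 2_000_000.0, ("web-cms",)),
]

if __name__ == "__main__":
    print("Bottom-up (most vulnerabilities first):", bottom_up(SYSTEMS))
    print("Top-down (mission dollars at risk first):")
    for row in top_down(FUNCTIONS, SYSTEMS):
        print(f"  {row['function']:28s} p={row['p_disruption']:.4f} ALE=${row['ale_usd']:,.0f}")
    top = top_down(FUNCTIONS, SYSTEMS)[0]["function"]
    func = next(f for f in FUNCTIONS if f.name == top)
    print(f"Key terrain for '{top}':", key_terrain(func, SYSTEMS))
```

With these constructed inputs the vulnerability dashboard points at the public web CMS, while the mission view puts benefit payment delivery first by two orders of magnitude and names the payment gateway as the system whose hardening buys the most risk reduction. The independence assumption in p_disruption is a simplification; correlated compromises (shared credentials, a common hypervisor) raise the real probability, which is one reason the text asks for a standard, agreed risk model rather than ad hoc arithmetic.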

Ideas Related to Visibility and Accountability

The ideas in this area primarily revolve around stronger compliance with regulatory areas such as FITARA.

IDEA: Create a tighter accountability structure for federal agencies and staff

Some form of consistent measurement is needed to monitor compliance actions and status across the organization on an ongoing basis. The FITARA guidelines could be used to measure each program activity.

IDEA: Solidify the relationships between CISOs and Risk Management Officers (RMO) within organizations.

A common trend in commercial organizations is moving the Chief Information Security Officer under the Risk Management Officer rather than under the Chief Information Officer. This should be a consideration for Federal agencies as well.


CHAPTER 8 BUILDING EFFECTIVE SECURITY INTO ACQUISITIONS

Challenge/Question: With the continued and growing dependence of the government on commercially provided IT services, what changes are needed to government acquisition policies and practices to ensure that contractors provide adequate security and privacy protections to government data and information?

Introduction

Federal agency acquisition programs are an essential means to acquire IT solutions they need to fulfill their missions. When executed well, acquisition programs can deliver timely, effective, and cost efficient solutions that leverage private sector capabilities to meet government program mission needs. However, all too often, acquisition programs are blamed for the failure to deliver successful and secure IT solutions. Complaints run the gamut from “the process takes too long” to “the process doesn’t enable us to buy what we need” to “the Federal acquisition process dis-incentivizes many innovative companies from participating”. Some of the concerns appear to reflect misunderstanding and miscommunication rather than actual structural barriers to success. This section addresses ways that the acquisition process can be enhanced and leveraged to improve the success rate on delivering secure IT solutions that meet mission program needs.

Ideas Related to Turbo Charging the Federal Acquisition Process

Successfully delivering Federal programs depends to an ever increasing degree on effective use of information technology. Citizens, businesses, and state, local, tribal and territorial governments all expect the Federal government to use the same kinds of technology and processes to deliver services that they use in their daily lives. A familiar refrain is “why can’t the government work like the best private companies?”. Integrating robust cybersecurity into those services is essential to their success. No one wants their personal data stolen or their business transaction corrupted due to weak security. The success of cybersecurity across the Federal government depends on an acquisition process that is agile, dynamic, and responsive to procure goods, services, and capabilities consistent with the 21st century imperative to “operate at the speed of the web.” Some of today’s Federal cybersecurity challenges can be traced to the gap between solutions in use in Federal agencies versus the best commercially available solutions in use in the private sector. This gap is rooted in the process the government uses to acquire goods and services from the commercial market. The gap has grown over time and these two markets have become increasingly disconnected as indicated by diverging cycle times, inefficiencies, and sub-optimized acquisition outcomes. Unless it is effectively addressed and closed, this gap poses serious ongoing risks to the performance of government mission programs that rely on the use of information technology. Federal CIOs and OMB must deal with the culture of “perfectionitis” to address the interrelated challenges of growing system complexity, foreign supply sources to include counterfeit components, cyber threats and vulnerabilities driven by software dependencies, and cost growth to sustain software intensive systems; all in the era of constrained resources and strong competition for cybersecurity talent. 
While it is clear that the federal acquisition environment needs to play a role, it is less clear what that role should be, given that rules aimed at improving cybersecurity may stifle innovation and adversely impact the competitive marketplace. The following recommendations are purposeful, meaningful steps to refocus and turbo-charge the federal acquisition process:

IDEA: Change is not a one-time event, so establish an environment that enables continuous change management

Rather than identifying “perfect” cybersecurity improvements, efforts should be focused on breaking the changes down into discrete small steps to get things moving and create momentum. The following actions should be considered as potential incremental improvements:

o Create cybersecurity dashboards to visualize threats;
o Establish a virtual marketplace web store to enable market research and access to tools and capabilities;
o Conduct virtual training workshops;
o Establish collaboration sites to share best practices; and
o Create a wiki to make cybersecurity resources more readily available.

IDEA: Progress is not possible without change, so emphasize outcomes of the process, not inputs

In unfamiliar situations, like a changing cyber environment, people and organizations take cues from others, which is what makes positive peer pressure so effective. Leverage key influential players to drive change and celebrate success. Recommend leveraging existing award competitions, like the ACT-IAC annual “Acquisition Excellence” competition to recognize high performing cyber initiatives, programs and practices and incentivize others to emulate and adopt them. Consider leveraging this activity to create a “Cyber Best Practices” program to purposefully collect best practices that could be evangelized for broader adoption.

IDEA: Promote market incentives to accelerate Federal cybersecurity innovation

Doing business with the Federal Government requires accepting a plethora of unique regulations, standards and specifications, and often instituting a separate and unique set of accounting and reporting practices. Certified cost and pricing data, intellectual property concerns, and limited profit margins result in a divide between federally-focused companies and commercially-focused companies. Perceptions that the burden is not worth the potential revenue gain cause some companies to avoid entering the Federal market, preventing potentially valuable capabilities from being available to the government. The adoption of bold new approaches specifically focused on incentives, including nontraditional approaches to promote cyber innovation, could help overcome these barriers. One such concept is a not-for-profit venture capital firm that invests in high-tech companies for the sole purpose of building a pipeline of cutting edge cyber solutions for the federal environment. Without a reasonable prospect of profit or a sizable production program that generates a revenue stream and profits, there is little incentive for a company to risk its own funds.

IDEA: Direct C-level involvement in a consistent cadence

Federal Agencies could be better served by adopting management styles, market practices and metrics closely aligned with those that operate in the commercial world. Defending against cyber threats should be among Federal Agencies’ top priorities. This includes enhancing capabilities to protect and defend their networks and ensure that current and future systems can operate effectively in a cyber-contested environment. Establish Cybersecurity Investment Management Boards that involve the most senior leadership of each Agency and meet regularly. An alternative to a stand-alone board is to integrate cybersecurity as a visible priority consideration in existing IT Investment Management Boards and their business processes.

IDEA: Development Operations (DevOps) is the new normal, not an exception

The agile concepts and methodology of “DevOps” combine capability development with operational excellence. This approach can be applied directly to the cyber environment to impact mission processes and enterprise decisions. DevOps fundamentally changes the traditional concepts and separation of “acquisition” from “sustainment”. It begins with the mission business (the Ops part of DevOps) with a cadence and a structured, disciplined methodology to drive capability development (the Dev part of DevOps) without the “traditional” acquisition constraints. DevOps emphasizes enterprise-level decision making to drive efficiency across both development and operations. This would benefit agencies’ cybersecurity through enhanced collaboration between development and operations staffs. Several attempts have been made recently to establish “agile” acquisition processes that track and support agile development methodologies. These efforts should be evaluated to develop a set of best practices that agencies could use to adapt and institutionalize agile acquisition methods.

IDEA: Establish a Dedicated Cyber Innovation Laboratory and Fund for the Federal Government

Cyber-security vulnerabilities are a direct fall-out from the complexity we find ourselves in. Given the ubiquitous cyber threats, IT staffs are already overtaxed, and they face even more sophisticated cyber threats in the future. The Federal Government needs to invest in tomorrow’s technology to significantly change the approach. Research is needed to create 21st century solutions with 21st century processes that cut across organizations, agencies and departments. A Cyber Advanced Research Laboratory could formulate and execute research to address a whole new class of vulnerabilities and scaling techniques at machine speed to remove the human from the equation. The immediate focus would be to create a cyber-testbed to evaluate alternative cyber technologies. This capability would provide government agencies a place where they can share expertise, test solutions, and maintain and extend the expertise and skills of their workforce.

IDEA: Re-Invent the OMB Dashboard to Address Supply Chain Challenges

The IT Dashboard is a website enabling federal agencies, industry, the general public, and other stakeholders to view details of federal information technology investments. Its purpose is to provide information on the effectiveness of government IT programs and to support decisions regarding the investment and management of resources; it is used by the Administration and Congress to make budget and policy decisions. The IT Dashboard could be strengthened to include comprehensive, detailed and reliable quantitative cyber metrics, including cooperation between the Federal Agencies and with the private sector on cybersecurity and supply chain concerns. The Federal IT environment could learn from efforts ongoing within the European Union to establish a visualization tool that provides near real time supply chain and cyber threat information to increase collaboration and to discern the impact of vulnerabilities. As part of an effort to identify Cyber Acquisition Best Practices, ACT-IAC hosted a forum with a United Kingdom organization creating a real-time supply chain and cyber management portal with the promise to address today’s interconnected world with a 21st century solution. Technology has become integral to virtually every sector of the global economy, including banking, communications and the electrical grid, all of which are impacted in real time by changes in cyber threats. The OMB IT Dashboard represents the first step toward creating meaningful change by providing a tool that could share real-time supply chain and cyber information across the Federal government.

IDEA: Using Certifications Similar to FedRAMP for All IT Acquisitions

Applying consistent cybersecurity standard requirements across all federal contracts could strengthen the Federal government’s cybersecurity. The Joint Task Force that developed the Risk Management Framework could be leveraged to develop certification criteria for a “CyberRAMP” Program to determine contractors’ products’ and services’ compliance with all applicable cybersecurity requirements. This program could be managed by GSA once the certification criteria and requirements were finalized. The CyberRAMP Program would allow for third party certification using the Joint Task Force requirements in the same manner as the FedRAMP Program. The certification criteria could be required either on an acquisition by acquisition basis or for all acquisitions where IT is involved. Given the urgency of improving cyber security hygiene, it could also be an evaluation factor in technical and cost tradeoff evaluations.

IDEA: Quickly establish a cybersecurity acquisition portal (GovCAP), similar to a wiki or a GSA Category Management Hallway, open to government and industry to help accelerate sharing, adoption, and implementation of best practices and tools

The GovCAP, like a Hallway, would be a complete knowledge, best practices and exchange of ideas center. This portal could help address inconsistencies in how acquisition policies, rules, and regulation are implemented in the Federal government.

It is suggested that this be managed by GSA, but overseen jointly by DOD, DHS, OMB and NIST.

1) It should include all current and proposed federal government contract requirements, as a minimum.
2) It should include sample acquisition evaluation criteria and evaluation methodologies.
3) It should allow for exchange of best practices, posting of articles, and also include experiences with new contract requirements and evaluation criteria.
4) It should allow for connection to government cybersecurity centers of excellence for government personnel and possibly contractor personnel for help with questions.
5) It should allow for both classified and unclassified cybersecurity intelligence and countermeasures to be shared by government and industry acquisition personnel as appropriate and needed.

IDEA: Professionalizing Cyber Risk Management Through Cyber Insurance

The Federal government should develop approaches and incentives to leverage recent developments in cyber insurance and new tools, technologies and concepts that help assign financial values to cybersecurity risks. Agencies should provide analytics that quantify the financial impact on business and the loss of intellectual property.

For those in the Federal Government that think cyber insurance is years away, think again. Last year the Chief Risk Officer’s (CRO) Forum released a report titled “Cyber Resilience – The Cyber Risk Challenge and the Role of Insurance.” Cyber insurance is a rapidly growing market offering. Sales reportedly doubled between 2013 and 2014 and many insurance providers are swamped with applications. The benefit of insurance is being realized as Target is expected to recover $90 million, of the estimated $250 million loss, from their insurance in the wake of their breach. Cyber insurance provides a new calculus that monetizes adverse cyber impacts so C-level executives are no longer faced with an ethereal concept. So how is this relevant to the Federal Government? New products and services are already hitting the market. New tools using the Factor Analysis of Information Risk (FAIR) industry standard risk model to calculate quantifiable costs are now available. The insurance industry’s codification of risks will be incorporated into similar tools that will quantify risks and enable organizations to calculate what type, and how much, cyber investment is needed for each area. Likewise, the Carnegie Mellon Software Engineering Institute (SEI) has developed a CERT® Resilience Management Model that provides a maturity model of an organization’s cyber operations. This model acts similarly to the Capability Maturity Model Integration (CMMI) that is used in the software industry to measure an organization’s maturity level in developing and managing software. This type of maturity modeling will allow insurers to assess a company’s cyber capabilities against the calculated financial risk. CISOs are being trained at places such as Carnegie Mellon to approach cyber from a risk based approach versus the formal, checklist driven compliance methodology that has been employed in the past. This risk-based approach aligns with the objectives of the insurance industry.

Ideas Related to Using the Acquisition Process To Modernize IT Infrastructures

The complexity of the IT infrastructure and associated cyber threats and vulnerabilities has increased exponentially and computer systems are becoming increasingly interconnected and interdependent. Continuing to meet these threats with legacy infrastructure and “bolted on” security is like running a marathon with ankle weights. It can be done, but it is exceedingly difficult, one’s finishing time will be slow, and there’s a big risk of injury. We need to “out-innovate” adversaries on a continuous basis and ensure more resilient systems environments. The outdated IT infrastructure prevalent in many agencies is an impediment to Government cybersecurity. Legacy systems are often managed and secured in a “stovepiped” manner with vendor-specific management stacks. Furthermore, they generally require more manual activity, which means slower response time, as well as being more expensive and error-prone.

IDEA: Agencies should use new development, capital renewal cycles, and service contract transitions as opportunities to migrate to shared, virtualized and software-driven infrastructures

There are multiple potential security benefits from shared services (see http://federalnewsradio.com/commentary/2015/07/shared-services-key-part-21st-century-federal-cyber-strategy/). For one, technologies like Software Defined Networking and Network Function Virtualization can improve security by automating the propagation of security policies across the network infrastructure, implementing advanced security with service chaining, and dynamically changing network topology in response to detected threats and intrusions. Modern IT will make other security measures, such as encrypting data at rest, easier to implement. With shared services, there would be fewer, more centrally managed systems. Lastly, and perhaps most importantly, shared and cloud services can provide cost advantages for both capital expenditures and operational expenses. With less cost and focus spent on procuring, operating and maintaining expensive obsolete infrastructures, agencies could allocate more resources and focus to cybersecurity.

Of course, shared, virtualized and software-driven infrastructures also carry some of their own security risks, which must be recognized and mitigated. For example, networking Operating Support Systems must be modernized and include end-to-end orchestration capabilities to automate the provisioning, testing, upgrading and configuring of IT. Components such as a Software Defined Network controller must be considered high-value assets, safeguarded appropriately, and provisions made for rapid incident recovery. And cloud computing can be insecure without adequate controls. For example, the ease with which Virtual Machines are created, transported and used can increase their vulnerability to exploitation by malicious software. There are clear advantages to procuring IT and networking infrastructure as an outsourced or managed service. Standardizing processes and supporting technology can improve security effectiveness and efficiency by reducing variation in security controls and eliminating duplication of security work and reporting. By standardizing technology, e.g. moving to a common financial shared services platform, agencies can significantly reduce the number of system setups, interfaces, security profiles, and manual workarounds, all of which streamlines security control design and testing. In all cases, the Government must contractually require and ensure that the service provider employs appropriate security provisions.

IDEA: Instituting a Cybersecurity Requirements Baseline for the Acquisition Lifecycle

Given the increasing susceptibility of networks, systems and applications to cyber breaches and attacks, the government needs to ensure cybersecurity requirements and standards are integrated throughout the entire acquisition lifecycle. In addition, acquisition personnel need to be adequately trained on those requirements to ensure they are correctly included.

IDEA: Integration of cybersecurity requirements is essential

From the establishment of the initial analysis for choosing a concept for an acquisition program or system, to the release of a solicitation and ultimately to the operations phase, integrating cybersecurity requirements is essential. Requirements developers and acquisition personnel determine which baseline requirements and performance measures should be included. The requirements should come from a cybersecurity reference guide that details the requisite technical elements necessary at each stage of the acquisition lifecycle (requirements, development, authorization and operations) depending on the type of acquisition. As an example, the FedRAMP baseline identifies a government-wide consensus on the cybersecurity control standards for cloud computing platforms. A reference guide could be modelled after the DoD Program Manager’s Guidebook for Integrating the Cybersecurity Risk Management Framework into the System Acquisition Lifecycle Version 1.0 which specifies in detail the requirements needed at each phase of the lifecycle. A standard set of requirements can help ensure that cybersecurity protections are included throughout the acquisition process. It can also assist solution providers in understanding and successfully fulfilling the government’s requirements. Model cybersecurity contract requirements language could be developed to accelerate adoption and improve consistency across programs and agencies. This language could also address secure supply-chain and system integration and interconnection issues.

IDEA: The government should limit sources to Original Equipment Manufacturers (OEMs), authorized resellers, and trusted suppliers, and the qualification should be incorporated into the full acquisition and sustainment life cycles, starting with requirements definition, acquisition planning, and market research

The 2013 DoD-GSA Report entitled “Improving Cyber security and Resilience Through Acquisition,” recommends this approach for high risk acquisitions. The report states that purchasing only from such “trusted sources” is the best approach to reducing the risk of receiving inauthentic or otherwise nonconforming items. These directions are a result of the President’s Executive Order 13636 of February 12, 2013, “Improving Critical Infrastructure Cyber Security.” OPM is applying these standards to all of their procurements.

IDEAS Related to Improving IT Acquisition Training for Acquisition Professionals

IDEA: Acquisition personnel should be trained on cybersecurity best practices, standards and baselines as they apply to the acquisition lifecycle

Requirements need to be well thought out and specific to an acquisition; therefore acquisition professionals need to be knowledgeable and well trained in the cybersecurity requirements and standards to ensure there is no ambiguity in the requirements requested. Adequate training ensures that these requirements are accurately included in the acquisition process and reduces the time and money spent on contractor questions during the solicitation process and the subsequent myriad of change amendments they create. Acquisition officials do not need to be experts in cybersecurity, but they must be able to recognize what types of requirements are needed for acquisitions that pose a cyber-risk.

IDEA: Cyber Security skills-based and performance-based awareness, training, education and certification must include program and project managers; system and data owners; contracting officers (COs) and contracting officers representatives (CORs); configuration managers and the employees and executives of vendors offering or providing the IT services

IT certifications are an excellent approach to demonstrate professional competency in a certain aspect of technology. Certifications often follow some assessment, education or review. One difference with certifications in IT is that they are often vendor-specific. Integration and interconnection of disparate systems often distorts or modifies system boundaries that were originally accredited and authorized. During the initiation phase of any IT project, a basic cyber security awareness module should be developed that focuses procurement personnel on the requirements to include cyber security protections in all phases of the system development life cycle. Awareness will serve as a reminder of the basics. Training should provide the “how to” of the process of understanding and incorporating cyber security into the actual procurement process. Cyber security training modules are recommended as additional training for procurement, project and program management personnel. There are many procurement manager and officer, purchasing manager, sourcing and supply chain management certifications. Many of these disciplines include IT acquisition. The initiative should begin to reach out to the certifying programs to include cyber security in the certification curricula. It is recommended that the cyber community widely adopt NIST Special Publication 800-128, Guide to Security-Focused Configuration Management of Information Systems.

CONCLUSIONS AND NEXT STEPS

Information technology is intricately woven into the fabric of government, commerce, and our daily lives. We have come to rely on and take advantage of technology’s potential to do things better, faster, cheaper and easier than ever before. Technology and its uses continue to evolve and expand rapidly.

However, every technology has strengths and weaknesses. Hackers, criminals, and nation states with malicious intentions all attempt to exploit weaknesses to their own advantage. If technology is to serve as an integral part of society and the economy, then we need to do a much better job at cybersecurity. For this reason, ACT-IAC conducted an open call for ideas and produced this report, to leverage the potential benefits of technology while simultaneously improving the security of government information and systems.

An impressive array of experts and organizations offered ideas for consideration in this report. Some of the ideas are relatively easy to implement, others are more difficult. Some can be done quickly and at low cost, others would take more time and resources. The ideas offer policy makers, decision makers, and practitioners new ways to tackle challenging cyber issues.

As a sign of the importance of this issue, many members of the community who contributed to this report have asked “what happens next?” and expressed interest in continuing to work on this issue. ACT-IAC and its Community of Interest groups will review next steps, particularly as they relate to sharing more actionable details around how to implement many of the excellent ideas shared through this cyber ideation initiative. In the meantime, we hope the readers of this report will consider these ideas, adopt ones where they see value, and share the results.

As a reminder, for a complete listing of the ideas submitted, go to: https://www.actiac.org/sites/default/files/cybersecurity-innovation-ideas.xls

APPENDIX 1 AUTHORS AND CONTRIBUTORS

Project Co-Chairs:

Dave McClure, Veris Group, LLC

Mike Howell, ACT-IAC

Major Contributors

Dan Chenok, IBM

Ed Silva, Centerpoint

Melinda Rogers, Department of Justice

Don Arnold, Quantified Perception

Ken Adams, KPMG

Christine Andrews, HP

Edward Liebig, Unisys

Mike Riley, Department of State

Katie Thatcher, US Cyber Command

John Bird, System 1

Tom Baughan, Monster Government Solutions

Rory Schultz, Department of Agriculture

Natalie Carey, Valiant Solutions

Bob Clarke, Monster Government Solutions

Joseph Cudby, Level 3 Communications

Brian Green, Learning Tree International

Debra Tomchek, ICF International

Jim Williams, Schambach & Williams

Don Johnson, Department of Defense

Kevin Gallo, General Services Administration

Cynthia Shelton, CenturyLink

Barry Wasser, U.S. Department of Agriculture

Angela Smith, General Services Administration

Chip Block, Evolver

Maria Roat, Department of Transportation

Christy Sanders, Knight Point Systems

Narpender Bawa, REI Systems

Ronald Banks, U.S. Air Force

Barry Chapman, Maximus

Mike Ligas, Lookout Mobile Security

Mike Palmer, Office of Management and Budget

Lou Kerestesy, GovInnovators

Johan Bos-Biejer, General Services Administration

John O’Conner, PWC

Kevin McPeak, Symantec

Brad Nix, Department of Homeland Security

Bridgit Griffin, U.S. Air Force

Alye Villani, Lockheed Martin

Dean Abrams, Unisys

Arnold Webster

Esteve Mede, Federal Election Commission

Lee Kelly, Environmental Protection Agency

Ken Durbin, Symantec

Mathew Neuman, Crossmatch

Banyat Adipat

Mark Orndorff, Suss Consulting