Kundra Outlines Infosec Priorities

Federal CIO on Creating a Secure, Trusted IT Environment
Editor's Note: This article is adapted from testimony delivered by Federal Chief Information Officer Vivek Kundra, whose statutory title is administrator of e-government and IT in the Office of Management and Budget, at a recent hearing of the House Oversight and Government Reform Subcommittee on Government Management, Organization and Procurement.

By Vivek Kundra

Recognizing that the best security is "baked in" to information technology investments and not added in separately or well after the investments have been deployed, the Office of Management and Budget needs to determine where, in the life cycle development of systems, agencies are spending their resources. The information collected for fiscal year 2009 is the beginning of the process of obtaining this crucial cost data.

In the coming years, access to continually refined cost data will allow OMB to evaluate the efficiency of federal expenditures on security. The collection of detailed information, especially when combined with performance-based metrics, will allow OMB and agency management to make informed, risk-based decisions on where to allocate scarce resources.  

Last June, we launched the IT Dashboard, which allows the American people to monitor IT investments across the federal government. Building on the foundation of the dashboard, we launched TechStat Accountability Sessions this past January. A TechStat accountability session is a face-to-face, evidence-based review of an IT program with OMB and agency leadership, powered by the IT Dashboard and input from the American people. TechStat sessions enable the government to turn around, halt or terminate IT investments that do not produce dividends for the American people. Investments are carefully analyzed with a focus on problem solving that leads to concrete action to improve performance. In particular, we have applied this approach to federal IT security projects. For instance, several of the TechStats conducted to date have focused on security, such as agency Homeland Security Presidential Directive 12 implementation efforts. (HSPD-12 is entitled Policy for a Common Identification Standard for Federal Employees and Contractors.)

To achieve true situational awareness and to fully harness the power of the federal government to address the challenges of cybersecurity, we must take an enterprise approach. We are taking a number of steps to move us forward: improving the effectiveness of the federal cybersecurity workforce, implementing a federal enterprise security posture, coordinating incident response, leveraging federal purchasing power and employing federal identity management.

The White House has formed an interagency working group to establish the National Cybersecurity Education Initiative. This working group defined four tracks of work that are now underway:

  • National awareness campaign led by the Department of Homeland Security;
  • Formal cybersecurity education program led by the Department of Education;
  • Federal workforce structure program led by the Office of Personnel Management and the Department of Defense; and
  • National workforce training and professional development program led by the Departments of Homeland Security and Defense, and the Office of the Director of National Intelligence.

Through initiatives such as the Trusted Internet Connections, or TIC, and the Federal Desktop Core Configuration, or FDCC, we are standardizing good security practices across the federal enterprise. The TIC initiative is composed of two distinct efforts: The first is to reduce the target profile of federal agencies by decreasing the number of external access points. The second is to implement an intrusion detection system using passive sensors to identify when unauthorized users attempt to gain access to those networks.  

The FDCC establishes a consistent security configuration for desktops and laptops running Windows-based software across federal agencies. This configuration includes basic security measures such as turning off ActiveX controls, a common infection vector, by default.  

Coordinate Incident Response

The president's Cyberspace Policy Review identified response and coordination efforts around cyber incidents as a key area for improvement. As a result, the Department of Homeland Security, in coordination with the White House and various stakeholders from government and industry, is developing a new National Cyber Incident Response Plan. The plan will outline key cyber roles and responsibilities across the nation, linking all levels of government and the private sector. It is intended to describe how every day, steady-state cyber incident management activities expand to manage incidents that require a coordinated national response.  

We also are leveraging blanket purchase agreements and other government-wide acquisition vehicles to enable agencies to purchase security tools in an efficient manner. For instance, in the fourth quarter of 2009, a blanket purchase agreement was announced that included tools to help agencies develop an accurate inventory of information resources managed at their agency, and maintain an up-to-date awareness of information regarding cybersecurity threats.  

The ability of federal agencies to accept credentials of other agencies' employees is fundamental to government-wide coordination. As part of this effort, OMB continues to oversee the implementation of the strong federal identity management scheme outlined in HSPD-12, which requires agencies to follow specific standards and business processes for the issuance and use of personal identity verification smartcard credentials. When used in accordance with NIST guidelines, the credentials provide a number of benefits including secure access to federal facilities and disaster response sites, as well as multi-factor authentication, digital signature and encryption capabilities. As of December 1, 2009, over 5 million personal identity verification credentials - 82 percent of those needed - had been issued to the federal workforce, as reported by agencies.  

Moving beyond federal identity management, the Cyberspace Policy Review also calls for development of a "cybersecurity focused identity management vision and strategy." In response to this requirement, the White House has established an effort to develop a National Strategy for Secure Online Transactions. The goal of this effort is to improve the trustworthiness and security of online transactions by facilitating the establishment of interoperable trust frameworks and implementation of improved authentication and authorization technology and processes for all online transaction participants, across federal, civil and private sectors. OMB, in conjunction with the Federal CIO Council, has developed personal identity verification interoperability policy and criteria for acceptance of non-federal credentials.

Integrated Plan for R&D  

The president's Cyberspace Policy Review calls for sharing responsibility for cybersecurity by improving the partnership between the private sector and government; and encouraging innovation in game-changing technologies in coordination with industry and academia. This expands on the goal of the Comprehensive National Cybersecurity Initiative to strengthen the future cybersecurity environment by coordinating and redirecting research and development efforts across the federal government.  

These goals have been embraced under White House leadership. Progress includes:

  • The National Cyber Leap Year, gathering input from more than 300 private sector white papers and a national summit to develop a shared game-changing R&D strategy focused on moving target, tailored trustworthy spaces and cyber economic incentives;
  • A joint financial services sector/government task group, developing a real-traffic cybersecurity test bed; and
  • A working group of industry leaders, university researchers and government representatives formed around cybersecurity insurance as a market force for improved security.
 

The Cybersecurity and Information Assurance Interagency Working Group coordinates R&D activities for unclassified efforts, the Special Cyber Operations Research and Engineering group for classified activities, and the Senior Steering Group for Cybersecurity bridges these groups and provides overall direction and guidance. Research supported under these efforts and conducted in both government and private settings includes cybersecurity metrics, security automation, network protection and defense, secure software engineering, and other areas to create the next generation of cybersecurity capabilities.  

The administration has taken a number of steps to improve cybersecurity across the federal government in the past year. However, security is a journey, not a destination. The threats we face are numerous, evolving faster than our cyber defense, and have the potential to do great harm. We are moving forward. For example, the government has won praise for the work we did to contain Conficker. A representative of the Conficker Working Group said, "For the first time the government is taking the lead in a technical security issue, rather than lagging."  

A secure, trusted computing environment in the federal government is the responsibility of everyone involved from the agency heads to those charged with oversight. It entails employees, contractors and the American people working together to create a culture of vigilance and security to enable us to continue to efficiently leverage the power of technology while respecting the privacy and civil liberties of the American people.

This will not be easy nor will it take place overnight. Our current actions represent important steps towards a stronger federal cyber defense, but we must remain ever-vigilant.


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
