Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government
- Consolidating Mission-critical Systems
- Constituent Servicing
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Eliminating the Pitfalls: Steps to Virtualization in Government
- Federal Executive Forum
- Federal Tech Talk
- Government Cloud Brokerage: Who, What, When, Where, Why?
- Government Mobility
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Mobile Device Management
- The Modern Federal Threat Landscape
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- Satellite Communications: Acquiring SATCOM in Tight Times
- Transformative Technology: Desktop Virtualization in Government
- Understanding the Intersection of Customer Service and Security in the Cloud
Shows & Panels
Cross-agency priorities give cyber an in with non-IT officials
Friday - 10/12/2012, 5:16am EDT
Andy Ozment, senior director in the White House's Cybersecurity Coordinator Office, said Thursday more budget folks understand why cybersecurity matters.
"We are using the cross-agency cybersecurity priority to drive improvements across our three priorities," he said, during a presentation at the Information Security and Privacy Advisory Board meeting in Washington. "We are seeing improvements whether it's with agency CFOs or the Office of Management and Budget's budget folks. They have a more clear understanding and focus of cybersecurity."
Ozment said the cross-agency cybersecurity priority addresses the administration's top three priorities: strong authentication through the use of Homeland Security Presidential Directive-12 smart identification cards, the Trusted Internet Connections initiative and the implementation of continuous monitoring.
14 governmentwide goals
The White House in its fiscal 2013 budget request to Congress outlined 14 cross-agency priorities, ranging from job training to energy efficiency to data center consolidation.
Each has a specific goal agencies are trying to achieve. Under cybersecurity, the administration wants agencies to have implemented critical capabilities across at least 95 percent of their systems by 2014.
By getting the budget folks to recognize the importance of cybersecurity, IT folks can more easily make their cases for spending on specific areas.
Donna Dodson, deputy chief, computer security division, NIST
For instance, one hole in agency cyber programs is in the operating systems they use.
Donna Dodson, the head of the National Institute of Standards and Technology's computer security division, said many are stuck in a Microsoft Windows XP world and aren't taking advantage of the security upgrades built into Windows 7 or Windows 8.
She said many times that decision has to do with a business trade off the agency is making, and getting the budget people to understand why the investment is needed is difficult.
"Sometimes when you put some of these new systems in place, you break critical applications, and these operating systems do need to be thoroughly tested," Dodson said. "Sometimes you need to understand these are the critical applications that will break and it will not work for me, or here are the critical applications that will break, how do I fix them? Or I am going to accept that not everything I have in place today will work."
Rob Carey, the Defense Department's deputy chief information officer, said the military services are using an array of operating systems, ranging from Windows NT to Windows XP. He even recently visited a Navy base where in the classified area they were using green screens, meaning very early computers, with early versions of DOS or Unix-20-to-30 year old technology.
Cloud, mobile complexities
Dodson said the decision to move to a new operating system only becomes more complicated because of cloud computing and mobile devices. She said NIST is trying to help out.
"With things like bring-your-own devices to work and thinking about cloud technology, we are trying to understand not just what that device needs to do, but also the back-end enterprise and what those capabilities need to be from an infrastructure standpoint whether it's cloud or something you have available in your own agency or enterprise today," Dodson said. "In addition, we are looking at technologies related to operating systems, vulnerability management, configuration management and security automation as a strong underpinning for enterprises, for clouds, for mobility that really have an effect that you can support things like continuous monitoring."
NIST also is helping with the technical pieces of the cyber cross agency priority goal in these areas.
Dodson said NIST is developing the update to the HSPD-12 standard.
"We want to give people strong tools that they can use to support both logical and physical access control using those cards," she said. "Today, we have standard reference material agencies can buy for a small fee where you get [HSPD-12] cards and some back end infrastructure so as you are building that capability for use of identity management with logical access control you have the test background in order to make it happen."
Around continuous monitoring, Dodson said NIST is further developing the standards based approach to security automation controls.
"Having those underpinnings in products and having that availability to support continuous monitoring is critical as we move forward," she said.