White House grading agency cyber progress
Friday - 10/28/2011, 5:50am EDT
The Office of Management and Budget, the Homeland Security Department and the White House cyber coordinator's office gave deputy secretaries a high-level scorecard highlighting their agency's current status against goals for Trusted Internet Connections, implementing continuous monitoring and using secured identity cards to log on to computer networks.
Howard Schmidt, the White House cyber coordinator, said DHS developed the scorecard from the CyberStat sessions that have been held with agencies. During the sessions, DHS, OMB and Schmidt's office reviewed agency progress in securing computers and networks.
White House cybersecurity coordinator Howard Schmidt. (Photo: Veni Markovski)
The administration issued the first scorecard earlier this summer during a meeting of the President's Management Council, which is made up of agency deputy secretaries.
"The scorecard is something that is at their level," he said. "The more technical things go through the CyberStat working with the departments and agencies. Clearly this is something the deputy secretaries through their senior management role can then focus on."
One member of ISPAB described the four areas of the report card:
- Continuous monitoring: How are agencies prepared to do it? Do they have an up-to-date IT inventory? Can they do configuration scans and vulnerability scans?
- Trusted Internet Connections initiative:
  - What percentage of the agency's network traffic is going through the TIC?
  - What percentage of the TIC reference architecture is in place?
- HSPD-12 or secure identity cards: What percentage of the agency's employees are using the secure identity card to log on to the computer network?
Additionally, the administration mandated that agencies implement continuous monitoring by the end of fiscal 2012. OMB also required agencies to use the CyberScope tool to submit standard data on the health of their IT systems by Sept. 30.
The idea of a scorecard isn't new. The Obama administration uses a red, yellow and green dashboard to measure several initiatives from open government and regulatory reform to IT spending. The Bush administration used a similar color-coded scorecard to measure about 10 governmentwide initiatives.
Jacob Olcott, a principal with Good Harbor Consulting, said a high-level scorecard does two things to improve oversight.
"It's hard to say whether the problem has been that senior managers weren't aware of the programs before or if these things are complicated technical and policy issues that could explain the delay in implementation," he said. "I don't think there is anything inherently wrong with creating scorecards and letting senior managers know what's happening on their systems and with their networks. The other positive aspect is it really provides the legislative branch with a little more access into what's happening on agency systems so they can begin to have a more complete understanding."
Olcott, who recently left the Hill, where he was counsel to Senate Commerce Committee Chairman Sen. Jay Rockefeller (D-W.Va.), worked on the cyber legislation that is currently going through Congress.
Having a high-level scorecard could also get senior officials to put more emphasis, including people and financial resources, into these programs to either meet the deadlines or at least show progress to OMB and DHS, Olcott added.
Along with these four initiatives, Schmidt said his office is considering creating governmentwide security controls.
Schmidt said agencies are using different tools with varying levels of effectiveness. He said a set of governmentwide controls would set the baseline for what the software must do to secure the network. This is similar to the way OMB, the National Institute of Standards and Technology and the National Security Agency developed the Federal Desktop Core Configuration, or what is now called the U.S. Government Configuration Baseline. This baseline provides agencies with a minimum set of standards for the Microsoft operating system.
As part of the continuous monitoring effort, DHS is working with the Justice Department on the legal issues to implement Einstein 2 and pave the way for Einstein 3. Einstein is software that helps secure agency networks by collecting data about the traffic on agency networks and funneling it to a central location where DHS can identify trends. Einstein 2 is focused on intrusion detection, while Einstein 3 is focused on intrusion prevention and will give DHS the ability to automatically detect and disrupt malicious cyber activity.
While there still is plenty to be done this year, Schmidt said plans for 2012 are starting to come together.
"We're looking back through the 2003 National Strategy to Secure Cyberspace, the Comprehensive National Cybersecurity Initiative and the Cyberspace Policy Review to see where things are and where they need to go," Schmidt said. "What are the things we have defined process now? Whether it's coordination across all of government, bringing in the law enforcement community, the homeland security remediation, the intelligence and defense communities, we now have a process that when something bad happens we have a group that comes together making sure we are all working together. That's institutionalized ... Part A is done and what are the next things we put on the schedules? Yes, we need to make progress on these. What are they? What are the milestones? Who's involved? Who has a stick on this?"
Among the areas that likely will be on the 2012 plan are mobile computing and identity management, Schmidt added.
Also among the 2012 outlook is the renewed push for comprehensive cyber legislation.
Schmidt met with members of Congress last week to discuss the administration's cyber proposal and answer questions.
"Anytime you look at something on paper, there oftentimes followed behind it 'What is the intent of this? Why did you use this particular phrase instead of something else?'" Schmidt said, describing the conversation on the Hill. "That was a very positive discussion."
The data breach notification proposal was one of the biggest areas lawmakers and staff had questions about, he said.
Optimistic on cyber bill
Schmidt said lawmakers have a strong commitment to move forward and he remains optimistic.
But Olcott said getting the comprehensive cyber bill through both houses of Congress depends on time — of which there is little — and Congress still has a lot to get done.
"There is a lot of common ground when you think about information sharing and roles and responsibilities of certain federal agencies, and certainly reforming the Federal Information Security Management Act," he said. "The devil is always in the details. That is where members and staff have been spending their time trying to figure out how to write the legislation and reflect their priorities."
The House and Senate are taking different paths to a final bill, Olcott said. The House formed a cyber task force and has been holding hearings and investigations.
Congressman Mac Thornberry (R-Texas) issued the task force's cybersecurity legislative recommendations.
Olcott said each House committee with jurisdiction over cyber likely will come up with its own legislation that will have to be worked through the committee process.
The Senate, however, is further along. The upper chamber's lawmakers are closer to a comprehensive bill.
"We ended the meeting with the theme that we have to move forward with a bill," Schmidt said of his meetings on the Hill. "There was a strong commitment to move forward."