
Federal Cybersecurity Strategy Revised

30-Day Sprint Leads to New Information Security Implementation Plan

Federal CIO Tony Scott

The so-called 30-day cybersecurity sprint championed by Federal CIO Tony Scott has resulted in a cybersecurity strategy and implementation plan, or CSIP, for federal government civilian agencies that focuses on a defense-in-depth approach to IT security.


The White House Office of Management and Budget on Oct. 30 issued the CSIP that relies on the layering of people, processes, technologies and operations to achieve more secure federal information systems.

"There are no one-shot silver bullets; cyberthreats cannot be eliminated entirely, but they can be managed much more effectively," Scott says in a blog. "CSIP helps get our current federal house in order, but it does not re-architect the house."

The CSIP's five objectives include:

Prioritized identification and protection of high-value assets and information;
Timely detection of and rapid response to cyber incidents;
Rapid recovery from incidents when they occur and accelerated adoption of lessons learned from the sprint assessment;
Recruitment and retention of the most highly qualified cybersecurity workforce talent the federal government can bring to bear; and
Efficient and effective acquisition and deployment of existing and emerging technology.

Seeking Sophisticated Defenses

"As cyberthreats become increasingly sophisticated and persistent, so must our actions to tackle them," Scott says. "From the public sector to private industry, we can best do this by properly funding cybersecurity investments, strengthening processes for developing, implementing and institutionalizing best practices; developing and retaining the cybersecurity workforce; and collaborating between public and private sector research and development communities to leverage the best of existing, new and emerging technology and talent to enhance federal cybersecurity."

In June, the Office of Management and Budget - where Scott's office is situated - launched the sprint to assess and improve the health of federal information assets and networks (see Ramping Up Agency Security, Yet Again). As part of the sprint, OMB directed agencies to further protect federal information, improve the resilience of their networks and report on their successes and challenges.

OMB specifically instructed agencies to immediately patch critical vulnerabilities, review and tightly limit the number of privileged users with access to authorized systems and dramatically accelerate the use of strong authentication, especially for privileged users.

In August, Scott reported that federal civilian agencies increased their use of strong authentication for privileged and unprivileged users. Specifically, he said federal civilian agencies increased their use of strong authentication for privileged users from 33 percent to nearly 75 percent - an increase of more than 40 percentage points since agencies last reported their quarterly data on Performance.gov. This was accomplished mostly through the use of personal identity verification cards, which can be used as a second factor to access government IT.