Some details about the White House’s governmentwide Cybersecurity Implementation Plan dribbled out Wednesday ahead of the strategy’s official release, expected any day now.
An official with the White House’s Office of Management and Budget gave some details on the forthcoming plan, which will look to extend the Cybersecurity Sprint called for by federal CIO Tony Scott in the wake of the massive OPM hack and other data breaches across the federal government.
Chris DeRusha, a senior analyst with OMB’s Cyber and National Security Unit, called the plan a “broad, comprehensive document” that will give agencies an idea of what they can do to immediately improve their cybersecurity stance as well as what needs to implemented over the next six to 12 months.
“There is some strategic overlay of the direction we are headed, and some discussion on why we are headed that way, but this is an action plan,” DeRusha said during a meeting of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board.
DeRusha highlighted five “high-priority areas” that the plan will address:
- Prioritizing identification verification and protection of high-value information and assets.
- Timely detection and rapid response to cyberthreats.
- Rapid recovery for incidents when they occur, and acceleration of adoption of lessons learned.
- Recruitment and retention of the most high-qualified cybersecurity workforce talent.
- Efficient and effective acquisition, and deployment of existing and emerging technologies.
He said that more attention was given to the last two bullet points. Those sections are filled with ways the government can “connect resources, make things clearer to agencies, tell agencies what they can do and how they can do it.”
The plan will also have more details on what agencies accomplished during this past summer’s cybersecurity sprint. Initially, Scott said federal agencies have greatly increased their use of strong authentication measures for network users. From April to the end of July, there was a 30 percent increase (from 42 to 72 percent) in the use of authentication for privileged and unprivileged users. Privileged users saw a 40 percent jump (from 33 to 75 percent).
DeRusha said measures like this are about prioritizing the weakest points in federal systems while also trying to change the security approach to one focused on risk assessment.
“We are focused on where we think all of those high priority areas are and then fill the further gaps that are going to take further efforts to close,” he told the board. “It’s not about not needing to do everything at once, it’s about getting things done. Sometimes you just need to pick things to do them.”
As for the plan’s release, DeRusha offered no other time table than to say it would be out “very soon.”
But given that a team of 100 experts from across the government and private industry helped craft the plan, he expects agencies to grasp its importance.
“I know that’s hard to believe for folks who have been in this space for 30 years, but people really understand this is something they need to focus on from a corporate level,” DeRusha said. “You see that in boards, you see that in C-suites, and you certainly see it in cabinet-level leadership. I don’t think there’s a problem anymore of convincing people they need to focus on this.”