The White House’s Office of Management and Budget released its long-awaited Cybersecurity Implementation Plan Friday, charting out a series of mandatory actions and deadlines for federal civilian agencies, designed to improve the protection of their data and IT networks.
The five-point plan builds off the 30-day cybersecurity sprint launched in the wake of the data breach at the Office of Personnel Management that affected more than 22 million current and retired federal employees.
The long-awaited plan focuses on five areas that OMB will lead or oversee over the course of next year in order to secure federal systems:
- Prioritized identification and protection of high-value assets and information;
- Timely detection of and rapid response to cyber incidents;
- Rapid recovery from incidents when they occur and accelerated adoption of lessons learned from the sprint assessment;
- Recruitment and retention of the most highly qualified cybersecurity workforce talent the federal government can bring to bear; and
- Efficient and effective acquisition and deployment of existing and emerging technology.
“As cyber threats become increasingly sophisticated and persistent, so must our actions to tackle them,” Federal CIO Tony Scott wrote in a blog post. “From the public sector to private industry, we can best do this by properly funding cybersecurity investments, strengthening processes for developing, implementing and institutionalizing best practices; developing and retaining the cybersecurity workforce; and collaborating between public and private sector research and development communities to leverage the best of existing, new, and emerging technology and talent to enhance federal cybersecurity.”
The plan imposes a series of deadlines that require federal agencies to rapidly ramp up their cybersecurity.
Right off the bat, agencies have just two weeks to determine which data and systems on their networks should be considered a high-value asset, reporting back to OMB by Nov. 13. From there, the director of national intelligence will determine by the end of the year which of those assets are most likely to be attacked, with the Defense Department, Department of Homeland Security and intelligence agencies continuously diagnosing and mitigating the risks facing the assets.
Over the course of the next year, the plan holds agencies to a number of deadlines surrounding the following: the implementation of the second phase of DHS’s Continuous Diagnostics and Monitoring Program, the increased use of PIV cards for both privileged and nonprivileged users, guides to help agencies recover from major cyber incidents, an acceleration of hiring specifically to boost the federal government’s cyber workforce, and new procurement capabilities that will allow the government to quickly purchase new and emerging cybersecurity technology.
In addition to the plan, OMB released guidance to agencies on how to comply with new regulations issued after last year’s rewrite of the Federal Information Security Management Act. One of the biggest additions to the FISMA guidance is a definition of a “major cybersecurity incident,” along with a new requirement that any agency which suffers such an incident is to report it to Congress within seven days.
Other parts of the FISMA guidance cover the federal adoption of the NIST Cybersecurity Framework, increased focus on CyberStat review sessions, and additional face-to-face privacy program reviews for agencies.
Over 100 experts from across the government and private industry helped craft this plan in the wake of the cybersecurity sprint, telling Scott that he needed to “double down” on some of the already-crafted plans laid out by the federal government that were intended to overhaul federal IT.
“We must acknowledge the modern reality that the work of addressing cyber risks is never finished and is ever changing,” Scott wrote. “There are no one-shot silver bullets. Cyber threats cannot be eliminated entirely, but they can be managed much more effectively. [The Cybersecurity Implementation Plan] helps get our current Federal house in order, but it does not re-architect the house.”
You can read the full implementation plan and FISMA guidelines below.
Cybersecurity Implementation Plan by Greg Otto
FISMA guidance by Greg Otto