
Strengthening Federal Cybersecurity:
Results of the Cyber Innovation
Ideation Initiative
December 2015
3040 Williams Drive, Suite 500, Fairfax, VA 22031
www.actgov.org ● (p) 703.208.4800 ● (f) 703.208.4805
ACT-IAC: Advancing Government Through Collaboration, Education and Action
BACKGROUND
By all accounts, cybersecurity is a great concern across the federal government. Recent events, such as
the OPM data breach, underscore the need to reinforce cyber fundamentals and introduce new,
innovative ways to promote cyber resilience in an ever-changing threat ecosystem. OMB and the
Federal CIO have issued new cyber guidance designed to improve the security posture across agencies,
immediately and over time.
To help government address today’s cybersecurity challenges with real and practical solutions, the
American Council for Technology and Industry Advisory Council (ACT-IAC) initiated a “Community
Cybersecurity Innovation Initiative” that collected perspectives and recommendations from industry,
government and academia that could significantly enhance cybersecurity posture across Federal
agencies. The initiative solicited a broad array of ideas that address technical, policy, legal, operational,
managerial, acquisition, funding and research and development issues, each of which points to
opportunities for bolstering Federal cybersecurity. ACT-IAC did not solicit or accept information on
specific products or services.
ACT-IAC asked those contributing ideas to pay special attention to underutilized or new approaches that
have real potential to improve the government’s operational cybersecurity on a day-to-day basis – new
and plausible action steps that can bear near-term positive impact. Nearly 200 ideas were submitted
during the span of two months. ACT-IAC also cross-walked similar ideas contained in reports from other
associations, including ITAPS (the Information Technology Alliance for the Public Sector) and ISACA
(formerly the Information Systems Audit and Control Association) as well as other reports on cyber
acquisition and human capital needs.
Based on this information, we are providing this report to OMB’s Federal Chief Information Officer and
the Federal CIO Council. The report showcases major ideas received through this initiative as well as key
themes permeating across multiple challenge topic areas. The report is also publicly available online
at https://www.actiac.org/sites/default/files/cybersecurity-innovation.pdf.
ACT-IAC: ADVANCING GOVERNMENT THROUGH COLLABORATION, EDUCATION AND ACTION
The American Council for Technology-Industry Advisory Council (ACT-IAC) is a 501(c)3 non-profit, public-private
partnership established to improve government through the effective, efficient and innovative
use of technologies. ACT-IAC provides an objective, trusted, and vendor-neutral forum where
government and industry executives are working together to improve the delivery of services to the
public and the operations of government. Membership in ACT-IAC is open to all government
employees, private companies and educational institutions who share the organization’s commitment to
collaboration and better government. For additional information about ACT-IAC, visit the website at
www.actiac.org.
Disclaimer
This document is the result of a collaborative process that included a wide diversity of perspectives.
The views expressed in this document do not necessarily represent the official views of the individuals
and organizations that participated in its development. Every effort has been made to present accurate
and reliable information in this report. However, ACT-IAC assumes no responsibility for consequences
resulting from the use of the information herein.
Copyright
©American Council for Technology, 2015. This document may not be quoted, reproduced and/or
distributed unless credit is given to the American Council for Technology-Industry Advisory Council.
Further Information
For further information, contact the American Council for Technology-Industry Advisory Council at (703)
208-4800 or www.actiac.org.
12/14/2015
Tony Scott
Federal Chief Information Officer (CIO) and Chair, Federal CIO Council
The Office of Management and Budget
725 17th Street NW
Washington, DC 20503
Dear Mr. Scott:
Subject: Improving Cybersecurity Through Innovation
I have the honor of submitting to you the attached report “Strengthening Federal Cybersecurity: Results
of the Cyber Innovation Ideation Initiative”, which has benefited greatly from ongoing discussions with
you and your staff. As you are aware, we developed this report from ideas provided by government and
industry members of ACT-IAC as well as submissions from non-members.
We hope that you and the members of the Federal CIO Council find the report and the ideas it contains
useful in framing sound cybersecurity policies and processes for the government. We plan to post a copy
of the report on our public web site in a couple of weeks. We have received several expressions of
interest in continuing this effort beyond the report and inquiries about “what happens next?”. We
would like to meet with you and your staff if possible to answer questions, get feedback on the report,
and discuss opportunities for ACT-IAC to continue to help address this important topic in the future.
KENNETH B. ALLEN
Executive Director
American Council for Technology-Industry Advisory Council
TABLE OF CONTENTS (section ... page)
Executive Summary ... 1
Project Overview ... 5
Chapter 1: Addressing Cybersecurity Fundamentals ... 6
Chapter 2: Business Initiated Vulnerabilities ... 11
Chapter 3: Breach-to-Response Acceleration ... 14
Chapter 4: Adopting a Threat Aware Proactive Defense ... 17
Chapter 5: Sharing of Threat Intelligence ... 22
Chapter 6: Solving the Cyber Talent Search ... 25
Chapter 7: Executive Leadership-led Risk Management ... 30
Chapter 8: Building Effective Security into Acquisitions ... 33
Conclusions and Next Steps ... 40
Appendix 1: Authors/Contributors ... 41
EXECUTIVE SUMMARY
Information technology (IT) is an integral part of life for millions of Americans, and IT permeates nearly
every aspect of our society, economy, and national security. New technologies provide for radical
improvements in efficiency, productivity and analytical capabilities. However, every technology has both
inherent value and inherent risks; sound cybersecurity can help address risks associated with the
business or mission use of IT.
Despite decades of law and policy that require government to improve its security and privacy, many
Federal agencies still struggle to effectively defend themselves against a torrent of cybersecurity
vulnerabilities and threats. The cyber risk ecosystem grows more complex and turbulent every day.
Agencies have reported millions of attempts to penetrate their networks, and multiple major data
breaches have resulted in the theft of billions of dollars in intellectual property and millions of personal
identities. Until actions are taken that effectively counter these kinds of threats systematically across the
government, agencies risk losing the public confidence and trust in on-line activity that is key to delivering
citizen and business services more efficiently through the use of technology.
Given the importance of cybersecurity to achieving Federal missions, and the breadth and depth of
knowledge that exists in both the private and public sectors regarding potential cyber solutions, ACT-IAC
developed an innovation management platform to catalogue promising practices for improving
government cybersecurity. The ACT-IAC “Community Cybersecurity Innovation Initiative” report
identifies constructive pathways that agencies could adopt to strengthen their cybersecurity programs.
The report is based upon 127 individual submissions, many of which contained multiple ideas, via the
collaborative on-line platform, addressing eight topical challenge areas:
1. Addressing Cybersecurity Fundamentals
2. Business Initiated Vulnerabilities
3. Breach-to-Response Acceleration
4. Adopting a Threat Aware Proactive Defense
5. Sharing of Threat Intelligence
6. Solving the Cyber Talent Search
7. Executive Leadership-led Risk Management
8. Building Effective Security into Acquisitions
Similar issues emerged within several of the categories; this illustrates both the integrated and complex
nature of cybersecurity. We discovered five key themes cutting across the eight topical challenge areas
created for our cybersecurity innovation ideation exercise:
• Much of what is required, expected or even possible in cybersecurity management is known to
cybersecurity professionals, but not fully or properly implemented across the government. As
such, many of the ideas submitted across the different challenge areas reinforce existing
requirements and approaches that still work (e.g. cyber governance and accountability, basic
risk management approaches, and fundamental security hygiene).
• Cybersecurity professionals and agency business executives need to communicate with each
other more directly and diligently about the connection between cybersecurity and mission
success.
• As agencies increase attention on executive level risk management, including the introduction of
Chief Risk Officers and Chief Data Officers, these executives would benefit from greater
interactions and engagement with Chief Information Officers and Chief Information Security
Officers for cybersecurity approaches to be effective.
• Cybersecurity related training in government is largely deficient. Greater emphasis is needed on
competencies, practice sessions and drills, and shared cyber knowledge management.
• Enhanced and timely operational information sharing (threats, incidents, and
solutions/responses) between industry and government is essential to future cybersecurity
improvements and overall threat detection, response, and prevention success.
Key themes also emerged in each of the individual challenge areas that are summarized below by report
chapter topic.
Addressing Cybersecurity Fundamentals
Too often, agencies lack clear responsibility and accountability for cybersecurity from the highest to the
lowest levels of every agency. Cybersecurity needs to be part of everyone’s job every day – once-a-year
training is not sufficient to sustain necessary vigilance. Leaders of effective cybersecurity programs have
accurate, continuously maintained inventories of their IT assets and their security controls. They
understand and communicate risks to the agencies’ programs in nontechnical, mission centric terms.
And they rely on accurate assessments to make risk-based decisions.
Business Initiated Vulnerabilities
The press of business and lack of awareness of potential cyber vulnerabilities and threats can drive
agency managers to implement technologies in ways that open greater risks. Increasing awareness,
improving asset management and access controls across business systems, and building security into
system and application development processes can reduce those risks. Providing agency business
program managers greater awareness and understanding of cyber risks in their day-to-day operations is
an essential element of improving government’s cyber posture.
Breach-to-Response Acceleration
Cyber breaches often go undetected for months (205 days is a combined industry/government average).
In some cases, agencies only discover breaches from third parties after the fact, rather than detecting
the breaches immediately and directly. Many agencies do not have proven, effective breach response
plans and procedures in place. The time from breach to detection to response needs significant
improvement. In addition to “signature-based” techniques, breach detection approaches where special
penetration teams mimic hackers using their tactics to spot threats based on pattern anomalies in web
traffic are growing in importance. Alternatively, software packages can rapidly analyze alerts against
threat probabilities for possible weaknesses in the system. While breach awareness technologies could
benefit from more research and development, technology alone cannot provide a total solution.
Shortening response time requires a combination of technology, threat knowledge, and the evolving skill
sets of cybersecurity practitioners.
Adopting a Threat Aware Proactive Defense
Government still focuses primarily on perimeter defense and incomplete defense-in-depth strategies. By
modernizing security approaches beyond the perimeter-focused “moats and walls” approach, agencies
can transition to a “network of secured systems” to achieve multi-layered security and improve
resilience in the face of incidents that are bound to occur even with the best defense. Ideas submitted
encouraged refocusing on the right threat information, not trying to act on every small bit of low-risk
data. This entails creating competency models of adversaries and their techniques, and must be
followed by a focused data analysis, situational awareness, meaningful metrics, and relevant business
context to understand the threat and identify risk-based actions. In addition, Blue Team audits followed
by Red Team operations could be performed by in-house staff or pre-qualified contractors using
efficient government-wide contract services managed by the General Services Administration (GSA).
Sharing of Threat Intelligence
A good first step would be an evaluation to determine whether existing response structures and
programs for information sharing are too cumbersome and slow, or are otherwise meeting the need,
before creating any new ones. Broadening the use of the Cyber Threat Alliance (CTA), where security
vendors share zero-day threat intelligence with each other in near-real time by updating the controls
within their products without the end user customer getting involved, shows real promise. Ongoing
efforts also show promise on which to build; for example, the government might endorse and expand
the Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator
Information (TAXII) framework so that data breach reporting is more robust and shared widely across a
broad range of public and private sector users.
Solving the Cyber Talent Search
Qualified cybersecurity professionals are scarce and in high demand. Attracting, developing and
retaining a highly skilled cybersecurity workforce requires new approaches. Agencies need to recruit
earlier and more broadly, tap nontraditional pools of expertise, provide clear career paths and
professional development opportunities, and leverage available financial incentives to compete for top
talent effectively in this highly competitive market. Creating an elite Cybersecurity Corps made up of
industry expert volunteers or top college graduates with cybersecurity related degrees warrants
consideration.
Executive Leadership-led Risk Management
Effective risk management enables organizations to make informed decisions and prioritize scarce
resources to maximum effect. While most Federal agencies are aware of the concepts, many struggle to
implement effective, professional risk management. Adopting a standardized risk management
methodology that incorporates cybersecurity as a key element, teaching people how to use such a
framework, and engaging the most senior leaders to lead implementation and accountability for results
can improve the effectiveness of agency risk management programs. Implementing a framework that
emphasizes risks from cyberattacks to agency missions, as opposed to general cyber risks, is essential to
combat cyber threats and improve response effectiveness.
Building Effective Security into Acquisitions
Federal agencies use the acquisition process to buy a large percentage of the IT goods and services they
need to support their programs from the private sector. However, Federal acquisition processes are
generally slow and IT programs too often fail to deliver the technology and cybersecurity that agencies
need. Re-engineering acquisition business processes to make them more adaptive and agile, adopting
new service models, enhancing market incentives, and increasing the skill level of the IT acquisition
workforce could help overcome these barriers and enable agencies to acquire effective technology and
sound cybersecurity.
For a complete listing of the ideas submitted on-line, go to:
https://www.actiac.org/sites/default/files/cybersecurity-innovation-ideas.xls
PROJECT OVERVIEW
To facilitate the collection of ideas designed to improve cybersecurity in government, ACT-IAC used an
ideation approach designed to facilitate an open, public discussion of fresh approaches and techniques.
Using the services of a commercial ideation platform services provider (IdeaScale), ACT-IAC created a
web-site pre-populated with eight challenge topics. Once registered on the site, participants in the
ideation exercise could contribute ideas, comment on other people’s ideas, and vote for those they
found compelling and most useful. We received ideas across the eight challenge questions from a
diverse group of industry, government, non-profits, academia, and industry associations.
A snapshot of the website appears in Figure 1 below.
Figure 1: Cybersecurity Ideation Website
CHAPTER 1
ADDRESSING CYBERSECURITY FUNDAMENTALS
Challenge/Question: How do we move from inconsistent security/privacy protection control approaches
to solid fundamentals that address the most basic risks faced by agencies?
Introduction
While sophisticated cybersecurity threats and threat actors need to be addressed, there is also a
compelling case for practicing good cyber fundamentals as the foundation for an effective cybersecurity
program. Too often, post-incident analyses have determined that longstanding, widely known
vulnerabilities, with readily available solutions, were exploited. Reports over multiple years identify
continuing exploitation of known (but unmitigated) vulnerabilities with known solutions as the source of
the majority of cybersecurity incidents.
Despite widespread media coverage, numerous GAO and Inspectors General reports, training, and
policies, procedures and guidance that could help counteract this weakness, many Federal agencies still
do not have solid cybersecurity fundamentals in place. Reasons offered range from costs and resource
constraints, to impeding mission programs, to user inconvenience, to technical complexity and lack of
understanding. Mandates to improve cybersecurity have languished and fallen short for many years. In
September 2015, GAO reported [1]:
“Persistent weaknesses at 24 federal agencies illustrate the challenges they face in effectively
applying information security policies and practices. Most agencies continue to have
weaknesses in (1) limiting, preventing, and detecting inappropriate access to computer
resources; (2) managing the configuration of software and hardware; (3) segregating duties to
ensure that a single individual does not have control over all key aspects of a computer-related
operation; (4) planning for continuity of operations in the event of a disaster or disruption; and
(5) implementing agency-wide security management programs that are critical to identifying
control deficiencies, resolving problems, and managing risks on an ongoing basis. These
deficiencies place critical information and information systems used to support the operations,
assets, and personnel of federal agencies at risk, and can impair agencies' efforts to fully
implement effective information security programs. In prior reports, GAO and inspectors general
have made hundreds of recommendations to agencies to address deficiencies in their
information security controls and weaknesses in their programs, but many of these
recommendations remain unimplemented.”
A more methodical, deliberate approach to cybersecurity is needed. There is often a lack of
accountability, knowledge, and awareness from an organizational and personnel perspective. At the
organization level, security standards and regulations need to be more closely adhered to and
compliance strengthened and audited by an independent organization, such as the Inspectors General.
Departments and agencies need to have a better understanding of their IT portfolios and which of those
systems hold the highest priority during a cyber-crisis. On the personnel level, better training and
awareness is necessary. There is a need for increased accountability at all levels.
Recommended approaches to address these concerns include:
[1] GAO, Federal Information Security: Agencies Need to Correct Weaknesses and Fully Implement Security Programs,
http://www.gao.gov/assets/680/672801.pdf
• Inventory, assess risks, and prioritize all IT and information assets.
• Link vulnerabilities and threats directly to mission/business risks and impacts.
• Make personnel more accountable for cybersecurity events.
• Provide more frequent, in-depth cybersecurity awareness training for personnel.
• Apply and enforce cyber standards such as FISMA and the NIST Cybersecurity Framework at the
department/agency level.
• Conduct independent cyber assessment of organizations.
• Make ongoing cybersecurity less personnel-dependent and easier to implement.
The ideas submitted suggested five categories of action: People, IT Asset Prioritization, Assessments,
Operations, and Legislation/Regulation. The major ideas in each category are discussed below.
People-Focused Ideas
IDEA: Take a Behavior-Based Approach
Identify and describe the current activities which need to change, e.g., leaving a device connected to a
secure network unattended; writing down passwords and leaving them public, visiting unauthorized
websites, etc. Identify each issue which needs to be corrected and why. Identify and document new
processes and desired behavior which will correct the issues. Identify the people and organizations
responsible for maintaining the process and the incentives and disincentives required to ensure the
desired behaviors and outcomes.
IDEA: Increase Leadership Accountability
No real accountability exists today for executives with regard to cybersecurity failures. Accountability
should exist in cases where known security program weaknesses, including those identified in audits and
continuous monitoring, existed before an incident and executives failed to address them.
Unsubstantiated risk acceptance should not be an acceptable excuse for failing to address security gaps.
IDEA: Make Cybersecurity Everyone’s Responsibility
The biggest cybersecurity threat is people, whether intentional or unintentional. Cybersecurity should
become a core aspect of organizational culture to encourage broader awareness and understanding for
what security initiatives are striving to achieve. To address this issue:
a. Heads of departments/agencies should emphasize importance of security.
b. Individuals should be held accountable for security.
c. Cybersecurity training should be more frequent.
d. Well documented policies should be provided with consistent enforcement.
IDEA: Increase Continuous Awareness
Use a “Cyber Tip of the Day” to systematically improve knowledge and awareness. Establish “white hat”
teams that test employees through phishing and spear-phishing intrusion testing. Change enterprise
email policy to only allow plain text, preventing unintentional click-through threats. Similar to the
“Cybersecurity Tip of the Day” concept, establish a “Cybersecurity Blunder of the Day” program.
IT Asset Prioritization Ideas
IDEA: Strengthen Governance and Accountability
Implement an outcome-focused governance framework that covers all aspects of the enterprise,
resulting in effective direction setting, decision-making, oversight, transparency, and accountability. The
framework should optimize governance processes by reducing or eliminating review steps that do not
add value, resulting in improved security management effectiveness. Escalate security from merely an IT
concern to a business risk concern, providing independence and enabling security decision-making and
implementation. Provide for the escalation of risk-based decisions through senior leadership if critical
security recommendations are rejected by owners of business lines or applications, ensuring critical
security decisions are not made in isolation. Adopt approaches that emphasize cross-organizational
collaboration, transparency, accountability, and integration, reducing costs, minimizing operational
risks, and driving continuous improvement. Align investments of networks and security entities that
often buy overlapping technology in isolation from each other, resulting in coordinated and consistent
approaches across an organization.
IDEA: Strengthen Cybersecurity Investment Management Practices
Institute a Cyber Investment Management Board to engage senior management and align resources with
the highest priority assets and the greatest risks and impacts. Prioritize funding through budget alignment and
accountability using a publicly accessible scorecard.
IDEA: Strengthen Risk Management
Specific actions include (1) determining the criticality of systems and data and prioritizing accordingly to
achieve an effective, risk-based approach to protecting systems; (2) keeping systems on the most up-to-date
or secure versions and mitigating the risk posed by those systems that cannot be immediately updated; (3)
evolving beyond the “moats and walls”, “secure network of systems” approach, to a “network of
secured systems” to achieve security in depth and improved resilience; (4) using industry-accepted
approaches, standards, and lexicon to allow for improved, consistent understanding and communication
about security, both across the organization and with vendors.
In addition, the actions above must be supported by critical tasks that include:
1. Producing an accurate IT asset inventory
2. Analyzing risk based on business impact of critical assets
3. Prioritizing risks and addressing them in accordance with that prioritization (not everything at once)
4. Implementing security intelligence based on predictive cyber threat analytics
5. Implementing a continuous cyber improvement plan
Assessment-Focused Ideas
IDEA: Change to Independent Assessments
Create a cyber-assessment standard with independent assessment of agencies by an assessment board
composed of government and industry experts rather than relying on current self-assessment practices.
IDEA: Use a Security Self-Audit Checklist
Employ a self-audit checklist to regularly assess security capabilities. Leverage the self-audit capability of
the SEC as guidance for other agencies. [2]
IDEA: Transform Audits into Real-time Situational Awareness
Rethink the notion of an audit from something that happens periodically to something that can be
continuously analyzed at will, in real-time. Use big data tools and automated analytical processes to
defend networks and provide real time threat intelligence and patch management. Having this level of
visibility opens the opportunity for much improved analytics (i.e., big data for security, not Security
Information and Event Management) to visualize and investigate unusual activity over extended
periods, at different locations and/or missions. Being able to collect details about known attempts and
successes, quickly identify and remediate malicious activity, and understand where else that activity is
present would provide superior attribution and improve intelligence. This would make security measurable in
near real-time.
Operations-Focused Idea
IDEA: Improving Detection, Remediation, and Investigation Capabilities
Cyber attackers’ techniques, skills and tools have evolved faster than the cyber defenders’. Incident
response teams must use tools and practices that enable them to respond more quickly across
distributed networks, distributed clouds, and operating system platforms. Organizations at every level
remain highly vulnerable to cyberattacks and are struggling to implement even basic protections. To
address this issue, security engineering, data architecture, and operations teams need to focus on shrinking
organizations’ attack surfaces, especially in ways that can prevent an intrusion from spreading from an
initial entry point to more valuable assets. The key is to be able to issue critical security patches rapidly
throughout the entire network and enforce ongoing security hygiene at scale to ensure the status of
every connected device is known and available at all times. Organizations need to adequately resource
threat intelligence activities and vulnerability analyses, automate incident detection, investigation, and
remediation, and not rely on unreliable, slow manual processes. They need to gather data and conduct
breach investigations in minutes and seconds, remediate intrusions, and maintain desired security
configurations to ensure a high level of cybersecurity readiness.
[2] SEC, OCIE’s 2015 Cybersecurity Examination Initiative,
https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
Legislation/Regulation-Focused Ideas
IDEA: Hold Agencies Accountable to NIST Cybersecurity Framework
Hold agencies accountable to NIST Cybersecurity Framework by implementing metrics for the
Framework and assessing agency capabilities by independent evaluation.
CHAPTER 2
BUSINESS INITIATED VULNERABILITIES
Challenge/Question: How can agencies sharpen focus on vulnerabilities created by (or exposed by)
uninformed business/program users and the array of technology solutions embedded in service delivery
that do not account for cyber?
Introduction
Government business program managers are under continuous pressure to deliver new and better
products and services to their customers and stakeholders. They face high expectations, resource and
time constraints, and pressure to adopt commercially available technology that is familiar to their
customers. Many program managers readily admit they are not experts in information technology or
cybersecurity, but they have to acquire new technologies anyway to meet those needs. They often have
sufficient resources and autonomy to acquire technologies outside of formal investment management
processes, which are criticized as slow, bureaucratic, and unresponsive to programs’ and customers’
needs. These actions can introduce vulnerabilities into agencies’ IT systems that increase their risks of
being attacked and having their systems compromised. This section focuses on ways to increase the
awareness of these vulnerabilities and their consequences and improve the way government programs
manage those vulnerabilities to reduce their risks.
The ideas submitted that appeared to have the most promise focused on reinforcing existing
management practices and applying a quantitative approach to highlighting business initiated
vulnerabilities. They are grouped into three categories – increasing risk awareness and improving
decision making, implementing asset management and access controls, and building security into
system development lifecycles.
Ideas to Increase Risk Awareness and Improve Decision Making
IDEA: Cybersecurity needs to be escalated from being treated as an IT concern to a business risk concern
Cybersecurity decisions should involve senior leaders of an organization to enable informed risk and
security based decision-making and implementation. Incorporating a risk-based approach at the
executive level through the governance process enables realignment of authorities, responsibilities and
accountability. This includes instituting a risk-based, analytical approach using quantifiable risk measures
so mission business projects, investments, and systems are properly vetted, using realistic “what-if”
scenarios to provide insight into potential risks and impacts resulting from vulnerabilities.
IDEA: Agencies should provide broad-based education to improve awareness of the risks of business-initiated vulnerabilities
Cybersecurity and risks should be described in business-oriented terms to ensure business owners’
understanding of the impact of decisions.
IDEA: Make a data-driven, threat visualization dashboard available to business owners
Simple, intuitive dashboards can help inform and educate them, and sustain awareness of the scope of
threats in today’s environment.
IDEA: Hold personnel at all levels accountable for complying with security policies
Agency managers and staff must fulfill their assigned cybersecurity roles and responsibilities. This can
be strengthened by adding accountability to job descriptions, personnel evaluations, and service
contracts with appropriate incentives and disincentives.
Ideas to Implement Asset Management and Access Controls
IDEA: Achieving and maintaining a thorough, accurate inventory of information and technology assets
Departments and agencies that actively manage access to their critical assets can improve visibility and
management of vulnerabilities. A well-defined business environment should include understanding
where critical data are located and the risk associated with that data, and controlling access based on area of
responsibility or job function. Organizations need to carefully adopt technologies that are capable of
accurately producing a complete inventory and audit of every IT asset at any scale very quickly. This
agility through speed at scale is important in order to effectively monitor and rapidly respond to
unforeseen business-initiated vulnerabilities, which can come in virtually any form at any time.
Achieving these capabilities could involve significant time and cost depending on the existing situation in
any specific case.
IDEA: Implementing new or reinforcing existing access controls
In addition to the controls, there is merit in emphasizing existing audit functions and processes – all of
which can further reduce vulnerabilities. Users should be granted access to information (particularly
sensitive information), using attributes for roles and attributes associated with data, to limit access to
data they “need to know”. Strong authentication and identity management practices (such as Personal
Identity Verification cards) are foundational for successful access controls. External entities should be
treated as higher-risk by default.
Ideas to Build Security Into the System Development Lifecycle
IDEA: Cybersecurity should be explicitly integrated into the entire system development life cycle
Building in cybersecurity elements early can enable developers to build more secure software, address
security compliance requirements, and potentially reduce total costs.
IDEA: Integrate and use existing guidance and best practices from NIST and other sources into the
system development lifecycle
Regardless of whether waterfall or agile methodologies are used, doing so can establish consistent,
predictable processes and requirements. This can help developers learn, plan in advance, and
successfully execute practices that produce more secure solutions more reliably and more often. Since
agile methods focus on rapidly creating features that satisfy customers’ direct needs, and security is a
customer need, it’s important that it not be overlooked. Moreover, system development would be
greatly improved by using tested and secure baselines in a Platform as a Service-like approach where
secured and approved baselines are pulled from trusted sources and reused. Starting from a secure
platform reduces the burden on system developers, reduces the authorization process workload, and
also simplifies the work needed to maintain secure systems.
IDEA: A government-wide security maven program would help tear down the existing "expertise" and
"contractual" barriers between security, development, and the business side
Walmart reported achieving a 92% reduction in security defects by creating a "Security Maven" role to
drive security best practices into their software development teams that greatly outnumbered their
security teams. Development teams are likely to be interested in a maven program because the
adoption of continuous integration and DevOps is driving automated regression testing that is creating
much wider appreciation of reliability as a means for deploying features faster.
CHAPTER 3
BREACH-TO-RESPONSE ACCELERATION
Challenge/Question: How can agencies effectively address current time lags with detection of and
response to vulnerabilities and threats that will significantly compress breach-to-detection-to-response
times? Please include ideas on how government agencies can expand capabilities beyond reacting to
known threats through programs like Einstein, to identify new threats and zero-day exploits in near real time.
Introduction
Breach-to-response times are growing as adversaries increase the sophistication of the methods they
use to gain and maintain access to critical Government systems, which contributes to the theft of
sensitive information. There are multiple reports of breaches going undetected for months and of
agencies only finding out from third parties afterward that they had been breached rather than
detecting the breaches themselves. Agencies must shorten response times using a combination of
cybersecurity technology and skills.
There are two complementary approaches to detecting intrusions, knowledge-based approaches and
behavior-based approaches (see https://www.sans.org/security-resources/idfaq/behavior_based.php).
Most tools rely upon knowledge-based approaches and internal IT staffs to look at and manually
respond to all of the alerts. The weaknesses of knowledge-based approaches are that they rely on the
known “signatures” of attacks and that they generate so many alerts that Network or Security staffs
may reclassify “Security Alerts” as “Normal” to avoid reviewing them. Behavior-based approaches
mimic attackers by collecting data about the environment and saving it in a database; a program then
reads this data and analyzes it against a probabilities database for possible weaknesses in the system.
Many commercial tools are using machine learning to find allowed behavior that is actually malicious.
Agencies must plan for success. Shortening response time requires a combination of technology, threat
knowledge, and the evolving skill sets of cybersecurity practitioners. Lag time exists because
organizations are unable to effectively integrate practitioner skills, threat knowledge, and technology.
Although agencies are in possession of effective tools (e.g. Einstein and Continuous Diagnostics and
Mitigation) that collect indicators and signatures of malicious traffic, many cybersecurity professionals
lack the requisite skills to understand the cyber threat environment and employ the tools to successfully
ensure agency cyber resiliency in the face of rapidly evolving threats.
Numerous published research studies have concluded that this growing problem is attributable to
insufficient training, threat understanding, and a lack of fundamental knowledge essential to effectively
use these tools. Reaction time can only be reduced if cybersecurity professionals hone their skills by
training and exercising in a range environment where skill-based training and performance-based
assessment can provide them with the requisite skills to rapidly employ their defensive cyber tools
against an evolving threat. This training would significantly enhance organizational incident response
preparedness.
A variety of ideas were offered to speed time from breach to response.
Ideas Related to Breach-to-Response Acceleration
IDEA: Tools and techniques must be ready and team members must be well trained and practiced
before effective response efforts can be made when there are computer incidents
The training should be realistic and incorporate exercises and drills that simulate incidents where
organizational play/run books are utilized. Also, agency policies, procedures, and guidelines for response
need to be in place. Personnel responsible for implementing those policies, procedures and guidelines
should regularly practice them in realistic environments and scenarios to improve their preparedness to
respond effectively to real incidents.
IDEA: Top management from all business units and external parties (e.g., managed service providers)
should be required to participate in incident response exercises
This fosters better communication between security operations and management.
IDEA: Properly identify the incident
Is the event simply an unusual but benign activity, or can it be identified as suspicious and requiring
further analysis and/or corrective countermeasures? If so, what are the surrounding activities?
• Respond to contain the incident and its effects.
• Recover and remove/quarantine the issue as soon as it is realistically possible.
• Return the infected system to operational use as soon as feasible.
• Follow up with responders for improvements to the processes as documented in the play/run books.
IDEA: Expand research into methods for immediate breach awareness the moment they occur
Technology is available that can identify intrusion attempts at the source. Many private companies offer
excellent cyber products and managed services to reduce the risk of successful cyber-attack. OPM and
others had been breached long before there was a discovery of intrusion. Much remains to be
accomplished toward protection of key assets by creating mechanisms for immediate intrusion
detection and perpetrator identification. It's bad enough when breaches happen, it’s even worse when
they are not detected for long periods of time.
IDEA: All agency employees should be educated and trained on general incident response planning
concepts and any related responsibilities
This should include how to notify response organizations, the information to report, and other relevant
activities. Employees are a great source of tips on abnormal events.
IDEA: All incidents, exercises, and general activities offer opportunities to learn and improve planning
Observation and evaluation should be key components of any incident response structure, including the
planning cycle. All personnel should be provided the opportunity to provide feedback on plans, training,
and exercises. Share these lessons learned with peer agencies.
IDEA: Exercise evaluation activities should be managed independently of the response organization,
as there is a potential conflict of interest if the reviewing entity resides within or is subordinate to the
operational entity
To illustrate, US-CERT should not self-evaluate participation in exercises like Cyber-Storm. Instead,
independent evaluation personnel with the appropriate expertise, like those available from the Federal
Emergency Management Agency (FEMA) National Exercise Division, should be used.
IDEA: After-action reports should be accompanied by improvement plans that clearly identify the
responsible implementer of improvement actions
A clearly defined action plan should be put into place that tracks status of implementation. As
evaluation programs mature and organizational planning processes increasingly integrate disciplines and
functions (e.g., response, development, operations, business units, etc.), evaluation and learning should
take place on a continual, parallel basis with regular opportunities to improve processes and protocols,
rather than as a step or phase in a process or sequence.
IDEA: Both Einstein and Continuous Diagnostic and Mitigation tools should use behavior-based
approaches that take advantage of computer systems to analyze events rather than relying on human
analysis
It is faster for computers to analyze events than for a network engineer or security engineer to do so. The
security engineer builds the logic for the system (unless the vendor can provide it), including provisions
for preventive or corrective actions. When such a behavior-based system sends alerts, the probability that a cyber incident is occurring is high, meaning actions should be taken in near real time to halt the cyber event.
Management needs to provide direction and focus limited 24/7/365 resources against risk prioritized
threats. Security metrics can help to capture the effectiveness of the security team. There are a lot of
advantages to using behavior-based approaches as long as your probabilities logic/database is
frequently updated to adapt to our adversaries’ most recent methods. The system keeps the same
information that attackers would gather while casing the target systems/networks. The defenders can
analyze the data collected before the attackers analyze theirs, and the organization can plan to prevent
the attack or collect evidence for prosecution.
CHAPTER 4
ADOPTING A THREAT-AWARE PROACTIVE DEFENSE
Challenge/Question: How should the government expand beyond its emphasis on perimeter defense
and even defense-in-depth, and instead put more relative resources toward combining actionable threat
intelligence with robust response and resiliency strategies and architectures that account for the
adversary’s point of view?
Introduction
Today, governments are in constant contact with the enemy - and the form of conflict has changed. The
expansion of the Internet globally is being accompanied by an explosion of cyber threats. Nation-state
adversaries, terrorists, and criminals exploit our weakly secured technology. The United States
principally relies on technology for a competitive advantage across the globe. Now, thanks to the
Internet and cyberspace, malevolent cyber actors erode that advantage by routinely and consistently
targeting American industries and critical infrastructure (CI) sectors with rising success.
Despite this elevated threat environment, the government is still fixated on perimeter defense and
shallow defense-in-depth strategies. The problem centers on an enterprise security architecture that is
usually designed to protect the entire network with equal priority and risk, thus thinly spreading
network defense resources. Consequently, agencies often fail to focus on effectively protecting data
and tracking data exfiltrations. By being proactive, government agencies can significantly reduce the
risk posed by threat and reap economic benefits by avoiding or minimizing real and opportunity costs
that security inactions create.
Improvements to threat awareness and measures to put a more proactive cyber defense posture in
place cannot all be done overnight. A more plausible approach would be to segment improvement
activities into impact timeframes. For example, quick wins (impact or results seen in 1-3 months) could
include activities such as having reinforcements and alternative plans ready for implementation when
attacks are recognized or using audits and penetration tests to find low to mid-level cyber weaknesses.
Mid-term wins (impact or results achievable in 3-12 months) could include activities such as taking
concrete steps to create a more priority-focused defense grounded in risks associated with key assets.
Longer term wins (impact or results in 12+ months) could be activities such as enhancing awareness and
shared incident/response reporting jointly across government and industry.
Responses to this challenge focus in four areas: prioritizing cyber defense, providing in-depth defense
for high-priority assets, notification, and thinking deeply about exploiting and attacking cyber threats.
Ideas Pertaining to Priority-Focused Cyber-Defense
A priority focused cyber defense starts with defining the “core” of what must be protected and
subsequently preparing pre-emptive action requirements. Once inside a system, successful intruders
often make lateral movements to and from less defended assets which can be thwarted by architecting
and engineering greater data separation. Mission impact models are built for each system, showing
all the assets that its function depends on (e.g., servers, databases, routers, computers, users).
Competency models of adversaries are also created, including information on the techniques and skills
they use to be successful. Technology research into capabilities used to identify intrusions becomes
paramount. Risky behavior across the organization is defined and targeted.
IDEA: Focus on the right threat information, not everything
Create competency models of adversaries and the techniques they use. Then focus data analysis,
situational awareness, meaningful metrics, and relevant business context to understand the threat and
identify the risk-based actions to take.
IDEA: Ensure existing vulnerabilities and risks are identified and remediated immediately
US-CERT, vendors, vulnerability and penetration scans, incidents, and US Gov’t Cyber Board, etc. may be
sources. In addition, escalate open residual risks (vulnerabilities, open Plans of Action and Milestones,
etc.) to the highest levels (Department/Agency head, OMB, Cyber Board, etc.) for prioritization and risk
acceptance as appropriate.
IDEA: Tailor defenses and shape network flows to what is needed, making it harder for an adversary
to be successful.
It is important to create a threat-aware proactive defense based on an understanding of the Cyber Key
Terrain (C-KT) to manage the risks to each line of business or agency function. Applying the C-KT
concepts can help identify the most important lines of business, functions, and information assets to
help prioritize protections. All information assets need to be locatable on network maps for an effective
cyber-protection strategy (e.g., risk mitigation strategy) to be developed. Actions can be planned from
an assessment based on a RISK = Criticality*Vulnerability*Recoverability*Threat analysis, e.g. limiting
access to certain types of users over limited protocols, locking down certain databases, applying
encryption, or creating subnets on networks to protect key assets. Create special monitoring for
deviation from the required flow that creates priority alerts.
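As an added illustration of the RISK = Criticality*Vulnerability*Recoverability*Threat analysis described above (example code written for this page, not a tool from the report or from any agency), the script below scores a constructed asset inventory on 1-to-5 scales, ranks the assets, attaches the protective actions the text lists to each risk tier, and then raises priority alerts for observed network flows that deviate from the required flow pattern. The scales, tier thresholds, asset names, zones and flows are all assumptions.

```python
"""Asset prioritisation with RISK = Criticality*Vulnerability*Recoverability*Threat,
feeding priority alerts on flows outside the required pattern.
Added illustration over a constructed inventory; the 1-5 scales, tier thresholds,
asset names, zones and flows are assumptions, not data from the report."""
from dataclasses import dataclass

SCALE = range(1, 6)  # each factor scored 1 (low) to 5 (high); recoverability 5 = hardest to recover


@dataclass(frozen=True)
class Asset:
    name: str
    function: str          # line of business the asset supports (Cyber Key Terrain view)
    criticality: int
    vulnerability: int
    recoverability: int
    threat: int

    def risk(self) -> int:
        factors = (self.criticality, self.vulnerability, self.recoverability, self.threat)
        # Reject out-of-range inputs: a silently accepted 0 would zero the whole product.
        if any(f not in SCALE for f in factors):
            raise ValueError(f"{self.name}: all factors must be 1-5, got {factors}")
        c, v, r, t = factors
        return c * v * r * t


def tier(score: int) -> str:
    """Assumed thresholds on the 1..625 product range."""
    if score >= 200:
        return "high"
    if score >= 100:
        return "medium"
    return "low"


# Protective actions named in the text, mapped to a tier (assumed mapping).
ACTIONS = {
    "high": ["limit access to named roles over approved protocols only",
             "place on a dedicated subnet",
             "encrypt data at rest",
             "priority monitoring of deviations from required flows"],
    "medium": ["lock down database/share permissions", "encrypt sensitive fields"],
    "low": ["standard patch and configuration baseline"],
}


def prioritise(assets):
    """Return (name, score, tier, actions) ordered from highest to lowest risk."""
    ranked = sorted(assets, key=lambda a: a.risk(), reverse=True)
    return [(a.name, a.risk(), tier(a.risk()), ACTIONS[tier(a.risk())]) for a in ranked]


def flow_alerts(assets, required_flows, observed_flows):
    """Every observed (source zone, destination asset, protocol) not in the required set
    becomes an alert whose priority is the destination asset's risk tier."""
    tiers = {a.name: tier(a.risk()) for a in assets}
    order = {"high": 0, "medium": 1, "low": 2}
    alerts = [(tiers.get(dst, "low"), (src, dst, proto))
              for (src, dst, proto) in observed_flows
              if (src, dst, proto) not in required_flows]
    return sorted(alerts, key=lambda a: order[a[0]])


# Constructed inventory and flows (not real systems).
INVENTORY = [
    Asset("benefits-db", "benefits", 5, 3, 4, 4),    # 240 -> high
    Asset("public-web", "outreach", 2, 4, 2, 5),     # 80  -> low
    Asset("hr-fileshare", "hr", 4, 4, 3, 3),         # 144 -> medium
    Asset("dev-test-vm", "engineering", 1, 5, 1, 2), # 10  -> low
]
REQUIRED_FLOWS = {
    ("app-tier", "benefits-db", "tcp/5432"),
    ("workstations", "hr-fileshare", "tcp/445"),
    ("internet", "public-web", "tcp/443"),
}
OBSERVED_FLOWS = [
    ("app-tier", "benefits-db", "tcp/5432"),
    ("workstations", "benefits-db", "tcp/5432"),  # deviation hitting a high-tier asset
    ("internet", "public-web", "tcp/443"),
    ("workstations", "dev-test-vm", "tcp/22"),    # deviation hitting a low-tier asset
]

if __name__ == "__main__":
    for row in prioritise(INVENTORY):
        print(row)
    for alert in flow_alerts(INVENTORY, REQUIRED_FLOWS, OBSERVED_FLOWS):
        print(alert)
```

The multiplicative score makes a single low factor pull an asset down sharply, which is why the example refuses out-of-range values rather than defaulting them; in practice the factor scales and thresholds would be calibrated by the assessment team rather than fixed as here.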
Ideas Pertaining to In-depth Defense for Higher Priority Assets
Content-centric security digital rights management techniques with pre-set boundaries are becoming
increasingly important. An adaptive security system can be used to manage and secure all points of
engagement, e.g. Human->Apps->Devices->Network->APIs, to prevent and detect and respond to
threats. This supports a strong defense-in-depth strategy with security for all layers.
IDEA: Adopt content centric security of data using digital rights management techniques to protect
data at the source and track exfiltration of data that depart from pre-set boundaries
Keep data encrypted when possible. Take advantage of metadata.
IDEA: Determine criticality, sensitivity, and vulnerability of systems and data, and prioritize accordingly to
achieve an effective, risk-based approach to protecting systems
For example, using current NIST directives and controls, immediately conduct an independent
operational risk assessment of all U.S. government infrastructure, applications, and data to determine
highest risk across the government and subsequently prioritize and appropriately resource remediation
with specific completion dates, and track to expedite closure.
IDEA: Use Distributed Corroboration of Service (DCOS)
The DCOS concept is the opposite of the successful Distributed Denial of Service concept. Basically, a
product is engineered that utilizes the concepts of Big Data and Machine Learning. An app loaded on
participating servers alerts the administrator, via a dashboard, of successful attacks and of the current
state of the "Defense in Depth" posture, and offers pertinent courses of action to harden the system.
The "machine learning" would use a service, such as http://map.norsecorp.com, to see where attacks
are coming from and their types and successes, alert the community of the attack vectors, and assess
the current network's ability to sustain the attack. If a community member's machine has been
compromised, it would alert the community so members can ensure they are not compromised and,
perhaps, offer mutual agreements to address the potential (denial/corroboration of service) attack.
Ideas Pertaining to Notification Procedures
It is imperative to escalate security from merely an IT concern to a business risk concern, and to provide
independence, enabling security decision-making and implementation. For example, the federal
government might make permanent a central Administration role, with appropriate authorities and
budgetary controls, to direct and oversee cyber activities across the government, including leadership of
a cybersecurity “council” for interagency coordination and separating agency Chief Information Security
Officer (CISO) functions from Chief Information Officer (CIO) functions. This could establish a
mechanism to escalate agency CISO security concerns directly to the department or agency head or
central cyber function for adjudication as appropriate.
IDEA: Adopt a Whole-of-Nation Strategy as suggested for US critical infrastructure
This includes (a) consolidating several existing cyber capabilities and authorities into one new Federal
Government interagency task force operating at the Top Secret level and is specifically devoted to
cybersecurity; (b) evolving synergistic public/private collaboration to include critical infrastructure
partners within the task force to share the information and best practices necessary for threat vector
understanding while also distributing the responsibility to act; (c) defining what must be protected - the
"core" meaning "that which is too important to fail"; (d) developing improved cyber defense constructs
to protect the "core"; and (e) defining pre-emptive actions.
Ideas for Deeper Considerations On Ways to Defend/Exploit/Attack Cyber Threats
Numerous activities warrant more thinking and refinement: two-factor authentication, least privileges,
access management, encryption, security intelligence, vulnerability management, risk management,
security as a business requirement, DevOps and security life cycle, cyber governance, and isolation of
sensitive or critical systems. It is important to modernize security approaches beyond the perimeter-focused “moats and walls” approach, transitioning from a “secure network of systems” to a “network of
secured systems” to achieve security in depth and improved resilience. For example, agency security
strategies should emphasize detection, identification, protection, response, supply chain transparency,
security intelligence, predictive analysis, data encryption, and a “zero trust network” philosophy. New
micro segmentation technologies based on cryptographic keys are helping do this.
IDEA: Continue and expand research into methods for immediate breach awareness the minute breaches
occur, a critical component of detection and mitigation
Available technology can spot and identify intrusion attempts at the source.
IDEA: Prevent and detect API threats
APIs are windows into the Enterprise and need to be secured at every point of engagement between the
end user (consumer) and Enterprise crown jewels. In the API world, humans and machines seamlessly
interact with each other and blend the trust boundaries between customers, partners and service
providers. It is becoming increasingly hard to differentiate good human, authorized machine (apps) and
cybercriminals who may exploit a threat vector via API, mobile or cloud platform to access crown jewels.
A way to address this is:
• An adaptive security system to manage and secure all points of engagement
• A fine granular authorization capability that is data centric and that supports various levels
of access control based on the trust domain of interaction
• A data driven security service that combines machine learning to detect patterns of
anomalies and that can interface with other security products in the eco-system, e.g.
integration with SIEM tools
IDEA: Deploy a lightweight micro-agent which captures metadata about user activities across the
enterprise while also protecting requisite privacy
Insider threats represent one of the most vexing problems facing the US Government. Executive Order
13587 seeks significant enhancements to address this threat to organizations’ critical assets, including
employees, contractors and business partners. Theft of IP or classified information or PII via stolen
credentials is a mounting challenge given that internal networks are often lacking effective security
measures. User activities are baselined to detect anomalies and patterns of good or bad behavior. The
four high impact areas are:
• Detecting malicious cyber insiders that aren't detectable by other means
• Finding cases of compromised credentials that are only detectable by spotting
suspicious changes in employee behavior
• Tracking, over time, risky behavior across the organization that puts the organization at
risk, and taking a data-driven approach to putting in additional cyber security controls
• Using security tools to deliver other benefits to the business, such as dramatic savings in
IT budgets.
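The behavior-based detection argued for in Chapter 3 (baseline, then alert on deviations with a high probability of a real incident) and the micro-agent idea above (baseline user activity metadata, flag compromised credentials, protect privacy) rest on the same mechanism, so one added example covers both. The script below is written for this page and is not code from the report, from any vendor or from any agency; the activity records are constructed, the user names are fictitious, and the fields, thresholds and salt are assumptions. It pseudonymizes the user identity with a salted hash before anything is stored, builds a per-user baseline of login hour, download volume and hosts touched, and raises an alert only when two independent indicators agree, which keeps the alert rate low enough that analysts are not tempted to tune it to "Normal".

```python
"""Behaviour-based anomaly detection over user activity metadata.
Added illustration over constructed records; fields, thresholds, salt and
user names are assumptions, not a description of any real deployment."""
import hashlib
import statistics
from collections import defaultdict

SALT = b"constructed-pseudonymisation-salt"  # in practice, loaded from a secret store


def pseudonym(user: str) -> str:
    """Key the baseline on a salted hash so analysts see a stable token, not the identity."""
    return hashlib.sha256(SALT + user.encode()).hexdigest()[:12]


# Constructed baseline window: one record per user per day
# (user, hour of first login, MB downloaded, host touched).
BASELINE = [
    ("alice", 8, 120, "share-a"), ("alice", 9, 95, "share-a"), ("alice", 8, 130, "share-a"),
    ("alice", 8, 110, "share-a"), ("alice", 9, 105, "share-a"),
    ("bob", 7, 40, "erp"), ("bob", 7, 55, "erp"), ("bob", 8, 45, "erp"),
    ("bob", 7, 50, "erp"), ("bob", 8, 60, "erp"),
]


def build_baseline(records):
    """Per-pseudonym profile: usual login hours, download mean/stdev and hosts seen."""
    by_user = defaultdict(lambda: {"hours": [], "mb": [], "hosts": set()})
    for user, hour, mb, host in records:
        d = by_user[pseudonym(user)]
        d["hours"].append(hour)
        d["mb"].append(mb)
        d["hosts"].add(host)
    profiles = {}
    for p, d in by_user.items():
        stdev = statistics.pstdev(d["mb"]) or 1.0  # avoid a zero divisor on constant history
        profiles[p] = {"mean_mb": statistics.fmean(d["mb"]), "std_mb": stdev,
                       "hours": set(d["hours"]), "hosts": set(d["hosts"])}
    return profiles


def score(profiles, record, z_threshold=3.0, hour_slack=2):
    """Return the list of indicators that fire for one new record (empty = normal)."""
    user, hour, mb, host = record
    prof = profiles.get(pseudonym(user))
    if prof is None:
        return ["no baseline for user"]  # unknown accounts go to an analyst, never silently pass
    reasons = []
    z = (mb - prof["mean_mb"]) / prof["std_mb"]
    if z > z_threshold:
        reasons.append(f"download volume z={z:.1f}")
    if hour not in prof["hours"] and min(abs(hour - h) for h in prof["hours"]) > hour_slack:
        reasons.append(f"off-hours login {hour:02d}:00")
    if host not in prof["hosts"]:
        reasons.append(f"new host {host}")
    return reasons


def detect(profiles, records, min_reasons=2):
    """Alert when at least two independent indicators agree, or when no baseline exists."""
    alerts = []
    for rec in records:
        reasons = score(profiles, rec)
        if len(reasons) >= min_reasons or "no baseline for user" in reasons:
            alerts.append((pseudonym(rec[0]), reasons))
    return alerts


# Constructed new-day records: one normal, one minor change, one credential-abuse pattern.
NEW_RECORDS = [
    ("bob", 7, 52, "erp"),
    ("alice", 9, 100, "share-b"),
    ("alice", 3, 2400, "hr-db"),
]

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE), NEW_RECORDS):
        print(alert)
```

The two-indicator rule is the design choice worth noting: a single new host or a single late login is common in normal work, whereas a 3 a.m. login from a never-seen host that pulls twenty times the usual volume is the pattern the text associates with stolen credentials. The probabilities and hour windows would be refreshed as the baseline window rolls forward, which is the "frequently updated" caveat Chapter 3 attaches to behavior-based systems.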
IDEA: “Signature” based detection has to evolve to match the kill-chain model, while at the same time
consuming and producing threat intelligence
Big data for cyber security will provide the intelligence to make this model successful once we can define
a common ontology, allowing long-term “look-back” of user, host, application and intelligence activity.
What we think of as signatures today evolve to algorithmic expressions to inform defenders where
attention is needed. Architecturally we imagine each location or site hosting a big data platform locally,
with the ability to report to a central console for local and multi-location, agency-wide analytics. The
resulting data can be securely communicated to our law enforcement and intelligence communities as
an opt-in (allowing those communities to securely query those systems remotely).
IDEA: Every agency or business should have Elite Cyber Protection Teams (ECPT) that rotate from one
key function or line of business to another
The ECPT creates/revises the Cyber Key Terrain (C-KT) assessment of importance for each business
function, analyzes the risk for that function, develops the risk mitigation strategy for that function and
works with the enterprise security team to implement it. The ECPT then moves onto the next function
or line of business. This strategy maintains focus. Military CPTs are trained using this approach. They
create realistic Virtual Clone Networks of an entire Joint Military Base with a synthetic internet, fake
users who click on links, do email and whatever other job they normally do, and emulate adversaries.
They also create a list of prioritized missions and teach the elite CPTs to define the C-KT and develop risk
mitigation strategies. Then the team is tested (using metrics derived from the NIST Cybersecurity
Framework) against emulations of real world threat actors. The teams can see how well their risk
mitigation strategy would work against APT-28 or Deep Panda or Cyber Snake. They learn how
important threat intelligence data is to guide their understanding of the enemy and fully contain and
eradicate the adversary.
IDEA: Create Blue Team audits followed by Red Team operations performed by pre-qualified
contractors or in-house staff using an efficient contract services vehicle managed by GSA
Focus is beyond standard penetration testing and embraces “hunting” tactics largely used by DOD Red
Teams to emulate adversaries. This would increase resiliency and enhance capability to address early
indicators of Advanced Persistent Threats.
CHAPTER 5
SHARING OF THREAT INTELLIGENCE
Challenge/Question: How can agencies and industry implement and sustain threat data sharing and
create a robust, timely and systemic sharing environment (more than just incidents) that allows agencies
to operate collectively government-wide and with industry and in real time, rather than independently
with little peripheral view of threats and responses?
Introduction
The security community has been trying to establish “Information Sharing” since President Clinton
directed all the critical sector verticals to share among themselves back in 1998. For lots of reasons, this
was hard to do. Arguably, the two best information sharing organizations that have emerged in the last
15 years are the FS-ISAC (Financial Services – Information Sharing and Analysis Center) and the DSIE
(Defense Security Information Exchange), but even those organizations are imperfect. When members
decide to share some piece of intelligence, they have to package it up, send it to the sharing
organization’s security operations center (SOC) for processing, and then the SOC disseminates the
intelligence out to the rest of the members. The members then have to read it, decide if they need to
take some action, and then deploy the recommended countermeasures as fast as they can. This
approach can provide good intelligence, but using it can be cumbersome and slow.
In recent years, the federal government has made great strides in both increasing its ability to share
cybersecurity threat information, and promoting greater cybersecurity information sharing with the
private sector. These efforts largely stem from Executive Orders 13636 and 13691. As a result, the
federal Government has fostered Information Sharing and Analysis Organizations (ISAOs) as well as
Information Sharing and Analysis Centers (ISACs). The government has also supported specific
programs, such as the Defense Industrial Base (DIB) pilot, the Enhanced Cybersecurity Services (ECS),
Critical Infrastructure Cyber Information Sharing and Collaboration Program (CISCP) and Cyber Guardian.
An evaluation should be conducted to determine why existing response structures and programs such as
these are or are not meeting the need before creating any new ones.
Responses in this area focused on sharing information to minimize risks and enrich threat intelligence.
Ideas Pertaining to Data Sharing to Minimize Overall Risks
Timely, relevant, and meaningful data sharing is critical to minimizing overall risk. As in any
complex environment, the increase in knowledge of all actors results in better outcomes for the entire
system and not for just a few. The old adage that the system is only as strong as its weakest link applies.
The Federal Government must continue to increase its own ability to declassify and widely distribute
cybersecurity threat information. The Federal Government should also continue to promote private
sector information sharing which can accelerate business and national security related risks.
IDEA: Use incentives, disincentives, non-attribution rules, and well developed policies to increase the
probability and efficacy of such sharing
It is important to acknowledge that the incentives for government and industry differ. For example, one
government agency wants industry to share and another wants to penalize. An industry knowing that
they may be encouraged to share, but could also face penalties will most likely choose not to share.
Additionally, industry will be highly averse to sharing if they are penalized financially, which is their
lifeline. However, the same is not true for government agencies that are not incentivized or penalized
financially like the private sector. Different incentives need to be applied to agencies that are
motivational in the government environment.
IDEA: Instead of mandating information sharing, both government and industry should look at this
issue as one of national security
As an example, if there were a potential for pandemic disease, that information would first be
thoroughly investigated by the Center for Disease Control (CDC) and others before being communicated
to the broader public in order to prevent unnecessary panic. The challenge with information sharing is
that it has the potential to create more noise, weakening already weak signals, and creating more
tedious workflows.
IDEA: Focus on more useful and meaningful signals
A key challenge is for consumers/users to get a better sense of reliability, timeliness, and context of
threat intelligence. Consider the efforts at Department of Homeland Security (DHS) with Active Cyber
Defense as an end-goal, but having that intelligence distributed to each agency and location. Computer
Network Defense personnel have the ability to query other locations to understand the prevalence of
Government-wide threats. If they see something suspicious, they can contact DHS, the FBI, or others for
deeper investigation.
Ideas That Enrich Threat Intelligence
DHS and the FBI have capabilities to instantiate queries outbound for deeper attribution and the ability to
enrich threat intelligence. Government needs to raise the level of expertise across the board, and the
best way to do so may be to allow more transparency, enabling Computer Network Defense staff to ask
better, more informative questions. This could enrich and fortify intelligence and scale expertise.
Specific ideas include:
IDEA: Broaden use of the Cyber Threat Alliance (CTA)
Through CTA, security vendors share mandatory quantities of zero-day threat intelligence with each
other in near-real time by updating the controls within their products without the end user customer
getting involved. The CTA is also collaborating to share correlated information about cyber-attack
campaigns and specific malicious actors. These efforts by industry show significant steps in the right
direction.
IDEA: Better standardize and harmonize threat intelligence sharing processes and practices so that
Government and industry increase interoperability and compatibility
Numerous structures and programs exist and yet the persistent perception, if not reality, is that
information sharing is not meeting the need.
IDEA: Endorse and expand the Structured Threat Information Expression (STIX) and Trusted
Automated eXchange of Indicator Information (TAXII) framework so that data breach reporting is
more robust and shared widely but in meaningful ways
Operations like the North American Network Operators Group, which shares incidents across most of the
major networks in the US, could be emulated and expanded to include a “neighborhood cyber watch”
program where companies and citizens could report issues to a shared resource that would then inform
appropriate authorities. Sharing alone is not enough. It also requires executing on that knowledge.
CHAPTER 6
SOLVING THE CYBER TALENT SEARCH
Challenge/Question: How can government tackle the cybersecurity talent search in a way that
strengthens skills, experience, and knowledge, both within government CISO/CIO and partner
organizations and externally from contracted services?
Introduction
For a number of years, federal agencies have struggled to recruit and retain qualified
individuals to fill cybersecurity slots in their organizations. The limited pool of workers with adequate
competence and skills is in high demand. In an environment where strong security is a growing priority and
where both commercial and government security breaches make headline news every day, the rush to
fill cyber positions pits agency against agency, as well as government against commercial industry, for the
same pool of professionals.
The ideas submitted range from recruiting qualified individuals early (before they graduate from college
programs or during initial career stages) to incentivizing cyber managers and staff by empowering them
to innovate and create new approaches and techniques. While challenging, retention is equally
important to maintain a long term, stable, and seasoned cybersecurity workforce. Ideas also addressed
training and building a cyber-aware culture.
Ideas Pertaining to Attraction, Outreach, and Recruitment of Cybersecurity Talent
The need for talented cybersecurity defenders in the Federal Government is rapidly increasing with the
evolution and sophistication of cyber attackers. Current security teams are overburdened, creating huge
vulnerabilities for organizations that can lead to disastrous events like the recent OPM breach. It is
imperative that we grow our cybersecurity workforce through aggressive and innovative recruitment
methods as soon as possible.
Recruiters and managers should target potential cyber workers, starting with high school and college
students to those already in the active workforce, acquainting them with the government cyber
opportunities and benefits. Broadening the search beyond traditional recruiting practices and
implementing unique and innovative methods will help to quickly increase the supply of cybersecurity
professionals available for employment.
High School and College
IDEA: Innovative internship approaches are needed to reach out to high school and college students
who are in the early stages of decision making about their career path
Create “virtual internships” in addition to on-site internships as a means to have a much broader reach
to hundreds of thousands of students.
IDEA: Recruiting school faculty will help spread the word about career opportunities and garner
interest at an early stage
Job offers that include student loan reimbursement plans can be a great way to incentivize student
interest in pursuing cyber careers in government.
Current Agency Workforces
IDEA: Look for cyber-related talent in other parts of the organization
The fastest way to get cyberworkers into critical positions is to find qualified employees already working
in an agency or elsewhere in government. Two potential “pools” of people to draw upon are (a) the
existing IT workforce that understands both the technology and the details of the specific environment
and can quickly develop cyber skills (which are in most cases not part of their required KSAs) and (b)
existing compliance/authorizing official support staffs who often understand the required controls and
the process for risk management decisions, but may not have the detailed technical skills for cyber
defense. In addition, risk management, analytical competencies, benefit/cost analysis, performance
management are also core to effective cyber solution investments and business cases. Tools can
facilitate searches for existing skills and competencies, and pipelines can be automatically built to
provide skill gap training to current staff to qualify them for cyber openings.
Cyberworkers Outside of Agencies
IDEA: Recruit at high profile cyber conferences (e.g., BlackHat, Hackathons, Meetup groups, etc.)
Security professionals can be attracted to Federal positions because of the impact and uniqueness of
agencies’ missions.
IDEA: Don’t rely totally on job fairs; use on-line resources such as Monster.com, CareerBuilder and
LinkedIn to proactively find job candidates actively seeking work
Even passive candidates with core technology skills can also be identified and contacted to draw them
into journeyman positions in the cyber-workforce. Social media and web advertising can also be
excellent recruitment channels.
IDEA: Use alternative talent management strategies to find employees who have certifications, key
knowledge and skills, and leadership experience to assume key management roles (e.g., in-house,
military, technical schools, etc.)
Seeking professionals in other parts of the organization who could be used by cybersecurity shops, and
retooling them with the skills needed for their specific tasks, is a great way to use resources already available
and save money.
Ideas Related to Eligibility, Assessment, and Selection
High performance cybersecurity work often excels in environments that are[3]:
- Multi-functional (i.e., workers have diverse skill sets and can perform multiple roles)
- Dynamic (i.e., changing constantly and keeping up with the latest threats)
- Agile
- Flexible
- Informal (i.e., unconventional working hours, shifting duties, relaxed atmosphere).

[3] Cybersecurity Workforce Development Toolkit, https://niccs.us-cert.gov/home/cybersecurity-workforce-development-toolkit
IDEA: To ensure adaptability to the traits of the cyber environment, agencies can use eligibility questions to
ensure basic requirements are met, such as winning a Cyber Patriot competition or attending a USA
Cyber Council Camp
Valid documentation would be required and collected. Candidates must pass assessments measuring
the standardized knowledge, skills, abilities, and personal characteristics that are required for successful
performance in cybersecurity jobs. Related job experiences and engagement in realistic testing
scenarios or use cases can also be put into the mix.
IDEA: Take advantage of NIST NICE Cyber Workforce Framework leveraging Eligibility and Assessment
question methodologies to down select candidates worthy for an interview cycle
Hiring managers need to inspect and respect the candidate’s qualifications to ensure the candidate
wants and takes the job/career. This process should mirror supply chain best practices to ensure the
approved Talent is available to fill the jobs when they become open and stay with them.
Ideas Pertaining to Position Management/Career Pathing/Retention[4]
Having clear, comprehensive descriptions of work that must be performed is essential. In the federal
government, this is referred to as position management. Cybersecurity work, however, poses special
challenges. For example the rapid change in technologies and tactics for exploitation and intrusion
makes defining the required talent a tall order. There are key steps needed to define, operationalize,
and train for cyber work.
IDEA: Start with the essential skills and traits needed for cyber workers
Specifically focus on job competencies required for effective, and proactive, cyber defense and intrusion
response. Equally important: provide a flexible methodology for adding, modifying or removing
competencies over time.
IDEA: Establish a framework for an occupational grouping dedicated to the cyber workforce
Include occupational series that are covered in the NICE framework, and devise a coding mechanism for
the occupational grouping which enables these cyber workers to be tracked through their careers. As
part of this framework, develop alternative Career Paths that reflect the diversity of positions within the
occupational grouping, and empower cyber professionals to progress in a non-linear career path – one
that can be horizontal, vertical, or diagonal, and includes occupational series or specialties related to
their primary experience.
IDEA: Place the Cyber occupational grouping into the Excepted Service
Because of the nature of this work, and its rapid evolution, it is increasingly difficult to evaluate cyber
candidates by traditional means. Moreover, some federal agencies already have this flexibility,
demonstrating its success.
[4] Please note: this discussion only refers to the Cyber Workforce, and not the responsibilities of all workers to
maintain secure systems.
Ideas Related to Cyber Learning and Training
A recent study by Brandon Hall Group confirmed that 55% of organizations now have a formalized
approach to align learning and development strategies with the goals of the business. Therefore, most
organizations grappling with the shortage of cyber personnel are not simply seeking a Cyber
certification, rather aspiring to develop a workforce that is competent to execute on their agency or
organization’s stated cyber security initiatives.
IDEA: All agency cybersecurity job roles should be clearly defined and aligned with the National
Cybersecurity Workforce Framework (NCWF)
Organizationally, each cybersecurity job role should be mapped to a specific set of knowledge, skills and
abilities (KSAs). The staff being recruited for these roles should have a full skills assessment against the
stated competencies of the job role. The individual/s should then receive the required skills
development to address any known gaps.
IDEA: Formally institutionalize the acquired best practices into their organizational undercurrent,
which includes methodology adoption, process improvements and policy changes
This approach will reinforce the individual disciplines and establish the desired outcome of an engaged
community combatting constantly changing threats.
IDEA: Provide an environment of skills-based and performance-based training and assessment where
cyber supports the mission through functional assessments, realistic training, and exercise events at
appropriate levels for ALL employees
Provide cybersecurity awareness training and practice, appropriately tailored to leadership,
management, and staff roles, to enable all employees to have basic cybersecurity awareness, skills, and
understanding of how to recognize and report cybersecurity threats, vulnerabilities, and incidents.
For cybersecurity practitioners, move beyond knowledge-based technical training to skills-based
training. Ensure they are certified via performance-based assessment to ensure federal employees and
contractors have the requisite skills to perform tasks required for their functional roles as described by
the NICE National Cybersecurity Workforce Framework.
Ideas Pertaining to Building an Aware and Capable Cybersecurity Culture
A successful information security program is dependent on many things not the least of which is the
agency culture. This culture should understand the role and value of cybersecurity and how deficiencies
can impact mission, accountability, and citizen trust.
IDEA: Agency Chief Information Security Officers should be selected not only for their technical
background but also for their proven track records
CISOs should be able to translate business requirements into secure, mission-driven solutions and
elevate awareness of the impacts of poor security with tangible, meaningful risk-based illustrations and case
studies.
IDEA: Leverage commercial pay scales that are often higher than those of the government.
Agencies should take advantage of all available incentive pay mechanisms to recruit, hire and retain
critical cyber skills and talent.
CHAPTER 7
EXECUTIVE LEADERSHIP-LED RISK MANAGEMENT
Challenge/Question: How can we sustain executive-level attention to this critical issue, and
institutionalize cyber as an on-going component of agency risk-management practices, not just a sidebar activity?
Introduction
Risk management is an important component of modern cybersecurity programs. It enables disciplined
identification and analysis of the risks an organization faces and informed decision-making on actions,
costs, and tradeoffs to mitigate those risks commensurate with their potential impacts. NIST provides a
suite of publications on how to apply risk management to Federal information systems. However, many
Federal agencies still face challenges in implementing robust, effective risk management practices in
their organizations. Anecdotal reports indicate that many decisions are made with incomplete or
outdated information and without the benefit of a rigorous, structured, objective analysis. Other reports
indicate some agencies attempt to protect all of their information assets at the same level, rather than
identifying the highest value assets and investing in them accordingly. This section identifies actions that
can be taken to strengthen Federal agencies’ risk management programs and practices.
Cybersecurity is at the forefront of discussion across almost all Federal agencies today. The challenge for
executive leadership is how to address the cyber challenge. As has become obvious over the last year,
cyber security is not a “fixable” problem. It is not a technical issue that is implemented and then
requires occasional maintenance. The cyber security challenge has moved from a technical issue to a risk
management issue, similar to managing for a natural disaster or a loss of critical infrastructure. Senior
executives know of the cyber issue, but they do not know how to manage their organizations
considering the cyber threat.
The objective of a senior executive is to deliver products and services to his clients, whether they are
citizens receiving social security benefits or Government agencies relying on the service to operate. The
cyber security threat is a risk that could keep organizations from fulfilling their mission. A common
mantra among cyber security professionals is that executives, in both commercial and federal groups, do
not pay enough attention to the cyber issue. In reality, the reason for lack of attention is that the cyber
issue is often presented as an independent problem, not as a risk to their mission and objectives. For
example, the Commissioner of the Social Security Administration’s (SSA) job is not to defeat cyber
threats. It is to deliver benefits to the citizens of the United States. Telling the Commissioner to execute
cyber activities without the context of how it impacts her mission is not of value.
The solution to this challenge is presenting cyber threats and related actions in the form of risk
management directly related to the mission of the executive. Confusion results when the term risk
management is used in regard to cybersecurity. Many believe this is related to the risks posed by a
cyberattack. True risk management focuses on the impact of a cyberattack on the execution of the
mission of the agency or company. The likelihood of the attack must also be considered. For example, if
an attack occurred at the SSA that stopped social security checks from being delivered, the impact on
the country could be catastrophic. Therefore, evaluating systems and the associated threats that could
stop the delivery of checks would be a high priority of the SSA cyber efforts.
The challenge is that this type of mission-focused risk management does not currently exist in most
Federal agencies. Executives are briefed on threats and vulnerabilities, but putting these in the context
of risk against the agency’s mission is not currently done. Similarly, without risk in the context of the
mission of the agency, visibility at the executive level is difficult. Dashboards of vulnerabilities and
attacks, without the associated risks to the organization’s mission, do not provide actionable
information.
Many of the ideas submitted recognized that cyber is no longer a problem to be fixed, but rather is
inherent in a risk based environment. For this approach to be implemented, some standard risk
calculation approach is needed to enable aggregation of risks at different organizational levels. Several
ideas called for common risk modeling approaches.
The commercial world is rapidly moving toward a risk management approach, under a Risk Management
Officer, that monitors cybersecurity in the same context as other risks like natural disasters, financial
failure, or external factors like the loss of a major client. Tools are being developed by the commercial
market to measure cyber risk and should be evaluated for government use. The approach being utilized
by industries such as the financial and insurance industries should be reviewed.
The ideas submitted can be categorized into two primary areas: risk management and visibility and
accountability. The risk management ideas addressed the ability to effectively quantify risk for use in
managing the cyber activities of an organization. The visibility and accountability responses primarily
focused on regulatory type actions and results such as following the Federal Information Technology
Acquisition Reform Act and establishing a similar process to Federal Risk and Authorization Management
Program (FedRAMP) for enterprises.
Ideas Related to Risk Management
The ideas submitted that appeared to have the most promise focused on the establishment of common
risk management assessments and quantification approaches.
IDEA: Agencies need to transition from a compliance-focused approach to a risk management
approach
Viable risk management approaches include a risk model, risk quantitative analysis, and prioritization of
risk mitigation. Without a standard risk quantification method, executives are faced with the challenge
of trying to monitor the high-risk area of cyber against their primary mission. Without this context, just
saying “cyber is a risk” is not enough information for executive level visibility and action.
IDEA: Implement a cybersecurity governance framework that integrates security risk with the
organizational business model and aligns IT risk with business goals
Several commercially accepted models exist, such as COBIT and FAERS, that could be the basis for the
standard risk assessment. Governance frameworks such as COBIT can be used to effect the alignment,
monitor progress, and control operations. The governance model should be extended to the Inter-Agency
Task Force that has been recommended, and executives should be held responsible for the
implementation, monitoring, and control of all risk, not just non-security risk.
IDEA: Adopt a security framework and governance model that follows the next version of the NIST
Risk management Framework, but also provides a set of standard mandatory tools that can identify
misconfigured systems and untrained users in real time, and raise flags
Many organizations do not follow a mature governance framework; executives relegate cybersecurity
risk to the CIO and forget about it. The CIO delegates risk to the CISO, and the CISO is then blamed
when things go wrong. One of the issues with the OMB Risk Management Framework is that it uses
assessment of controls along with audits of sample populations to assess systems. There needs to be a
balance between compliance with a combination of strict configuration management and mandatory
training on the use of systems for all users. Agencies should design networks and systems with a
containment strategy that ensures critical resources are not vulnerable to a compromise from a single
unpatched system.
Risk management approaches relate to organizational resilience. As enterprises strive to gain value by
leveraging technology, the risk associated with digital business is increasing. Isolated approaches to
information security, business continuity, and incident response are a thing of the past; today, the
urgency of providing continuously available services for customers and business partners in the digital
economy requires enterprises to become resilient. A resilient enterprise protects itself from attack, but
also recognizes that defense is not the end-all. A resilient enterprise needs to connect protection and
recovery to the mission and goals of the enterprise, implementing integrated programs in order to
provide sustainability of essential services. C-Suite & Board members need to evaluate the operational
risk inherent in digital business and direct management to ensure that the enterprise is more than just
protected—it is resilient. Cyber risks need to be aligned with the business/mission goals of the
organization including matching value chain risk to identified threats.
IDEA: Move to quantifiable risk based on business functionality
There has been a rather dramatic change in thought in the last nine months or so on this topic,
particularly around the question “What is a risk?” Basically, the determination of risk was a
measurement of vulnerabilities within the environment and the ability to patch/mitigate them. Risk
based on business functionality looks at the business risk, associated dollars to that risk and then looks
at the cyber influences on that risk. In other words, it is top down, not bottom up. This approach also
requires identification of high value assets, operations, etc. This approach also is much more aligned
with C-level discussions. Additionally, under this approach executives need to be given the ability to
declare a “cyber state of emergency”.
Ideas Related to Visibility and Accountability
The ideas in this area primarily revolve around stronger compliance with regulatory areas such as
FITARA.
IDEA: Create a tighter accountability structure for federal agencies and staff
Some form of consistent measurement is needed to monitor compliance actions and status across the
organization on an ongoing basis. The FITARA guidelines could be used to measure each program
activity.
IDEA: Solidify the relationships between CISOs and Risk Management Officers (RMO) within
organizations.
A common trend in commercial organizations is moving the Chief Information Security Officer under the
Risk Management Officer rather than under the Chief Information Officer. This should be a consideration for
Federal agencies as well.
CHAPTER 8
BUILDING EFFECTIVE SECURITY INTO ACQUISITIONS
Challenge/Question: With the continued and growing dependence of the government on commercially
provided IT services, what changes are needed to government acquisition policies and practices to ensure
that contractors provide adequate security and privacy protections to government data and
information?
Introduction
Federal agency acquisition programs are an essential means to acquire IT solutions they need to fulfill
their missions. When executed well, acquisition programs can deliver timely, effective, and cost efficient
solutions that leverage private sector capabilities to meet government program mission needs.
However, all too often, acquisition programs are blamed for the failure to deliver successful and secure
IT solutions. Complaints run the gamut from “the process takes too long” to “the process doesn’t enable
us to buy what we need” to “the Federal acquisition process disincentivizes many innovative companies
from participating”. Some of the concerns appear to reflect misunderstanding and miscommunication
rather than actual structural barriers to success. This section addresses ways that the acquisition process
can be enhanced and leveraged to improve the success rate on delivering secure IT solutions that meet
mission program needs.
Ideas Related to Turbo Charging the Federal Acquisition Process
Successfully delivering Federal programs depends to an ever increasing degree on effective use of
information technology. Citizens, businesses, and state, local, tribal and territorial governments all
expect the Federal government to use the same kinds of technology and processes to deliver services
that they use in their daily lives. A familiar refrain is “why can’t the government work like the best
private companies?” Integrating robust cybersecurity into those services is essential to their success. No
one wants their personal data stolen or their business transactions corrupted due to weak security.
The success of cybersecurity across the Federal government depends on an acquisition process that is
agile, dynamic, and responsive to procure goods, services, and capabilities consistent with the 21st
century imperative to “operate at the speed of the web.” Some of today’s Federal cybersecurity
challenges can be traced to the gap between solutions in use in Federal agencies versus the best
commercially available solutions in use in the private sector. This gap is rooted in the process the
government uses to acquire goods and services from the commercial market. The gap has grown over
time and these two markets have become increasingly disconnected as indicated by diverging cycle
times, inefficiencies, and sub-optimized acquisition outcomes. Unless it is effectively addressed and
closed, this gap poses serious ongoing risks to the performance of government mission programs that
rely on the use of information technology.
Federal CIOs and OMB must deal with the culture of “perfectionitis” to address the interrelated
challenges of growing system complexity, foreign supply sources to include counterfeit components,
cyber threats and vulnerabilities driven by software dependencies, and cost growth to sustain software
intensive systems; all in the era of constrained resources and strong competition for cybersecurity
talent. While it is clear that the federal acquisition environment needs to play a role; it is less clear
what that role should be given that rules aimed at improving cybersecurity may stifle innovation and
adversely impact the competitive marketplace. The following recommendations are purposeful,
meaningful steps to refocus and turbo-charge the federal acquisition process:
IDEA: Change is not a one-time event, so establish an environment that enables continuous change
management
Rather than identifying “perfect” cybersecurity improvements, efforts should be focused on breaking
the changes down into discrete small steps to get things moving and create momentum. The following
actions should be considered as potential incremental improvements:
o Create cybersecurity dashboards to visualize threats;
o Establish a virtual marketplace web store to enable market research and access to tools and capabilities;
o Conduct virtual training workshops;
o Establish collaboration sites to share best practices; and
o Create a wiki to make cybersecurity resources more readily available.
IDEA: Progress is not possible without change, so emphasize outcomes of the process, not inputs
In unfamiliar situations, like a changing cyber environment, people and organizations take cues from
others, which is what makes positive peer pressure so effective. Leverage key influential players to drive
change and celebrate success. Recommend leveraging existing award competitions, like the ACT-IAC
annual “Acquisition Excellence” competition to recognize high performing cyber initiatives, programs
and practices and incentivize others to emulate and adopt them. Consider leveraging this activity to
create a “Cyber Best Practices” program to purposefully collect best practices that could be evangelized
for broader adoption.
IDEA: Promote market incentives to accelerate Federal cybersecurity innovation
Doing business with the Federal Government requires accepting a plethora of unique regulations,
standards and specifications, and often instituting a separate and unique set of accounting and
reporting practices. Certified cost and pricing data, intellectual property concerns, and limited profit
margins result in a divide between federally-focused companies and commercially-focused companies.
Perceptions that the burden is not worth the potential revenue gain cause some companies to avoid
entering the Federal market, preventing potentially valuable capabilities from being available to the
government. The adoption of bold new approaches specifically focused on incentives, including
nontraditional approaches to promote cyber innovation, could help overcome these barriers. One such
concept is a not-for-profit venture capital firm that invests in high-tech companies for the sole purpose
of building a pipeline of cutting edge cyber solutions for the federal environment. Without a reasonable
prospect of profit or a sizable production program that generates a revenue stream and profits, there is
little incentive for a company to risk its own funds.
IDEA: Direct C-level involvement in a consistent cadence
Federal Agencies could be better served by adopting management styles, market practices and metrics
closely aligned with those that operate in the commercial world. Defending against cyber threats should
be among Federal Agencies’ top priorities. This includes enhancing capabilities to protect and defend its
networks and ensure that current and future systems can operate effectively in a cyber-contested
environment. Establish Cybersecurity Investment Management Boards that involve the most senior
leadership of each Agency that meet regularly. An alternative to a stand-alone board is to integrate
cybersecurity as a visible priority consideration in existing IT Investment Management Boards and their
business processes.
IDEA: Development Operations (DevOps) is the new normal, not an exception
The agile concepts and methodology of “DevOps” combine capability development with
operational excellence. This approach can be applied directly to the cyber environment to impact
mission processes and enterprise decisions. DevOps fundamentally changes the traditional concepts and
separation of “acquisition” from “sustainment”. It begins with the mission business (the Ops part of
DevOps) with a cadence and structured and disciplined methodology to drive capability development
(the Dev part of DevOps) without the “traditional” acquisition constraints. DevOps emphasizes
enterprise-level decision making to drive efficiency across both development and operations. This would
benefit agencies’ cybersecurity through enhanced collaboration between development and operations
staffs. Several attempts have been made recently to establish “agile” acquisition processes that track
and support agile development methodologies. These efforts should be evaluated to develop a set of
best practices that agencies could use to adapt and institutionalize agile acquisition methods.
IDEA: Establish a Dedicated Cyber Innovation Laboratory and Fund for the Federal Government
Cyber-security vulnerabilities are a direct fall-out from the complexity we find ourselves in. Given the
ubiquitous cyber threats, IT staffs are already overtaxed and they face even more sophisticated cyber
threats in the future. The Federal Government needs to invest in tomorrow’s technology to significantly
change the approach. Research is needed to create 21st century solutions with 21st century processes
that cut across organizations, agencies and departments. A Cyber Advanced Research Laboratory could
formulate and execute research to address a whole new class of vulnerabilities and scaling techniques at
machine speed to remove the human from the equation. The immediate focus would be to create a
cyber-testbed to evaluate alternative cyber technologies. This capability would provide government
agencies a place where they can share expertise, test solutions, and maintain and extend the expertise
and skills of their workforce.
IDEA: Re-Invent the OMB Dashboard to Address Supply Chain Challenges
The IT Dashboard is a website enabling federal agencies, industry, the general public, and other
stakeholders to view details of federal information technology investments. Its purpose is to provide
information on the effectiveness of government IT programs and to support decisions regarding the
investment and management of resources and is used by the Administration and Congress to make
budget and policy decisions. The IT Dashboard could be strengthened to include comprehensive,
detailed and reliable quantitative cyber metrics, including cooperation between the Federal Agencies
and with the private sector on cybersecurity and supply chain concerns. The Federal IT environment
could learn from efforts ongoing within the European Union to establish a visualization tool to provide
near real time supply chain and cyber threat information to increase collaboration and to discern the
impact of vulnerabilities. As part of an effort to identify Cyber Acquisition Best Practices, ACT-IAC hosted a
forum with a United Kingdom organization creating a real-time supply chain and cyber management portal
that promises to address today’s interconnected world with a 21st century solution. Technology
has become integral to virtually every sector of the global economy, including banking, communications
and the electrical grid, all of which are affected in real time by changes in cyber threats. The OMB IT
Dashboard represents the first step toward creating meaningful change by providing a tool that could
share real-time supply chain and cyber information across Federal government.
IDEA: Using Certifications Similar to FedRAMP for All IT Acquisitions
Applying consistent cybersecurity standard requirements across all federal contracts could
strengthen the Federal government’s cybersecurity. The Joint Task Force that developed the Risk
Management Framework could be leveraged to develop certification criteria for a “CyberRAMP”
Program to determine contractors’ products and services compliance with all applicable cybersecurity
requirements. This program could be managed by GSA once the certification criteria and requirements
were finalized. The CyberRAMP Program would allow for third party certification using the Joint Task
Force requirements in the same manner as the FedRAMP Program. The certification criteria could be
required either on an acquisition by acquisition basis or for all acquisitions where IT is involved. Given
the urgency of improving cyber security hygiene, it could also be an evaluation factor in technical and
cost tradeoff evaluations.
IDEA: Quickly establish a cybersecurity acquisition portal (GovCAP), similar to a wiki or a GSA
Category Management Hallway, open to government and industry to help accelerate sharing,
adoption, and implementation of best practices and tools
The GovCAP, like a Hallway, would be a complete knowledge, best practices and exchange of ideas
center. This portal could help address inconsistencies in how acquisition policies, rules, and regulation
are implemented in the Federal government.
It is suggested that this be managed by GSA, but overseen jointly by DOD, DHS, OMB and NIST.
1) It should include all current and proposed federal government contract requirements, as a
minimum.
2) It should include sample acquisition evaluation criteria and evaluation methodologies.
3) It should allow for exchange of best practices, posting of articles, and also include experiences
with new contract requirements and evaluation criteria.
4) It should allow for connection to government cybersecurity centers of excellence for
government personnel and possibly contractor personnel for help with questions.
5) It should allow for both classified and unclassified cybersecurity intelligence and
countermeasures by government and industry acquisition personnel as appropriate and needed.
IDEA: Professionalizing Cyber Risk Management Through Cyber Insurance
The Federal government should develop approaches and incentives to leverage recent developments in
cyber insurance and new tools, technologies and concepts that help assign financial values to
cybersecurity risks. Agencies should provide analytics that quantify the financial impact on business
and the loss of intellectual property.
For those in the Federal Government who think cyber insurance is years away, think again. Last year
the Chief Risk Officer’s (CRO) Forum released a report titled “Cyber Resilience – The Cyber Risk
Challenge and the Role of Insurance.” Cyber insurance is a rapidly growing market offering. Sales
reportedly doubled between 2013 and 2014 and many insurance providers are swamped with
applications. The benefit of insurance is being realized as Target is expected to recover $90 million, of
the estimated $250 million loss, from their insurance in the wake of their breach. Cyber insurance
provides a new calculus that monetizes adverse cyber impacts so C-level executives no longer are faced
with an ethereal concept.
So how is this relevant to the Federal Government? New products and services are already hitting the
market. New tools using the Factor Analysis of Information Risk (FAIR) industry standard risk model to
calculate quantifiable costs are now available. The insurance industry’s codification of risks will be
incorporated into similar tools that will quantify risks and enable organizations to calculate what type,
and how much, cyber investment is needed for each area.
Likewise, the Carnegie Mellon Software Engineering Institute (SEI) has developed a CERT® Resilience
Management Model that provides a maturity model of an organization’s cyber operations. This model
acts similarly to the Capability Maturity Model Integration (CMMI) that is used in the software industry to
measure an organization’s maturity level in developing and managing software. This type of maturity
modeling will allow insurers to assess a company’s cyber capabilities against the calculated
financial risk. CISOs are being trained at places such as Carnegie Mellon to approach cyber from a risk
based approach versus the formal, checklist driven compliance methodology that has been employed in
the past. This risk-based approach aligns with the objectives of the insurance industry.
Ideas Related to Using the Acquisition Process To Modernize IT Infrastructures
The complexity of the IT infrastructure and associated cyber threats and vulnerabilities has increased
exponentially and computer systems are becoming increasingly interconnected and interdependent.
Continuing to meet these threats with legacy infrastructure and “bolted on” security is like running a
marathon with ankle weights. It can be done, but it is exceedingly difficult, one’s finishing time will be
slow, and there’s a big risk of injury. We need to “out-innovate” adversaries on a continuous basis and
ensure more resilient systems environments. The outdated IT infrastructure prevalent in many agencies
is an impediment to Government cybersecurity. Legacy systems are often managed and secured in a
“stovepiped” manner with vendor-specific management stacks. Furthermore, they generally require
more manual activity, which means slower response time, as well as being more expensive and error-prone.
IDEA: Agencies should use new development, capital renewal cycles, and service contract transitions
as opportunities to migrate to shared, virtualized and software-driven infrastructures
There are multiple potential security benefits from shared services (see
http://federalnewsradio.com/commentary/2015/07/shared-services-key-part-21st-century-federalcyber-strategy/).
For one, technologies like Software Defined Networking and Network Function
Virtualization can improve security by automating the propagation of security policies across the
network infrastructure, implementing advanced security with service chaining, and dynamically
changing network topology due to detected threats and intrusion. Modern IT will make other security
measures, such as encrypting data at rest, easier to implement. With shared services, there would be
fewer, more centrally managed systems. Lastly, and perhaps most importantly, shared and cloud
services can provide cost advantages for both capital expenditures and operational expenses. With less
cost and focus on procuring and operating and maintaining expensive obsolete infrastructures, agencies
could allocate more resources and focus on cybersecurity.
Of course, shared, virtualized and software-driven infrastructures also carry some of their own security
risks, which must be recognized and mitigated. For example, networking Operating Support Systems
must be modernized and include end-to-end orchestration capabilities to automate the provisioning,
testing, upgrading and configuring of IT. Components such as a Software Defined Network controller
must be considered high-value assets, safeguarded appropriately, and provisions made for rapid
incident recovery. And cloud computing can be insecure without adequate controls. For example, the
ease with which Virtual Machines are created, transported and used can increase their vulnerability to
exploitation by malicious software. There are clear advantages of procuring IT and networking
infrastructure as an outsourced or managed service. Standardizing processes and supporting technology
can improve security effectiveness and efficiency by reducing variation in security controls and
eliminating duplication of security work and reporting. By standardizing technology, e.g. moving to a
common financial shared services platform, agencies can significantly reduce the number of system
setups, interfaces, security profiles, and manual workarounds, all of which streamline security control
design and testing. In all cases, the Government must contractually require and ensure the service
provider employs appropriate security provisions.
IDEA: Instituting a Cybersecurity Requirements Baseline for the Acquisition Lifecycle
Given the increasing susceptibility of networks, systems and applications to cyber breaches and attacks,
the government needs to ensure cybersecurity requirements and standards are integrated throughout
the entire acquisition lifecycle. In addition, acquisition personnel need to be adequately trained on
those requirements to ensure they are correctly included.
IDEA: Integration of cybersecurity requirements is essential
From the establishment of the initial analysis for choosing a concept for an acquisition program or
system, to the release of a solicitation and ultimately to the operations phase, integrating cybersecurity
requirements is essential. Requirements developers and acquisition personnel determine which
baseline requirements and performance measures should be included. The requirements should come
from a cybersecurity reference guide that details the requisite technical elements necessary at each
stage of the acquisition lifecycle (requirements, development, authorization and operations) depending
on the type of acquisition. As an example, the FedRAMP baseline identifies a government-wide
consensus on the cybersecurity control standards for cloud computing platforms. A reference guide
could be modelled after the DoD Program Manager’s Guidebook for Integrating the Cybersecurity Risk
Management Framework into the System Acquisition Lifecycle Version 1.0 which specifies in detail the
requirements needed at each phase of the lifecycle. A standard set of requirements can help ensure that
cybersecurity protections are included throughout the acquisition process. It can also assist solution
providers in understanding and successfully fulfilling the government’s requirements. Model
cybersecurity contract requirements language could be developed to accelerate adoption and improve
consistency across programs and agencies. This language could also address secure supply-chain and
system integration and interconnection issues.
IDEA: The government should limit sources to Original Equipment Manufacturers (OEMs), authorized
resellers, and trusted suppliers, and the qualification should be incorporated into the full acquisition
and sustainment life cycles, starting with requirements definition, acquisition planning, and market
research
The 2013 DoD-GSA Report entitled “Improving Cyber security and Resilience Through Acquisition,”
recommends this approach for high risk acquisitions. The report states that purchasing only from such
“trusted sources” is the best approach to reducing the risk of receiving inauthentic or otherwise
nonconforming items. These directions are a result of the President’s Executive Order 13636 of
February 12, 2013, “Improving Critical Infrastructure Cyber Security.” OPM is applying these standards
to all of their procurements.
Ideas Related to Improving IT Acquisition Training for Acquisition Professionals
IDEA: Acquisition personnel should be trained on cybersecurity best practices, standards and
baselines as they apply to the acquisition lifecycle
Requirements need to be well thought out and specific to an acquisition; therefore, acquisition
professionals need to be knowledgeable and well trained in the cybersecurity requirements and
standards to ensure there is no ambiguity in the requirements requested. Adequate training ensures
that these requirements are accurately included in the acquisition process and reduces the time and money
spent on contractor questions during the solicitation process and the subsequent myriad of change
amendments created. Acquisition officials do not need to be experts in cybersecurity, but they must be
able to recognize what types of requirements are needed for acquisitions that pose a cyber-risk.
IDEA: Cyber Security skills-based and performance-based awareness, training, education and
certification must include program and project managers; system and data owners; contracting
officers (COs) and contracting officers’ representatives (CORs); configuration managers and the
employees and executives of vendors offering or providing the IT services
IT certifications are an excellent approach to demonstrate professional competency in a certain aspect
of technology. Certifications often follow some assessment, education or review. One difference with
certifications in IT is that they are often vendor-specific. Integration and interconnection of disparate
systems often distorts or modifies system boundaries that were originally accredited and authorized.
During the initiation phase of any IT project, a basic cyber security awareness module should be
developed that focuses procurement personnel on the requirements to include cyber security
protections in all phases of the system development life cycle. Awareness will serve as a reminder of
the basics. Training should provide the “how to” of the process of understanding and incorporating
cyber security into the actual procurement process. Cyber security training modules are recommended
for additional procurement, project and program management personnel training. There are many
procurement manager and officer, purchasing manager, sourcing and supply chain management
certifications. Many of these disciplines include IT acquisition. The initiative should begin to reach out
to the certifying programs to include cyber security in the certification curricula. It is recommended that
the cyber community widely adopt NIST Special Publication 800-128, Guide to Security-Focused
Configuration Management of Information Systems.
CONCLUSIONS AND NEXT STEPS
Information technology is intricately woven into the fabric of government, commerce, and our daily
lives. We have come to rely on and take advantage of technology’s potential to do things better, faster,
cheaper and easier than ever before. Technology and its uses continue to evolve and expand rapidly.
However, every technology has strengths and weaknesses. Hackers, criminals, and nation states with
malicious intentions all attempt to exploit weaknesses to their own advantage. If technology is to serve
as an integral part of society and the economy, then we need to do a much better job at cybersecurity.
For this reason, ACT-IAC conducted an open call for ideas and produced this report, to leverage the
potential benefits of technology while simultaneously improving the security of government information
and systems.
An impressive array of experts and organizations offered ideas for consideration in this report. Some of
the ideas are relatively easy to implement, others are more difficult. Some can be done quickly and at
low cost, others would take more time and resources. The ideas offer policy makers, decision makers,
and practitioners new ways to tackle challenging cyber issues.
As a sign of the importance of this issue, many members of the community who contributed to this
report have asked “what happens next?” and expressed interest in continuing to work on this issue.
ACT-IAC and its Community of Interest groups will review next steps, particularly as it relates to sharing
more actionable details around how to implement many of the excellent ideas shared through this
cyber ideation initiative. In the meantime, we hope the readers of this report will consider these ideas,
adopt ones where they see value, and share the results.
As a reminder, for a complete listing of the ideas submitted, go to:
https://www.actiac.org/sites/default/files/cybersecurity-innovation-ideas.xls
APPENDIX 1
AUTHORS AND CONTRIBUTORS
Project Co-Chairs:
Dave McClure, Veris Group, LLC
Mike Howell, ACT-IAC
Major Contributors
Dan Chenok, IBM
Ed Silva, Centerpoint
Melinda Rogers, Department of Justice
Don Arnold, Quantified Perception
Ken Adams, KPMG
Christine Andrews, HP
Edward Liebig, Unisys
Mike Riley, Department of State
Katie Thatcher, US Cyber Command
John Bird, System 1
Tom Baughan, Monster Government Solutions
Rory Schultz, Department of Agriculture
Natalie Carey, Valiant Solutions
Bob Clarke, Monster Government Solutions
Joseph Cudby, Level 3 Communications
Brian Green, Learning Tree International
Debra Tomchek, ICF International
Jim Williams, Schambach & Williams
Don Johnson, Department of Defense
Kevin Gallo, General Services Administration
Cynthia Shelton, CenturyLink
Barry Wasser, U.S. Department of Agriculture
Angela Smith, General Services Administration
Chip Block, Evolver
Maria Roat, Department of Transportation
Christy Sanders, Knight Point Systems
Narpender Bawa, REI Systems
Ronald Banks, U.S. Air Force
Barry Chapman, Maximus
Mike Ligas, Lookout Mobil Security
Mike Palmer, Office of Management and Budget
Lou Kerestesy, GovInnovators
Johan Bos-Biejer, General Services Administration
John O’Conner, PWC
Kevin McPeak, Symantec
Brad Nix, Department of Homeland Security
Bridgit Griffin, U.S. Air Force
Alye Villani, Lockheed Martin
Dean Abrams, Unisys
Arnold Webster
Esteve Mede, Federal Election Commission
Lee Kelly, Environmental Protection Agency
Ken Durbin, Symantec
Mathew Neuman, Crossmatch
Banyat Adipat
Mark Orndorff, Suss Consulting