“Strengthening the cybersecurity of Federal networks, systems, and data is one of the most important challenges we face as a Nation.”
That statement is extremely pertinent, especially since each federal agency is responsible for managing its own IT systems, with no real consistency in how infrastructure is maintained or data is protected. Additionally, a broad surface of legacy systems with thousands of different hardware and software configurations (each containing its own exploitable weak points) puts the federal ecosystem at even greater risk. All an attacker has to do is find an agency with a weak security posture, gain a foothold, and move from system to system to exfiltrate sensitive information without anyone being the wiser.
On the heels of the OPM breach in 2015, the Office of Management and Budget (OMB) launched the Cybersecurity Sprint. The Sprint's main directive was to build on the administration's strategy by assessing and improving the health of all federal IT assets and networks, both civilian and military.
The government was fairly aggressive in taking immediate security measures while the Sprint was being conducted. Agencies were directed to identify high-value assets, patch critical vulnerabilities, limit the number of privileged users, and accelerate the use of PIV cards for authentication. As a result of OMB's directive, federal civilian agencies increased their use of strong authentication for all users by 30 percentage points during the Sprint and, today, more than 80 percent of those users authenticate with strong credentials.
After a comprehensive 60-day review of the government's cybersecurity policies, procedures, and practices by 100 experts from across government and private industry, the Cybersecurity Strategy and Implementation Plan (CSIP) was born, and it looks a lot like the NIST Cybersecurity Framework, which is a good thing.
“The CSIP acknowledges the current landscape of Federal cybersecurity by emphasizing the need for a ‘defense in depth’ approach, which relies on the layering of people, processes, technologies, and operations to achieve more secure Federal information systems.”
Constantly under attack, the government has to implement measures that ensure readiness and resilience when incidents inevitably occur, and that prevent the same incidents from happening again.
Similar to other regulations and standards, the CSIP provides the framework for achieving these goals by:
- Improving capabilities that enhance the protection of assets and information.
- Identifying and detecting vulnerabilities, threats, and patterns of malicious behavior.
- Developing stronger response and recovery capabilities.
- Sharing threat information across the federal information ecosystem.
The government got some quick security wins with the immediate actions executed during the Sprint and, given its willingness to move swiftly in adopting the measures outlined in the CSIP, will certainly gain a few more. But in the words of Federal CIO Tony Scott, "Cybersecurity is never finished and is ever changing."
Obstacle 1 – Acquiring and deploying technologies
The fifth objective in the CSIP speaks to the government's need to acquire and deploy technologies efficiently and effectively. It's no secret that the federal procurement process is frustratingly complicated and lengthy. Considering how rapidly the threat landscape changes, will the government be able to deploy a solution before the landscape shifts again and that solution becomes obsolete?
Obstacle 2 – Adhering to patching requirements
The CSIP directs agencies to patch critical software vulnerabilities immediately, or at most within 30 days of a patch becoming available, in line with established best practice. The Federal Times noted that 75 percent of the $80 billion the federal government spends annually on IT goes to operating and maintaining legacy systems that can be more than two decades old. Often, these systems cannot support modern security controls or current regulatory standards, and in some cases no patch exists to apply.
Obstacle 3 – What about the endpoint?
There is still much left to address if the ultimate goal is truly a continuous, active security posture. For example, the language in the CSIP still focuses heavily on protecting the perimeter. This may be a big red flag, particularly after reading the "SANS 2016 State of Endpoint Security" report, which found that desktops and laptops (endpoints) were the most frequently breached systems and that an endpoint compromise routinely led to more widespread compromise.
Obstacle 4 – Skilled security folks
The private sector is having trouble hiring and retaining skilled security talent. If that's the case, where does that leave the government's recruitment and retention efforts, which compete for the same people with lower salaries and a slower hiring process?
The federal government will continue to be an attractive, high-value target for cyber criminals, and the best way for it to defend against cyber threats is a continuing effort to strengthen and mature its cybersecurity posture.
Is it too optimistic to believe that the CSIP will be the magic bullet that brings the government's systems to a higher level of security? Probably, but it's certainly a good start. The onus now rests with the government to maintain the initial enthusiasm seen after introducing the policies and guidelines designed to strengthen it.