Page 31 - FCW, September 15, 2017

FCW Perspectives
What’s next for cybersecurity?
Ninety days after the Trump administration’s executive order, FCW sat down with agency cyber leaders to discuss what’s changing
When the White House issued its long-awaited executive order on cybersecurity in May, it formalized what many in government had long argued was necessary: adopting the National Institute of Standards and Technology’s Cybersecurity Framework and embracing enterprise risk management at every agency.
FCW gathered cybersecurity leaders on Aug. 9 — 90 days after the cyber order was issued and the date by which agencies were required to submit a written response to the Office of Management and Budget regarding their new risk assessments — and asked them to discuss their experiences to date. The discussion was on the record but not for individual attribution (see Page 32 for a list of participants), and the quotes included below have been edited for length and clarity. Here’s what the group had to say.
Big changes or paving the cowpaths?
Most participants said President Donald Trump’s May 11 executive order didn’t tell them anything they didn’t already know, but they still praised it for making cybersecurity’s importance clear governmentwide.
“We had already codified things such as the security framework as to ways we were moving forward,” one security executive said. “We’ve had maybe validation but no impact from the executive order at this time.”
She added that “we were already moving down that path. Because of that, I fully endorse what they’re doing.”
Another participant, whose agency was perhaps not quite so far along, agreed that “most people who were doing strategic planning within their agencies were fully cognizant” that different approaches were needed.
“Whether you talk about the need to prioritize cyber investments based on high-value assets or some other algorithm,” he said, “it was becoming very obvious because the number of dollars needed is ginormous. And agencies have mission activities that they need to do, so you can only compete so much for those funds.”
He added that “the recognition that we need to modernize the network structure is kind of also a self-evident truth. This is a core, systemic problem that exists, and...it is now recognized that modernizing the infrastructure is absolutely critical in order to solve our cyber problems because we can’t keep patching.... That was also intuitively obvious, but many things that are intuitively obvious aren’t really intuitively obvious until someone puts them into a formal document and says, ‘This is what’s going on.’”
That affirmation of generally held best practices also poses a bit of a risk for agencies that have already embraced them.
“What I see in the order is a lot of the same things that we’ve seen in the past, just stated in a different way,” one executive said. And like most guidance, the executive order and OMB’s implementation memo came with the unspoken assumption that “you weren’t doing it before.”
That executive’s agency — a Cabinet-level department — took care to establish a clear baseline for each of the five core activities in the Cybersecurity Framework. In its submissions to OMB, the agency showed “where we have made significant accomplishments in the past,” he said. “And because of those accomplishments, we’re going to move and build on those to move to the future.”
He added that “we do not want to give anybody, especially OMB, the impression that...we’re not continually