ADAPTIVE RESPONSE
    Over the next year, you’ll see a full integration of privacy
into all our FISMA pubs. It’s going to stand side-by-side with security as an equal partner, every bit as important as security.
with the screen, and you are running the apps and all that. I call that the above-the- waterline view. It’s like you are in the ocean, and half of you is above the waterline looking around having a good old time. Meanwhile, below the waterline, there are sharks.
The average person is not really concerned about what’s going on below the waterline because that’s not where their world view is. They’re dealing with the application level. Meanwhile, incredibly complex software, hardware, firmware and systems are below the waterline. That complexity is where the adversary is attacking every day. That’s the part we have to start to fix.
Sometimes there are things you know you have to do but you never do them. Even with all this danger out there, the culture still drives us to more technology, more apps, more smartphones and more tablets. I think we are literally addicted to that whole world because of social media and all the technology. It’s doing things we never imagined it could do.
We’re going to have to create more resiliency. And “adaptive cybersecurity strategies” may be an appropriate term to capture that whole new world we’re moving into.
How does adaptive cybersecurity fit into IT modernization plans?
We can just go ahead and modernize
like we always do, or we can start to take advantage of some new things. One is moving additional federal applications and systems to the cloud. Everything’s not going to go to the cloud, but FedRAMP gives you some confidence that you can move certain of your applications and maybe even reconfigure or redesign some of the systems to take better advantage of cloud technology.
The second one is to develop more shared services. In other words, how many HR or payroll systems does the federal government need? If you could combine them and have one service that all the agencies can use, then think how much cost you can eliminate. And you can then turn that cost savings into greater protection for that shared service.
Whatever’s left might be termed high- value assets. After the Office of Personnel Management breach, the Department of Homeland Security started looking at everything we consider a high-value asset. It’s looking at what those systems do, why they’re critical, what they’re connected to
— either a direct connection or through secondary or tertiary connections. That’s how adversaries tend to get in, through those transitive connections. By looking at those things, we can say, “OK, if we move a lot of stuff to the cloud and we move stuff to shared services, then we can really focus like a laser beam on
those high-value assets.”
And we can apply some of the security
engineering guidance that NIST is producing with greater strength, including some of the security controls that are more difficult but necessary, to help protect those high-value assets. We can focus on that instead of trying to do everything and not doing a good job at it.
We also want to make sure that we protect all the data that the citizens expect us to protect, so we’re integrating privacy into our guidance.
We’re modernizing five publications that have been around since the original Federal Information Security Management
Act — including 800-53, the security and privacy controls catalog, and 800-37, the Risk Management Framework.
That framework traditionally focused only on security risk management. The new 800-37 Revision 2 is going to focus on managing risks for security and privacy.
Over the next year, you’ll see a full integration of privacy into all our FISMA pubs. It’s going to stand side-by-side with security as an equal partner, every bit as important as security.
I’ve never been busier in my 20 years at NIST. I should have retired a year ago, but I can’t seem to pull the trigger because there’s still too much to do. And I just want to see this problem solved once and for all.
 SPONSORED CONTENT | S-77