Page 10 - GCN, Aug/Sept 2017

CYBER RESILIENCE
AGENCIES SHIFT FOCUS TO CYBER RESILIENCE
In the post-Cyber Sprint era, agencies are taking a more holistic approach to improving their cyber posture.
In the last 18 months, like never before, federal agencies have come to terms with both the importance and complexity of cyber resilience.
A number of high-profile data breaches in 2015—followed by the Cyber Sprint, a government-wide assessment of existing security measures—drove home the point that agencies need to think about cybersecurity in new ways.
The traditional focus on preventing attacks, often called perimeter defense, clearly is still necessary, but it is not sufficient. Given the increasing sophistication of cyberattacks, agencies need to integrate security solutions throughout the enterprise.
Agencies also need to recognize that cybersecurity is not just a product or service category. It is a discipline that must be integrated throughout an organization and throughout its key processes.
This shift in focus from frontline cyber defense to a more holistic concept of cyber resilience will help agencies become more agile in how they identify, mitigate and, when necessary, recover from attacks.
The case for resilience is urgent. According to the Government Accountability Office (GAO), the number of federal information security incidents increased by more than 1,000 percent between 2006 and 2015. Of particular concern are the attacks on what GAO calls high-impact systems, that is, those holding especially sensitive information.
Those systems are frequent targets, according to GAO. In a recent study, GAO found that 18 major agencies reported more than 2,000 security incidents targeting high-impact systems, including nearly 500 incidents involving the installation of malicious code.
“Increasingly sophisticated threats to information technology systems and the damage that can be generated underscore the importance of managing and protecting them,” the report states.
One challenge is that many existing systems are based on outdated technology, according to the Cybersecurity Strategy and Implementation Plan, which the White House issued at the conclusion of the Cyber Sprint.
SPONSORED CONTENT
Over the years, these systems have grown increasingly complex with the proliferation of hardware and software configurations, “which introduces significant vulnerabilities and opportunities for exploitation,” the plan states.
This concern with legacy systems has prompted several legislative proposals to help agencies fund modernization efforts. A bill introduced by Rep. Will Hurd (R-Tx.) and other lawmakers would allow agencies to create their own working capital funds to upgrade or replace old systems.
Another bill, introduced by Rep. Steny Hoyer (D-Md.) and based on a White House proposal, would create a government-wide $3.1 billion revolving fund for modernization.
Meanwhile, the Office of Management and Budget (OMB) is pushing agencies to change how they monitor the security of their systems.
In its recent revision of Circular A-130, the federal government’s overarching information management policy, OMB directs agencies to move away from “periodic, compliance-driven assessment exercises” and toward “the ongoing monitoring, assessment, and evaluation of federal information resources.”
“In today’s rapidly changing environment, threats and technology are evolving at previously unimagined speeds,” OMB officials wrote in a blog post announcing the new policy. “In such a setting, the government cannot afford to authorize a system and not look at it again for years at a time.”
The administration also is trying to provide agencies with easier access to security services. There are a plethora of services available through the General Services Administration’s Schedule 70 contract vehicle, but they can be difficult to find. Under the administration’s Cybersecurity National Action Plan, GSA will create a special item number for such services as network mapping, penetration testing, phishing assessment, and vulnerability scanning.
Unfortunately, modernization and policy changes can only go so far in addressing the vulnerability of federal systems. According to the GAO, some of the most perplexing security threats get through because of human error—employees clicking on malicious links or attachments, or reusing their passwords.