{ "version" : "https://jsonfeed.org/version/1", "content" : "news", "type" : "single", "title" : "Modernizing Federal Cybersecurity |Digital.gov", "description": "Modernizing Federal Cybersecurity", "home_page_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/","feed_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2015/11/02/modernizing-federal-cybersecurity/index.json","item" : [ {"title" :"Modernizing Federal Cybersecurity","summary" : "Summary: Today, the Administration directed a series of actions to continue strengthening Federal cybersecurity & modernizing the government’s technology infrastructure. Strengthening the cybersecurity of Federal networks, systems, and data is one of the most important challenges we face as a Nation. Every day, public and private sector leaders—my team included—are directing significant resources to address","date" : "2015-11-02T13:00:34-04:00","date_modified" : "2025-01-27T19:42:55-05:00","authors" : {"tony-scott" : "Tony Scott"},"topics" : { "product-and-project-management" : "Product and project management" },"branch" : "bc-archive-content-3", "filename" :"2015-11-02-modernizing-federal-cybersecurity.md", "filepath" :"news/2015/11/2015-11-02-modernizing-federal-cybersecurity.md", "filepathURL" :"https://github.com/GSA/digitalgov.gov/blob/bc-archive-content-3/content/news/2015/11/2015-11-02-modernizing-federal-cybersecurity.md", "editpathURL" :"https://github.com/GSA/digitalgov.gov/edit/bc-archive-content-3/content/news/2015/11/2015-11-02-modernizing-federal-cybersecurity.md","slug" : "modernizing-federal-cybersecurity","url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2015/11/02/modernizing-federal-cybersecurity/","content" :"\u003cblockquote\u003e\n\u003cp\u003eSummary: Today, the Administration directed a series of actions to continue strengthening Federal cybersecurity \u0026amp; modernizing the government’s technology infrastructure.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003eStrengthening the cybersecurity of Federal networks, systems, and data is one of the most important challenges we face as a Nation. Every day, public and private sector leaders—my team included—are directing significant resources to address this ever-growing problem. Yet as cyber threats increase in severity, so does the pace of this Administration’s efforts. Since 2009, the U.S. Government has implemented a wide range of policies, both domestic and international, to improve our cyber defenses, enhance our response capabilities, and upgrade our incident management tools by:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDirecting a comprehensive \u003ca href=\"https://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf\"\u003eCyberspace Policy Review\u003c/a\u003e in order to assess U.S. policies and structures for cybersecurity;\u003c/li\u003e\n\u003cli\u003eMaking cybersecurity one of the Administration’s first cross-agency priority management \u003ca href=\"http://www.performance.gov/node/3401/view?view=public#overview\"\u003egoals\u003c/a\u003e;\u003c/li\u003e\n\u003cli\u003eSpurring information sharing through the President’s executive order to encourage the development of Information Sharing and Analysis Organizations (ISAOs) to serve as the hubs for sharing critical cybersecurity information and promoting collaboration for analyzing this information both within and across industry sectors;\u003c/li\u003e\n\u003cli\u003eLeveraging cutting edge tools like the Department of Homeland Security’s (DHS) EINSTEIN and Continuous Diagnostics \u0026amp; Mitigation (CDM) program; and,\u003c/li\u003e\n\u003cli\u003eProposing \u003ca href=\"https://www.whitehouse.gov/sites/default/files/omb/budget/fy2016/assets/fact_sheets/cybersecurity-updated.pdf\"\u003etargeted investments\u003c/a\u003e across a range of Federal departments and agencies that improve cybersecurity and protect government networks from cyber-threats.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eEarlier this year, \u003cstrong\u003ethe White House Office of Management and Budget (OMB) launched a \u003cem\u003e\u003ca href=\"https://www.whitehouse.gov/sites/default/files/omb/budget/fy2016/assets/fact_sheets/enhancing-strengthening-federal-government-cybersecurity.pdf\"\u003e30-day Cybersecurity Sprint\u003c/a\u003e\u003c/em\u003e, building upon the Administration’s whole-of-government strategy\u003c/strong\u003e, to assess and improve the health of all Federal information technology (IT) assets and networks, both civilian and military. As part of the Sprint, OMB directed agencies to immediately patch critical vulnerabilities, identify high-value assets, review and tightly limit the number of privileged users with access to authorized systems, and dramatically accelerate the use of Personal Identity Verification (PIV) cards or an alternative form of strong authentication for accessing networks and systems. \u003cstrong\u003eWe saw significant progress in these areas\u003c/strong\u003e. During the course of the Sprint, Federal Civilian agencies increased their use of strong authentication for all users from 42 percent to 72 percent—\u003cstrong\u003ean increase of 30 percent\u003c/strong\u003e. And \u003cstrong\u003etoday, agencies have increased their use of strong authentication to over 80%\u003c/strong\u003e.\u003c/p\u003e\n\u003cdiv class=\"image\"\u003e\n \u003cimg\n src=\"https://s3.amazonaws.com/digitalgov/_legacy-img/2015/11/600-x-442-CSIP_0-Cross-Agency-Priority-CAP-Goal-Progress-with-Cybersecurity-Sprint-Results.jpg\"\n alt=\"Cross Agency Priority (CAP) Goal Progress with Cybersecurity Sprint Results\"/\u003e\u003c/div\u003e\n\n\n\u003cp\u003eWhile these statistics demonstrate marked improvement in identifying and closing the gaps in the Federal cyber infrastructure, \u003cstrong\u003ewe still have more work to do\u003c/strong\u003e. We must acknowledge the modern reality that \u003cstrong\u003ethe work of addressing cyber risks is never finished and is ever changing\u003c/strong\u003e.\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003eAgencies have increased their use of strong authentication to 80%—an increase of nearly 40% this year.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003eAs part of the Sprint, a team of over 100 experts from across the government and private industry led a comprehensive review of the Federal Government’s cybersecurity policies, procedures, and practices. The team’s review made clear that we must continue to double down on this Administration’s broad strategy to enhance Federal cybersecurity and \u003cstrong\u003efundamentally overhaul information security practices, policies, and governance\u003c/strong\u003e. That is why we recently \u003ca href=\"https://www.whitehouse.gov/blog/2015/10/20/modernizing-federal-information-policy\"\u003eproposed for the first time in 15 years\u003c/a\u003e revisions to the Federal Government’s governing document establishing policies for the management of Federal information resources, and specifically, guidance on how agencies should take a coordinated approach to information security and privacy when protecting Federal information resources. And that’s why we issued for public feedback proposed guidance to agencies implementing strengthened \u003ca href=\"https://policy.cio.gov/\"\u003ecybersecurity protections in Federal acquisitions\u003c/a\u003e to ensure the government’s systems and networks are modern and can adapt to rapid industry changes and emerging technologies. These policies, along with future policies and guidance, are written to complement each other as we lock in the progress.\u003c/p\u003e\n\u003cp\u003eToday, as part of the Sprint team’s recommendations, and building upon the Administration’s broader efforts to bolster Federal cybersecurity, we are directing a series of actions to further secure Federal information systems through the \u003cem\u003e\u003ca href=\"https://www.whitehouse.gov/sites/default/files/omb/memoranda/2016/m-16-04.pdf\"\u003eCybersecurity Strategy Implementation Plan (CSIP)\u003c/a\u003e\u003c/em\u003e for Federal Civilian agencies.\u003c/p\u003e\n\u003cp\u003eThe CSIP focuses on strengthening Federal civilian cybersecurity through the following five objectives:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003ePrioritized Identification\u003c/strong\u003e and \u003cstrong\u003eProtection\u003c/strong\u003e of high-value assets and information;\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTimely Detection of\u003c/strong\u003e and \u003cstrong\u003eRapid Response\u003c/strong\u003e to cyber incidents;\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRapid Recovery\u003c/strong\u003e from incidents when they occur and \u003cstrong\u003eAccelerated Adoption\u003c/strong\u003e of lessons learned from the Sprint assessment;\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRecruitment and Retention\u003c/strong\u003e of the most highly-qualified \u003cstrong\u003eCybersecurity Workforce\u003c/strong\u003e talent the Federal Government can bring to bear; and\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEfficient and Effective Acquisition\u003c/strong\u003e and \u003cstrong\u003eDeployment\u003c/strong\u003e of \u003cstrong\u003eExisting and Emerging Technology\u003c/strong\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAcross the Federal Government, a broad surface area of legacy systems with thousands of different hardware and software configurations contains vulnerabilities and opportunities for exploitation. Additionally, each Federal agency is responsible for managing its own IT systems, which, due to varying levels of cybersecurity expertise and capacity, generates inconsistencies in capability across government.\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003eCSIP acknowledges the current landscape of Federal cybersecurity by emphasizing the need for a defense in depth approach that relies on the layering of people, processes, technologies, and operations to achieve more secure Federal information systems.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003eCSIP directs a series of actions to improve capabilities for identifying and detecting vulnerabilities and threats, enhance protections of government assets and information, and further develop robust response and recovery capabilities to ensure readiness and resilience when incidents inevitably occur.\u003c/p\u003e\n\u003cp\u003eToday, the state of Federal cybersecurity is stronger than ever before. Agencies are utilizing significant resources to protect our Nation’s critical infrastructure and to improve performance in this critical area. However, \u003cstrong\u003ethere are no one-shot silver bullets. Cyber threats cannot be eliminated entirely, but they can be managed much more effectively. CSIP helps get our current Federal house in order, but it does not re-architect the house. Alongside today’s CSIP release, we are also issuing \u003ca href=\"https://www.whitehouse.gov/sites/default/files/omb/memoranda/2016/m-16-03.pdf\"\u003eguidance\u003c/a\u003e to agencies on Fiscal Year 2015-2016 Federal Information Security Modernization Act (FISMA) and Privacy Management\u003c/strong\u003e. Since 2002, FISMA has required OMB to report to Congress on agency compliance with, and implementation of, information security policies and procedures. With Congress support through the passage of FISMA 2014 legislation, my team was helped greatly in our continued work with agencies to implement increasingly resilient information technology security and privacy management programs. Among annual reporting requirements, this year’s FISMA guidance for the first time defines a “major incident” and directs agencies to report incidents designated as “major” to Congress within seven (7) days. Additionally, OMB will be meeting with Federal agencies to conduct evidence-based reviews of the agencies’ privacy programs to ensure compliance with privacy requirements and assist agencies in developing targeted plans for improving their privacy program management.\u003c/p\u003e\n\u003cp\u003eAs cyber threats become increasingly sophisticated and persistent, so must our actions to tackle them. From the public sector to private industry, we can best do this by properly funding cybersecurity investments, strengthening processes for developing, implementing and institutionalizing best practices; developing and retaining the cybersecurity workforce; and collaborating between public and private sector research and development communities to leverage the best of existing, new, and emerging technology and talent to enhance Federal cybersecurity.\u003cem\u003eThis post was originally published on the \u003ca href=\"https://www.whitehouse.gov/blog\"\u003eOMB blog\u003c/a\u003e by Tony Scott, the U.S. Chief Information Officer.\u003c/em\u003e\u003c/p\u003e\n"} ] }