
Based on early reviews of the 2014 budget request, it appears agency efforts to improve cybersecurity will receive continued attention for the foreseeable future. Considering the As part of the executive order for cybersecurity, the National Institute of Standards and Technology (NIST) was given the responsibility for developing a cybersecurity framework. The first in a series of workshops on developing this “living framework” was held in Washington, D.C. on April 3, 2013. Much of the discussion revolved around risk management and the role of industry in identifying best practices. (Not surprisingly, these are issues that government agencies have been facing too.)
- The threat vector has dramatically changed at the same time that laws are changing that put penalties on not securing your data. More is changing in this environment than is staying the same.
- Some security practitioners have dropped the word “advanced” from the description of advanced persistent threat (APT) because they observe the vast majority of attackers using common attack approaches – the “open door” rather than “breaking a window.” The disparity in security capabilities is greater than the disparity in threat.
- Mobility – The number of new mobile vulnerabilities being detected is growing almost exponentially each year, making mobility the biggest growing threat vector.
- Cyber arms race is unlike any other arms race in history because it is frictionless. For example, it took 3 days for Stuxnet to be reverse-engineered, reproduced, and propagated. It taught everybody how to attack a SCADA system. It has also given rise to the private cyber arms manufacturer – people who build cyber-attack capabilities and sell them on the black market.
- Personnel training to avoid risky behavior is the most important element of cybersecurity. NSA statistics show that 80 percent of exploitable vulnerabilities are a result of poor cyber hygiene. The other 20% is the APT.
- Social engineering is a growing threat because, among other things, it gives the attackers a deeper understanding of how users and organizations behave, respond and think.
- Growing cyber threats in the aviation sector target in-flight operations, ground support operations, air traffic management systems, etc.
- Some agencies are moving to cloud services because of financial constraints, knowing of security risks and hoping security will follow soon afterward.
- Some key challenges in effectively implementing Cloud include:
  - Contract structuring: How do you structure a contract offering when you don’t own the asset? How do agencies (GSA, etc.) effectively strengthen cloud acquisition policy and build security into SLAs?
  - Clearance: What types of clearance levels are needed for people around the world who are supporting agencies or have access to their data, but are not necessarily part of a secure sector? Information sharing on threats, etc. is sensitive.
  - Incident response: When there is an incident, who do I call? The Cloud Service Provider (CSP) or the agency?
- Information sharing is not an end; it is a means to an end. In this context, it is needed to gain an effective shared situational awareness among shared stakeholders.
- One challenge to information sharing stems from a sense of human preservation. We have a culture of not sharing information, while hackers have a culture of sharing widely.
- Electricity Sector Information Sharing and Analysis Center (ES-ISAC) – Allows electric providers to share information in a non-compliance framework and encourages free flow of information without fear of compliance threat hanging over you. Effective sharing requires the freedom from the threat of sharing.
- Cyber Federated Model (CFM) – the warfighter has great command and control (C2) information and the CFM intends to enable C2 for cyber indicator information. For example, an infected site is sent into the CFM and within a few minutes all other sites within the CFM get the information. Some sites have automated updates and the information sharer gets to control with whom they share.
- One key to effective sharing is the ability to do it securely, i.e. share with assurance. Also, data must be anonymized to be shared, especially if the data is classified, sensitive or contains private information. Sensitive but unclassified information will need cooperative agreement between government and industry to set the boundaries for what each can do with the information they receive.
- Automated information sharing should focus on machine-readable threat indicators to automate data flow and get people out of the loop where possible. Currently, high-priority threat-level information is XML-based, but going forward organizations will need more visual analytics.
- SCADA (supervisory control and data acquisition) systems and other industrial control systems (ICS) were never designed for networking, but they have been networked extensively. So we are now building monitoring capabilities in an attempt to detect and defend against attacks on systems that were never designed to withstand such attacks.
- Attacks like Stuxnet and Shamoon targeted energy sector systems and disclosed SCADA system vulnerabilities.
- The patching treadmill – These control systems were never designed to be patched and/or shut down regularly. This patching can mean an entire plant must be shut down to complete the patch. This has the potential for unforeseen domino effects and implications for supply interruptions and other complexities.
- Different organizations and unrelated sectors currently have different architectures and protocols for collecting and sharing threat information. What is needed is a common open-standards XML schema to communicate attacks in industrial control and other systems.
- There is not currently a consensus on how to proceed with administering cyber- and critical infrastructure protections, with significant polarization existing between competing regulatory/compliance and collaboration/incentive approaches.
- Comprehensive legislation (Lieberman-Collins, and others) that failed in the Senate included new and expanded regulatory and compliance elements over the private infrastructure community.
- Some industries, like nuclear energy, have very mature regulatory environments and some assert that the success in this area is an example of positive regulation that should serve as a prototype for other infrastructure industries.
- Public-private partnerships are essential. The Critical Infrastructure Partnership Advisory Council (CIPAC) and HSPD-7 were the predecessors to the latest Executive Order (EO) and Presidential Policy Directive (PPD-21).
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.

- Non Cyber – Non Cyber is used for filing all reports of Personally Identifiable Information (PII) spillages or possible mishandling of PII which involve hard copies or printed material as opposed to digital records.
- Policy Violation – This subset of Improper Usage is primarily used to categorize incidents of mishandling data in storage or transit, such as digital PII records or procurement sensitive information found unsecured or PII being emailed without proper encryption.
- Malicious Code – Used for all successful executions or installations of malicious software which are not immediately quarantined and cleaned by preventative measures such as anti-virus tools.
- Equipment – This subset of Unauthorized Access is used for all incidents involving lost, stolen or confiscated equipment, including mobile devices, laptops, backup disks or removable media.
- Suspicious Network Activity – This category is primarily utilized for incident reports and notifications created from EINSTEIN and EINSTEIN 2 data analyzed by US-CERT.
These top 5 categories account for 87% of all incidents reported by federal agencies. Factoring out the Non Cyber category, the remaining top 4 make up nearly 60% of all reported federal security incidents. (See chart below.)
Delving into the data a bit further shows where these incidents are most widely occurring among the 15 departments spending the most on their IT security, according to their FISMA submissions. (See table below.)
Implications
While a data comparison among categories and agencies has its limitations, it does lead us to ask further questions and draw some possible conclusions. The most obvious to me is noticing the clustering of incidents within categories that relate to internal behaviors.
Combining the frequency of Policy Violations, lost or stolen Equipment, and Non-Cyber (non-digital) incidents consisting of the physical spillage or mishandling of PII in paper form drives home that there appears to be much left to do in the area of cybersecurity training for IT users at these departments. If the Malicious Code category accounts for much in the way of code insertion through unsafe user practices then that incident frequency too underscores the ongoing training need. OMB notes in the report that federal agencies spent less than 1% of their IT security budgets in FY 2012 on training. In previous FISMA reports training accounted for roughly 2.5% in FY 2010 and FY 2011, but according to OMB, the DOD portion of the data for those years was incomplete so adjusting for DOD might show that 1% is consistent across all of these years.
The sheer number of departments in the top 15 above that list Policy Violations and/or Equipment incidents in their top 2 or 3 for frequency suggests that some of the greatest information security challenges facing federal agencies are internal – whether through lack of awareness or training or through outright disregard for approved security practices. In a fiscally constrained environment where return on investment for each dollar is scrutinized, agencies might actually save money that they would spend on cleaning up security mistakes by users if they could more effectively prevent many of these incidents in the first place.
---
This week the Congress passed a fiscal year (FY) 2013 funding bill that provides budgets for a handful of federal departments and continuing resolution (CR) level funding for the remaining departments and agencies through the end of fiscal 2013 on September 30. The final bill averts the potential for a government shutdown and funds key priorities while leaving intact the sequestration rules set under the Budget Control Act (BCA).
- Complies with the Budget Control Act spending caps by eliminating unneeded, unrequested funding that would be provided if the CR was extended
- Directs 671 cuts to unnecessary or under-performing programs and eliminates excess funding due to schedule delays, program terminations, redundancies, and budgeting errors
- Rescinds nearly $4 billion in unspent prior year funds
- Aligns funding to new Defense strategy to fund current needs and reprioritizes funds to address known shortfalls
- Fully complies with Senate Rule XLIV for transparency and maintains earmark moratorium
- Bill provides the necessary funding for training and military health care
- Adds $1.5 billion to the National Guard and Reserve Equipment account
- $486 million to repair aging base facilities
- Adds $463 million to mitigate shortfalls in day-to-day operation costs for installations
- Increases funding for nanotechnology, advanced materials, silicon carbide, and manufacturing technologies
- Coast Guard: $10.4 billion overall, of which $9 billion is discretionary spending. The bill also provides targeted increases above the FY 2013 request to support front line personnel with resources, including $8 million for initial acquisition planning and design of a new polar icebreaker and $20 million to reverse cuts proposed in the request for critical operational assets.
- Transportation Security Administration (TSA): $7.5 billion for TSA is reduced by $2.4 billion in offsetting collections and fees. The bill includes funding for investments in explosives detection systems, passenger screening technologies, and air cargo security. The bill includes several funding oversight requirements including expenditure plans for checkpoint security technology investments, explosives detection systems for checked baggage, and air cargo security. In addition, language is included requiring TSA to provide a five-year investment plan forecast for passenger screening technologies.
- U.S. Customs and Border Protection (CBP): $11.9 billion, which adds $79 million above the request for procurement, operations, and maintenance of critical air and marine assets used to defend our borders – including one additional multi-role enforcement aircraft, enhanced radar for unmanned aerial systems, and $28 million to increase flight hours.
- U.S. Immigration and Customs Enforcement (ICE): $5.7 billion for ICE, primarily supporting personnel and operations, including border patrol, special agents and immigration officials.
- United States Citizenship and Immigration Services (USCIS): $112 million in direct appropriations for USCIS and fully funds the E-Verify employment eligibility verification system.
- United States Secret Service: $1.6 billion, adding $3.5 million for priority domestic and electronic crimes investigations and continues the multi-year modernization of critical White House and other Secret Service information technology and communications systems.
- Science and Technology (S&T): $835 million, returning to FY 2011 levels, for R&D in biological defense, explosives defense, cyber security, first responders, border security, chemical countermeasures, and interoperability.
- Domestic Nuclear Detection Office (DNDO): $318 million, including $28 million for handheld portable radiation detectors and $75 million for research and development of next-generation detection technologies.
- National Protection and Programs Directorate (NPPD): $1.4 billion, including the following:
  - $232 million for a new account, the Office of Biometric Identity Management (OBIM). Instead of realigning the US-VISIT program as proposed in the FY 2013 budget, the bill creates a new account for OBIM, the DHS lead responsible for biometric identity management services.
  - $756 million for cybersecurity programs including Einstein intrusion detection and a critical cyber diagnostic strategy for the 118 federal agencies. Also included in cybersecurity funding is $16.8 million for cyber education programs.
  - $260 million in infrastructure protection programs to bolster against natural and man-made disasters, including $78 million to implement the Chemical Facility Anti-Terrorism Standards Program.
- Office of Health Affairs (OHA): $132 million, including $85 million for the Bio-Watch Program and $2 million to complete demonstration projects through the Chemical Defense Program.
- Homeless Veterans Programs: $5.76B for health care and support services for homeless veterans.
- Iraq and Afghanistan Veterans: $3.28b to meet the health care needs of veterans who have served in Iraq and Afghanistan, a $510M increase over FY 2012.
- Long Term Care: $7.2M for long term care for the nation’s aging veterans as well as severely wounded combat veterans from the wars in Iraq and Afghanistan.
- Information Technology (IT): $3.3 billion for IT projects.
  - $1B for pay and associated costs
  - $1.8B for operations and maintenance
  - $494B for DME including $169m for the iEHR and $38.5m for the development of paperless claims systems. Requires approval for iEHR spending over 25% of total allotted.
- National Institutes of Health: Provides $1.5b for NIH, a $71m increase including $165m for the National Children’s Study.
- Food and Drug Administration: Provides $2.5b for the FDA including $50m for implementation of the Food Safety Modernization Act.
- Child Care and Development Block Grant: Provides $2.3b for the program, which is a $50m increase for grants to states to improve working families’ access to quality, affordable child care.
- HHS Lease Assistance: Provides additional funding to address imminent lease expirations and consolidations to allow HHS to save millions in annual lease costs and reduce its real property portfolio.
- Head Start: Provides a $33.5m increase for the Head Start program.
- Section 1801 of the legislation increases funding for highway, highway safety, and motor carrier safety programs to make them consistent with the levels previously authorized under the Moving Ahead for Progress in the 21st Century (MAP-21) Act. Total funding provided by MAP-21 was $561 million in FY 2013 and $572 million in FY 2014.
- Normalized MAP-21 funding potentially has an impact on initiatives related to the improvement of travel data collection and safety management. These initiatives would include active procurements for Compliance Test Procedures for Electronic Logging Devices and the Road Inventory Program, as well as task orders under contract # DTFAAC09D00081 held by SAIC for NextGen Initiatives Support Services.
- Department of Commerce will receive $7.7B in total funding.
- The National Oceanic and Atmospheric Administration (NOAA) will receive $5B, including funding for satellite programs.
- The Patents and Trademark Office (PTO) provides $2.88B.
- The National Institute of Standards and Technology (NIST) receives $809M for laboratories and research.
- Bureau of the Census will receive $906M.
- Department of Justice will receive $27.3B in total funding.
- Grants to State and Local Law Enforcement and crime victims total $2.2B. This includes funding for the National Instant Criminal Background Check System (NICS) improvements.
- Federal Bureau of Investigation (FBI) receives $8B for salaries and expenses for national security and counterterrorism investigations, combating cyber threats.
- Drug Enforcement Administration (DEA) receives $2.36B.
- Energy Department funding was reduced by a total of $44M.
- Energy Efficiency and Renewable Energy reduced by $11M.
- Nuclear Energy reduced by $10M.
- Science reduced by $13M.
- Advanced Research Projects Agency – Energy reduced by $10M to $265M.
- Atomic Energy Defense Activities, National Nuclear Security Administration (NNSA) $7.577B, an increase of $363M.
- Atomic Energy Defense Activities, Defense Nuclear Proliferation receive an additional $110M.
- USDA’s operating budget is a winner this time around as FY 2013 discretionary funding of $20.5 billion represents a 5% increase over the FY 2012 level of $19.5 billion. Funding includes:
  - $24 million for USDA Departmental Administration to provide for necessary expenses for management support services and general administration. These support services include enterprise IT services provided by the National IT Center (NITC) and investments in enterprise IT modernization called for by the USDA’s Optimized Computing Environment (OCE) initiative.
  - $44 million for the Office of the Chief Information Officer and $6 million for the Office of the Chief Financial Officer.
  - $89 million for the Office of Inspector General that the legislation states may be used for contracting.
  - $811 thousand for the Office of the Under Secretary for Food Safety and calls out that funding shall be directed to the Public Health Data Communication Infrastructure System (PHDCIS) until expended. This potentially affects the following vendors and contracts: General Dynamics, # AG3A94D090194 & Dell, # AG3A94D090137.
  - $75 million for the Risk Management Agency (RMA), including funding that may be used for the Common Information Management System (CIMS). This affects the IT Support Services contract, # GST0011AJ0019, held by SAIC.
- National Aeronautics and Space Administration receives $17.5B in total funding.
- Space Launch System receives $2.1B including funding for ground operations and construction and related test facilities.
- Funding for the International Space Station (ISS) includes $515M for commercial crew transportation to the ISS and $2.9B for operations and research.
- NASA Science includes $630M for Space Technology to support human and robotic missions.
- Safe Schools and Citizenship: Allows funds available under the Department of Education Safe Schools and Citizenship account to be used to assist educational institutions impacted by school violence.
- Bureau of Land Management $951M for Management of Lands and Resources, $0 for construction.
- US Fish and Wildlife Service, $1.2B for Resources Management
- Job Corps Program: Provides an additional $30m for the program.
- Unemployment Insurance: Decreases funding for grants to state agencies that administer federal and state unemployment insurance (UI) by $60m.
---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow on twitter @GovWinFIA.
- Total discretionary budget authority of nearly $1.2 trillion, including
- Full-year appropriations for Defense and Military Construction/Veterans Affairs committees
- Defense – $518 billion in non-war funding for the DoD, $87 billion for overseas contingency operations (OCO)
- MilCon/VA – $72 billion in discretionary funding for military construction and the Department of Veterans Affairs, with some shifting of funds away from military construction to support increase in veterans’ programs, which are exempt from sequestration
- The remaining federal agencies would be funded at fiscal 2012 levels under a continuing resolution covering the remaining 6 months of fiscal 2013
- Veterans Benefits Administration – Provides $3.3 billion for information technology, including $1 billion for staff pay, $1.8 billion for operations and maintenance, and $494 million for systems development, modernization, and enhancement. This DME funding is 2-year money available through FY 2014 but requires the VA Secretary or CIO to submit to Congress a certification of the amounts to be obligated for each project. Further, Congress requires approval of any transfers between the three funding sub-accounts or individual project funding increases/decreases of more than $1 million.
- No more than 25% of any joint DoD-VA integrated electronic health record (iEHR) may be obligated until the DOD–VA Interagency Program Office gets the approval of both Congressional Appropriations Committees on the planned costs, timelines, acquisition, etc.
- Of the $60.5 billion appropriated for veterans compensation and pension benefits programs no more than $9.2 million “shall be reimbursed to ‘General operating expenses, Veterans Benefits Administration’, ‘Medical support and compliance’, and ‘Information technology systems.’”
- $115 million for the VA’s Office of Inspector General, to include information technology costs and for constructing, altering, extending, and improving any of the facilities.
- Only upon approval of Congress may the VA Secretary transfer funds to/from the VA’s “Information technology systems” account to/from the “Medical services”, “Medical support and compliance”, “Medical facilities”, “General operating expenses, Veterans Benefits Administration”, “General administration”, and “National Cemetery Administration” accounts.
- Department of Justice, General Administration, Justice Information Sharing Technology receives $22 million, the National Protection and Programs Directorate, United States Visitor and Immigrant Status Indicator Technology receives $279 million, and the Office of Health Affairs receives $132.5 million, of which $85 million is for the BioWatch program.
- None of the DoD appropriation can be used for new multiyear procurement contracts for any systems or components if the value of the multiyear contract would exceed $500 million, unless specifically provided in the bill. A cursory review finds these are predominantly weapons systems, with some mention of commercial SatCom for naval vessels.
- The DoD provisions further stipulate that no multiyear procurement contract can be terminated without 10-day prior notification to the congressional defense committees.
- Defense Intelligence Agency funds may be used for the design, development, and deployment of General Defense Intelligence Program intelligence communications and intelligence information systems for the Services, the Unified and Specified Commands, and the component commands, unless otherwise stated.
- $12 million for mitigation of environmental impacts on Indian lands resulting from DoD activities, including training and technical assistance, related administrative support, the gathering of information, documenting of environmental damage, and developing a system for prioritization of mitigation and cost to complete estimates for mitigation.
- None of the funds in the Act may be used for research, development, test, evaluation, procurement or deployment of nuclear armed interceptors of a missile defense system.
- $519 million in multi-year funds for Cooperative Threat Reduction for the elimination and secure transportation/ storage of nuclear, chemical and other weapons; to prevent the proliferation of weapons, weapons components, and weapon-related technologies, etc.
- RDT&E New Starts Justification – Funds appropriated under “Research, Development, Test and Evaluation, Defense-Wide” for any new start advanced concept technology demonstration project or joint capability demonstration project may only be obligated 45 days after a report, including a description of the project, the planned acquisition and transition strategy and its estimated annual and total cost, has been provided in writing to the congressional defense committees. (The Secretary of Defense may waive this restriction on a case-by-case basis.)
- Funds appropriated for research and technology for programs of the Office of the Director of National Intelligence shall remain available until the end of fiscal year 2014.
- Federal Emergency Management Agency receives $35 million for the National Urban Search and Rescue Response System, $22 million shall be for capital improvements at the Mount Weather Emergency Operations Center, and not less than $5 million directed to the modernization of automated systems.
- United States Citizenship and Immigration Services (USCIS) receives $112 million for the E-Verify Program.
- DHS’s National Protection and Programs Directorate, Infrastructure Protection and Information Security receives $1.1 billion, with $328 million slated for Network Security Deployment and $218 million for Federal Network Security to establish and sustain essential cybersecurity activities, including procurement and operations of continuous monitoring and diagnostics systems and intrusion detection systems for civilian federal computer networks. $213 million (40%) of the combined $546 million is tagged as multi-year funding through FY 2014.
Following on the heels of updates to federal information security guidance, the General Services Administration (GSA) recently released a Request for Information (RFI) on incorporating updates into its Federal Risk and Authorization Management Program (FedRAMP).
The Third Party Assessment Organizations (3PAOs) undergo an accreditation process to verify their ability to provide independent reviews of cloud service provider (CSP) system security controls. According to the RFI published mid-February 2013, “the purpose of this notice is to allow the vendor community the opportunity to provide feedback, input, and changes to FedRAMP’s 3PAO Program Requirements.” At the time the RFI was issued, 16 organizations had received 3PAO accreditation.

On February 5, 2013, the National Institute of Standards and Technology released a final draft update on information security (Special Publication 800-53). The latest version adds security controls related to cloud computing. Those familiar with the FedRAMP program will recall that the program’s security baseline draws on the controls from the previous version of this document. The release of this latest draft raises questions about whether (or rather, how soon) FedRAMP security controls will be updated.
In the early phases of establishing the program, FedRAMP officials suggested that the program’s security controls would evolve along with guidance and technology. Ultimately, this adaptability becomes the burden of 3PAOs and authorized CSPs, both of whom are responsible for ensuring systems continue to comply with FedRAMP requirements, even as they change. Communication with federal customers regarding any change to service or risk management will also be a factor.
- Threat Information Sharing – The EO expands the sharing of both classified and unclassified cyber threat and attack information to companies by requiring federal agencies to produce and quickly share unclassified reports of threats to U.S. companies. The directive also expands the Defense Industrial Base (DIB) Enhanced Cybersecurity Services (DECS) program to stimulate near-real-time sharing of cyber threat information with participating critical infrastructure companies.
- Cybersecurity Framework – The Order gives the National Institute of Standards and Technology (NIST) the lead role in developing a Cybersecurity Framework of practices to reduce cybersecurity risks to critical infrastructure. This construct is to be built in collaboration with industry, leveraging existing and proven international standards, practices, and procedures. Further, the Framework is to be technology neutral to allow for innovation and competition among cyber products and services. The Department of Homeland Security (DHS) will promote the implementation of this Framework by industry through various sector-specific agencies like the Department of Energy and others.
- Privacy Protections – The mandate requires federal agencies to incorporate privacy and civil liberties safeguards into their activities, based upon the Fair Information Practice Principles (FIPPs) and other applicable privacy and civil liberties standards. Agencies are also required to conduct regular assessments of the privacy and civil liberties impacts of their activities and make these findings available to the public.
- Cybersecurity Regulation – The EO requires regulatory agencies to review existing cybersecurity regulations in light of the new Cybersecurity Framework to determine if current regulations are effective and sufficient, if any should be eliminated, or if new regulations are needed. Agencies will propose new, cost-effective regulations based upon the Framework to shore up existing regulations deemed ineffective or insufficient.
In the end, the new EO reignites the policy and legislative debate on federal cybersecurity as well as asserts broader federal influence over private critical infrastructure and networks.

With the Executive Order signed February 12th the administration has reiterated a commitment to improving critical infrastructure, driven in part through government collaboration with industry and in part by the continued development of a cybersecurity framework by NIST. On February 13th, NIST announced that it would issue a Request for Information (RFI) from critical infrastructure providers, government organizations, industry and other stakeholders. It’s clear that government risk management and security requirements will continue to evolve. In the meantime, both cloud service providers and third party assessment organizations should familiarize themselves with the new controls and consider the steps required to accommodate any additions or changes to their offerings.
