The Hunt for the New Duct Tape – New Defense Cyber Strategy Looks to Cyber R&D

The Secretary of Defense, Ashton Carter, announced last week the release of the Department of Defense’s (DoD) new Cyber Strategy, aimed at improving the department’s cyber capabilities. One theme focuses on leveraging cybersecurity research and development (R&D) to accelerate these capabilities. So how much money might DoD be directing toward cyber R&D?

New Defense Cyber Strategy Overview

The stated purpose of the new Department of Defense Cyber Strategy is to guide the development of DoD's cyber forces and strengthen its cyber defense and cyber deterrence posture. The strategy focuses on building cyber capabilities and organizations for DoD’s three cyber missions: defend DoD networks, systems, and information; defend the United States and its interests against cyberattacks of significant consequence; and provide integrated cyber capabilities to support military operations and contingency plans.

The strategy sets five strategic goals and establishes specific objectives for DoD to achieve over the next five years and beyond.

  1. Build and maintain ready forces and capabilities to conduct cyberspace operations
  2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions
  3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence
  4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages
  5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability

Cybersecurity Research and Development

Under the first strategic goal, in the area of building technical capabilities for cyber operations, DoD sets an objective to accelerate innovative cyber research and development (R&D) to build its cyber capabilities. It looks both to the existing DoD R&D community and to established and emerging private sector partners for help in developing “leap-ahead technologies” that can aid U.S. cyber defenses. To that end, DoD plans to focus its basic and applied R&D on developing cyber capabilities that expand the capacity of the overall cyber workforce.

What might cyber-focused R&D look like in budgetary terms across the DoD? Looking at the FY 2016 Defense Research, Development, Test and Evaluation (RDT&E) budget books gives a general sense of magnitude and relative distribution of recent and proposed budget dollars. Reviewing the various RDT&E budget artifacts for Army, Air Force, Navy, and the Defense Agencies and searching for key terms like cybersecurity, information assurance, and information security identifies dozens of programs that are primarily directed at cybersecurity (and several more that appear cybersecurity-related).

Looking at just the programs that appear directly cybersecurity-focused in the FY 2016 DoD RDT&E budget shows that the department budgeted nearly $780 million in FY 2014, with that level increasing to more than $1.1 billion in FY 2015 and FY 2016. Further, the Air Force and DARPA have been the major players in the cyber R&D area for DoD, accounting for $844 million (72%) of the total $1.17 billion in FY 2016 requested funding. (See chart below.)


 

Implications

The R&D dollars depicted above are just part of the story. There is other cyber-related R&D spending embedded in larger efforts that contain cybersecurity elements or impacts, but ferreting out those dollars gets tricky and can be even more imprecise. The point here is to get a sense of the size of the overall investment and where these dollars tend to be directed.

While it is important to recognize that not all of these dollars will be spent on contracts with industry partners for R&D services and technologies, the fact remains that the sustained need by DoD for more advanced cyber technologies and tools is likely to grow in both real terms and in proportion to other R&D areas. In fact, the investment in this push for greater cyber tools may easily outpace the growth rate for other areas of contractor-addressable cybersecurity within DoD. This is especially true in the support services area as the DoD strives to develop thousands of uniformed cybersecurity personnel in the coming years.

One thing seems certain: DoD recognizes that it needs to cover a lot of ground quickly when it comes to improving its cybersecurity capabilities and posture, and it is looking to harness creative energies to address the need. In many ways, this is not unlike past challenges where the department has looked to partners in industry and elsewhere to come up with creative solutions. Who knows? Soon we could be looking at the cyber equivalent of duct tape.

Competition for Cyber Talent Drives New Army and DHS Efforts

There is rarely a day that goes by when you won’t see a top story on cybersecurity and the scarcity of people with the right IT security skills to address the growing challenges. It is this very demand for skilled cybersecurity staff that is driving some new, creative, and some might say bold efforts by the Army and the Department of Homeland Security (DHS) to raise up, recruit, and retain talent.

The Department of Defense (DoD) may be the one federal entity where building a cyber workforce is the most prominent, as it continues to grow a cadre of uniformed cyberwarriors to staff various cyber commands and other network defense organizations, like the Joint Task Force-DoD Information Networks (JTF-DoDIN). However, building the force is only part of the challenge. Once their tour of service commitment is fulfilled, these skilled cyberwarriors often have the attractive option of landing high-paying jobs in the private sector, so the sustainability of a cyber force is a major DoD priority.

Recognizing these realities is a driving force behind the establishment of the Army Reserve's Cyber Private Public Partnership, or Cyber P3, among the DoD, universities and private employers. In recent comments in a story by Nextgov, Cyber P3 program manager Lt. Col. Scott Nelson said that the program is trying to answer key questions of "how do we retain the investment the Army made in that soldier" and also "allow them to get a really good job with our industry partners?"

Maximizing the return on investment in cybersecurity personnel is not the only item on the Cyber P3 agenda. The program also wants to enhance the pipeline of skilled cyber personnel by building parallel cybersecurity education and training programs among the military and universities. In that pursuit, several universities, companies and federal agencies are collaborating on the effort with the goal of establishing 3,500 to 5,000 Army Reserve cyberwarriors that can be at the ready when the need arises. Among the 21 private companies that have already stepped up to help transition service members into civilian careers are Citibank, Microsoft, Fox Entertainment and Chevron, according to the Nextgov report.

The Pentagon is not the only federal agency looking to industry to bolster its long-term cybersecurity posture. Homeland Security Secretary Jeh Johnson announced at the RSA Conference in San Francisco that DHS is opening a cybersecurity branch office in Silicon Valley to “strengthen critical relationships… and ensure that the government and the private sector benefit from each other’s research and development.” Collaboration and synergy are not the only things on Johnson’s mind, however. He’s recruiting. He intends to “convince some of the talented workforce in Silicon Valley to come to Washington,” highlighting the new United States Digital Service program that provides mechanisms for tech talent in private industry to complete a “tour of service” within government agencies. On a more formal level, Johnson is “on the hunt” for a cybersecurity “all-star” to head up DHS’ National Cybersecurity and Communications Integration Center (NCCIC), promising a direct reporting and communications line to the department Secretary, i.e., himself.

These efforts, and others, underscore the ongoing urgency and the expansion of cybersecurity into nearly every area of modern life. As the “Internet of Things” (IoT) continues to march on, bringing digitization, sensor-ization and connectivity to everything from communications to home appliances and motor vehicles, securing this infrastructure from exploitation and destruction becomes even more critical. Further, the farther down the cybersecurity road we go, the more apparent it becomes that there is only so much we may be able to automate with tools, at least for now. This is especially true when it comes to decision-making and rapid response. Skilled people are critical, in high demand, and in short supply.

These efforts by the DoD, DHS, and others will take time to build the pipeline necessary to meet the demand. It will likely take years, not a cheerful prospect when one considers the growing threats we face. Meanwhile, the competition for these skills will remain fierce. 

White House Announces New Cybersecurity Center

The White House has announced that it is launching a new federal organization to step up the national cybersecurity coordination and response capability. Details are still slim, but a senior cybersecurity adviser at the White House did outline the vision for the new center in a recent address.

News of the new cyber agency launch hit news sources like the Washington Post and Reuters shortly before the official statement. In the public announcement, Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, said the new Cyber Threat Intelligence Integration Center (CTIIC) will reside within the Office of the Director of National Intelligence (ODNI) and will be patterned after the National Counterterrorism Center (NCTC). “There are structural, organizational, and cultural shifts that were made in our government in the counterterrorism realm that also apply to cyber. We need to develop the same muscle memory in the government response to cyber-threats as we have for terrorist incidents.”

Filling a Void

In the summer of 2014, the White House created a Cyber Response Group (CRG) in response to the growing number of highly-publicized breaches and intrusions to both public and private networks. Modeled on the Counterterrorism Security Group, the CRG convenes multiple agency players and pools knowledge on current threats. It appears that the CTIIC will build upon the CRG’s efforts to “quickly consolidate, analyze, and provide assessments on fast moving threats or cyber-attacks.”

“Currently, no single government entity is responsible for producing coordinated cyber-threat assessments, ensuring that information is shared rapidly among existing cyber-centers and other elements within our government, and supporting the work of operators and policy makers with timely intelligence about the latest cyber-threats and threat actors. The CTIIC is intended to fill these gaps,” Monaco said.

CTIIC Functions

Monaco said that the new center will serve a similar function for cyber that the NCTC does for terrorism:

  • Integrate intelligence for cyber-threats – information sharing is critical
  • Provide all-source analysis to policy makers and operators – cross-domain analysis to provide a comprehensive perspective
  • Support the work of existing federal cyber-centers, network defenders, and law enforcement communities – coordinated action and response to achieve common goals.

What the CTIIC Will Not Do

Monaco was quick to stress that the CTIIC will not collect intelligence, but rather it will analyze and integrate information already collected under existing federal authorities. Similarly, Monaco said that CTIIC will not perform functions already assigned to other cyber-centers, but is intended to enable them to perform their respective roles more effectively.

Looking Ahead

In her remarks, Monaco said that the government will need to work in lockstep with the private sector and do its utmost to share cyber-threat intelligence information, not simply let private entities fend for themselves. The White House’s FY 2016 budget request allocates $14 billion to cybersecurity to protect critical infrastructure, government networks, and other systems.

The CTIIC announcement comes just days ahead of a White House Summit at Stanford University to discuss cybersecurity and consumer protections.

Contractor Implications

It is yet unclear what implications the CTIIC will have for federal contractors. There is limited public information about the role of contractor support at the ODNI and related entities within the Intelligence Community. That said, there is likely to be some need for technology infrastructure in setting up any new entity, and if the demand for skill sets exceeds the government’s talent pool then they may look to the contractor community for support.

The broader emphasis on cyber-threat information sharing and related cybersecurity provisions in recent National Defense Authorization bills and others will continue to raise the bar for contractor companies to meet federal cyber-requirements. Increasingly, companies are required to provide agencies with increased visibility into their internal security posture – including reporting incidents – as a stipulation to performing federal work. Expect provisions like these to continue to evolve.

Progress Continues on Cyber-Physical Framework

During the summer of 2014, the National Institute of Standards and Technology (NIST) kicked off a working group effort to develop a framework and roadmaps for cyber-physical systems. In mid-January 2015, this public working group launched the second phase of its work.

Cyber-physical systems (CPS) are often simply referred to as “smart” systems. These co-engineered systems comprise interacting networks of physical and computational components. The influx of smart technologies has expanded CPS domains to include infrastructure (grid, water, gas), buildings, emergency response, healthcare, manufacturing, transportation, and numerous others. The public working group aims to take a multi-domain perspective to ensure that the research, development and deployment guidance it produces will be applicable within all CPS domains as well as support cross-domain applications. In particular, the group intends to address the need for a common lexicon and taxonomy as well as a reference architecture.

These working group efforts began during the summer of 2014 with plans for the first several phases to run over the course of a year. The first face-to-face meeting, in August, launched the first phase of the initiative: drafting a framework for the CPS elements. This work produced draft reports from each of the five subgroups: Reference Architecture, Use Cases, Cybersecurity, Timing, and Data Interoperability. Following the launch of the first phase, the subgroups organized meetings and collaboration to create initial documents that would eventually be combined as elements of the CPS framework.

All five subgroups completed their documents by the close of 2014, so now efforts are underway to integrate and review the work. This second phase aims to produce a combined framework document by integrating the work completed by the subgroups and refining it further. The third phase of the work will result in a CPS technology roadmap which will identify opportunities for additional collaboration and propose a timeline for follow-on efforts to address key technical challenges. 

According to the current timeline, the combined framework is expected to be finalized this spring. The group is scheduled to have its next face-to-face meeting in April, which will conclude the framework phase and launch the roadmap activities. A draft of the roadmap is anticipated in June 2015, followed by a month of review before it is finalized in July. Another related effort is being led by the NIST Engineering Laboratory’s Smart Grid and Cyber-Physical Systems Program Office: the Cyber-Physical Testbed Development Workshop, scheduled for February 24-25, 2015, will explore future research and development areas for CPS.

Ultimately, these efforts aim to head off trends such as siloed, sector-specific cyber-physical system deployments and an expansion of the Internet of Things that lacks a foundation of interoperability. By drawing stakeholders from government, industry, and academia, the working group hopes to address the increasing need for systems-of-systems solutions that integrate CPS across domains. For insights on how CPS and other technologies are shaping the federal landscape, check out the Federal Industry Analysis team’s recent report on emerging federal technology markets.

 

Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on twitter @FIAGovWin.

 

DHS Would Get a $400 Million Boost for the Rest of FY 2015 Under House Bill

While most federal departments received their final fiscal year (FY) 2015 appropriations in mid-December, the Department of Homeland Security (DHS) was put in a funding holding pattern by the last Congress. Now, the new 114th Congress is in session and the U.S. House of Representatives has moved forward on a funding bill for the department.

In December, Congress passed an FY 2015 omnibus that funded all federal departments through the rest of the fiscal year, ending on September 30, except for DHS, which was funded with a continuing resolution (CR) until February 27, 2015. 

Now, with the DHS CR set to expire in a few weeks, the House has approved a FY 2015 Homeland Security Appropriations bill which would fund DHS through September, provided the Senate can move forward on a comparable version and the two chambers can reconcile a final bill to send to the president by the deadline.

The House bill, H.R. 240, provides a total of $39.7 billion in discretionary funding, an increase of $400 million (+1%) over the FY 2014 enacted level of $39.3 billion, which itself was a billion dollars more than the White House requested in the FY 2015 budget. If enacted, the $39.7 billion would constitute more than a 3.5% increase over what the president requested for this fiscal year.

The bill and the accompanying Explanatory Statement provide details into agency funding and some specific IT investments areas.

  • Office of the Chief Information Officer (OCIO) – $288.1 million, of which $189.1 million is multi-year money available through FY 2016. The $288.1 million is $31 million over the FY 2014 enacted level. An additional $1 million is provided for the DHS Data Framework initiative and an additional $500 thousand is provided for cyber remediation tools.
  • Cybersecurity – The bill includes a total of $753.2 million for cybersecurity operations in the National Programs and Protection Directorate (NPPD). An additional $164.5 million is provided for NPPD Communications and $271 million for infrastructure protection programs, for an aggregate total of $1.19 billion. Cybersecurity workforce funding of $25.9 million is provided for Global Cybersecurity Management, of which at least $15.8 million is for cybersecurity education.
  • Science and Technology – $1.1 billion, $116.3 million below the FY 2014 enacted level, but $32.1 million above the president’s request. This includes $973.9 million for Research, Development, Acquisition, and Operations.
  • Customs and Border Protection (CBP) – $10.7 billion, an increase of $118.7 million above the FY 2014 enacted level. Of this, a total of $808.2 million is provided for Automation Modernization efforts for TECS, Automated Commercial Environment (ACE), International Trade Data System (ITDS) and others. The bill slates $382.5 million for Border Security Fencing, Infrastructure, and Technology (BSFIT).
  • Immigration and Customs Enforcement (ICE) – $5.96 billion, an increase of $689.4 million over the FY 2014 enacted level. IT funding includes $3.5 million to support enhancements to the PATRIOT system for visa vetting.
  • Transportation Security Administration (TSA) – $4.8 billion, a decrease of $94.3 million below the FY 2014 enacted level. Technology provisions include $334 million for Explosives Detection Systems (EDS) Procurement and Installation, of which $83.9 million is discretionary funds. The bill also includes $449 million for Transportation Security Support IT and $295 million for Screening Technology Maintenance.
  • Coast Guard – $10 billion, $159 million below the FY 2014 level but $439.5 million above the president’s request, including $2.5 million to restore cuts to USCG information technology programs.
  • Citizenship and Immigration Services (CIS) – $124.4 million in discretionary appropriations is provided for the E-Verify program.
  • Federal Emergency Management Agency (FEMA) – $934.4 million for Salaries and Expenses, down $12.6 million from the FY 2014 enacted level. The bill allows for $7 billion for disaster relief and $2.5 billion in first responder grants, including $1.5 billion for state and local grants; $680 million for Assistance to Firefighter Grants, and $350 million for Emergency Management Performance Grants.
  • Secret Service – $1.7 billion, an increase of $80.5 million above the fiscal year 2014 enacted level. This includes $21.5 million to begin preparation and training for presidential candidate nominee protection for the 2016 presidential election, including for protective vehicles and communications technology. It also includes $45.6 million for investments in Information Integration and Technology Transformation programs.

As anticipated, the House bill restricts the use of funds for controversial White House immigration measures. The House Appropriations Committee Report that accompanies the bill includes an amendment stipulating that no funds, resources, or fees provided to DHS may be used to implement the immigration policy changes that the president initiated last fall.

The ball is now in the hands of the Senate Appropriations Committee (SAC), which has just solidified and announced committee chairs after the leadership change resulting from last November’s election. The Homeland Security subcommittee will need to move its bill forward quickly from the last committee action last summer if it hopes to make the February 27 deadline, so the clock is ticking.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.

 

Federal Cybersecurity Market Forecast –Sustained Growth Continues

The federal cybersecurity market continues to grow and we have just completed analysis that shows how much. Increasing threats, the rapid pace of technological change, and an increasing reliance on mobility, cloud computing, big data, and information sharing make information security critical for federal agencies. To address these challenges, agencies continue to invest in industry tools, technologies and personnel services and this will drive growth in the market segment over the next several years.

Taking a comprehensive perspective on the federal cybersecurity market, we see four major driving areas that continue to create demand for government-wide and agency budget investments:

  • Threat Drivers - Rapid rise in complex, diverse, persistent and morphing threats to networks, devices, data and other infrastructure.
  • Policy Drivers - Executive branch policies address wide areas of cybersecurity across government and beyond. Stagnant legislation reflects diversity of opinion. Compliance policy bolsters spending on existing frameworks. RFP language both drives and requires security.
  • People Drivers - Challenge to find enough qualified cybersecurity professionals. Initiatives to cultivate internal government talent and “inherently governmental” roles will limit contractor addressability, but agencies that supplement by contracting will drive spending.
  • Technology Drivers - Threats and vulnerabilities drive direct technical remedies while new, disruptive technologies require security for full adoption.

Given these drivers, Deltek forecasts that the demand for vendor-furnished information security products and services by the U.S. federal government will increase from $7.8 billion in FY 2014 to $10.0 billion in FY 2019, a compound annual growth rate (CAGR) of 5.2%. (See chart below.)

Key Findings

There are several conclusions that we came to when reflecting on what we are observing across the federal information security environment and how the drivers above are impacting the market both now and going forward. Here are some of our key findings:

  • The continued rise in cyber incidents underscores what is at stake.
    • Threats span all areas of cyber – from within and from without.
    • Threat concerns impact all levels of the federal IT environment.
    • Persistent and diverse threats are driving risk-based approaches.
  • Policies and priorities are slow to evolve into effective security approaches.
    • The drive for security permeates multiple layers of federal policy, but there is a disconnect between compliance policies like FISMA and actual security, as revealed by the volume and type of security incidents.
    • Security considerations impact the broader tech and acquisition landscape.
  • Security efforts and posture are currently dependent on the availability and proficiency of skilled personnel.
    • Staffing levels and skill sets vary across government, driving sustained demand for industry support.
  • Technologies are seen as both security “gap-filler” and “gap-creator.”
    • One year into the CDM tools BPA, only marginal improvements have been seen.
  • Strong processes are needed to link technologies, approaches and personnel skill sets to maximize security posture.

Efforts among agencies to increase effectiveness, efficiency and economy, like the joint DHS-GSA Continuous Diagnostics and Mitigation (CDM) program BPA, are having some impact on how agencies approach cybersecurity and set their spending priorities within their security budgets. Although the process of arriving at accurate and complete inventories of the IT assets that need to be secured and monitored is taking time, somewhat elongating the journey, we remain bullish that the priority of securing and protecting federal data and infrastructure will continue to drive significant market opportunity over the next five years.

Get more of our perspective in our latest report: Federal Information Security Market, FY 2014-2019.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.

Will Congress Help DHS Stem its Cyber-Workforce Hemorrhaging?

Recent news media reports reveal endemic leadership and staff turnover and low morale at the Department of Homeland Security (DHS) and these challenges continue to impact both its intelligence and cybersecurity missions and the department’s ability to attract and retain skilled experts. Now, it appears that some legislation in Congress might help address some of the issues. 

According to a recent Washington Post report, over the past four years federal employees have left DHS at a rate nearly twice that of the overall federal government, and the trend is accelerating. Morale is dismal, by most reports, and the department’s efforts to attract replacements and new talent have been slow and ineffective. Contributing factors include cultural clashes and in-fighting among the sub-agencies, bureaucratic lethargy, unclear missions, a high degree of regulatory oversight, and low pay compared to similar jobs in the private sector. The departures have hit the leadership area especially hard. The department’s top-level vacancy rate had reached 40 percent, although the Senate has confirmed 10 top DHS officials in the last six months or so.

The high-level leadership departures have hit DHS’s intelligence functions as well as cybersecurity hard. The Post reports that between June 2011 and March 2012, four senior DHS cybersecurity officials left, just as DHS was arguing its case to Congress to be given more authority to protect critical private-sector infrastructure and networks, an effort that failed. High churn rates have also impacted operational areas like the National Cybersecurity and Communications Integration Center (NCCIC), which just recently lost its director and another key leader. The high turnover rate is blamed for stalling the progress of major programs like EINSTEIN. Compensation is a major issue, as cybersecurity experts can make 2-3 times as much, or more, in the private sector than they can at DHS.

While numerous legislative bills aimed at beefing up the federal cybersecurity workforce have come and gone over the last few years, one effort to support DHS has gained legs recently. The Senate recently passed the Border Patrol Agent Pay Reform Act of 2014, which includes the DHS Cybersecurity Workforce Recruitment and Retention Act that is aimed at helping the department recruit and retain cybersecurity experts.

A recent article summarizes the provisions, which include:

  • Giving DHS greater hiring authorities, similar to those at DoD, to expedite the on-boarding of cybersecurity staff, as well as greater leeway in compensation,
  • Requiring DHS to report annually on the progress of the hiring effort, and
  • Requiring DHS to develop cyber- occupation classification codes for staff performing cybersecurity activities to aid in identifying and fulfilling its cybersecurity needs.

What gives some hope to the current Senate bill is that it is similar to the Homeland Security Cybersecurity Boots-on-the-Ground Act that passed the House this summer. I discussed this House bill when it first passed out of committee back in October 2013. Now, nearly a year later, we will see if this or the Senate bill has enough legs to be passed as-is by the other chamber, or can survive a conference committee mark-up and re-vote in both chambers to make it to the president. Given that we are in a Congressional election year with little left in the legislative calendar before the run-up to November, the bill’s fate may fall to the lame-duck session, and that is an uncertain fate for sure.

Even if legislation were enacted immediately, it will take significant time for DHS to make up lost ground and build up its workforce. Until then, the department looks to industry to help fill the gaps and protect it and the rest of the .gov domain from an increasingly hostile cybersecurity landscape.

---
Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @GovWinSlye.

Collaboration Needed to Improve Health IT Security

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) and the Department of Commerce’s National Institute of Standards and Technology (NIST) hosted the seventh annual conference on Safeguarding Health Information on September 23 and 24, 2014. Exploring information assurance through the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the event covered topics including breach management, technical assurance of electronic health records, and integrating security into health IT.

The keynote address that kicked off the event was delivered by Darren Dworkin, the chief information officer and senior vice president for enterprise information systems at Cedars-Sinai Health System. Dworkin described major security events that have shaped security architecture. For example, 2003’s Blaster worm, which spread through a Windows RPC vulnerability, led to better security patch management as well as improvements to antivirus deployment. More recently, Heartbleed resulted in enhancements to security scanning and inventory. Dworkin noted that hackers have not been the only threat. In fact, 35% of patient data breaches in 2013 were due to loss or theft of unencrypted laptops or other devices. The recent explosion of medical devices and mobile computing is further changing the landscape for health IT security. As new technologies change how data is accessed and shared, protecting health information becomes increasingly challenging.

Other speakers at the event stressed hurdles around risk assessments and promoting end-user awareness. One speaker from HHS observed that it’s impossible to achieve effective risk management if organizations don’t know what their risks are. Another presentation (from industry) emphasized the importance of encrypting data at rest, in transit, and in process. One major takeaway from the event was the need for health care organizations to perform comprehensive security risk assessments. There’s no such thing as eliminating vulnerability or being “risk proof.” The key is managing risks, but first organizations need to know what those risks are.

While speakers described a broad range of challenges and setbacks related to safeguarding healthcare information, the burden of progress must be shared by the whole community. As the Food and Drug Administration’s Suzanne Schwartz put it, "No one organization, no single government agency, no sole stakeholder, manufacturer, healthcare facility, provider, information security firm is going to be able to address and solve these issues on their own." Schwartz’s comments echo a recent blog entry from the White House Cybersecurity Coordinator, which stressed the need for collaboration between government and industry to strengthen the nation’s information security posture.

Vendors will find a number of opportunities to engage with government in the discussion around cybersecurity improvements. For example, NIST is accepting comments on its Framework for Improving Critical Infrastructure Cybersecurity until October 10, 2014. Later in October, the Food and Drug Administration will be holding a public workshop on adapting medical device cybersecurity. These discussions will help lay groundwork for partnerships, identify best practices, and may help shape requirements for future guidance.

----------------------------------

Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @FIAGovWin.


Defense CIO Wants Risk-Based Information Security Solutions

At an industry event in early September 2014, Department of Defense CIO Richard Hale described the setbacks associated with the current "one-size-fits-all" model for security system standards.

The goal of implementing risk-based security solutions is not a new concept, but there are differing opinions on how best to approach a risk-based model. Historically, there has also been an absence of best practices. In fact, the lack of consensus on best practices received a fair amount of attention over the past year during planning sessions targeting improvements to critical infrastructure protection.

Some of the barriers that the Defense Department faces are not unique. In many cases, however, defense information systems do require higher or additional levels of security. The administration has even called out improving information security as a Cross-Agency Priority (CAP) Goal, focusing on making network security advances and developing metrics for success as well as best practice sharing.

One of the hurdles agencies have faced in implementing risk-based security is getting a handle on their data. With the swelling volume and variety of information on government systems, organizations have been playing catch up to understand the information they currently store and manage. This effort is further complicated by varying levels of data sensitivity and classification.

Determining an agency's risk tolerance has also been a challenge. Fiscal constraints, however, are making it clear that treating all systems and data equally is unsustainable and impractical. As Hale noted, "I shouldn't spend as much money on morale and welfare websites as I do on nuclear command control. It doesn't make sense."

Cost efficiency wouldn't be the only benefit of adopting a risk-based information security posture. Innovation is another area that stands to gain, as the Defense Department could more readily adopt commercial technologies. As the Defense Department looks to leverage cloud and mobile computing technologies, the issue of risk tolerance takes on an additional layer as the role of service providers increases. As the Defense Department pursues shared cyber defense capabilities, it needs to establish common security control requirements and identify trusted providers.

Hale's comments mentioned "zoning by mission risk," which could assess general levels of computing and network infrastructure risk tolerance for different missions. This would help address the problem that Hale called out around security spending for websites versus nuclear missions. It would also allow missions with similar levels of risk tolerance to benefit from joint efforts on common issues like sharing information and defining security requirements. Before such an approach could transition into general practice at the enterprise level, an agency needs to have a handle on its data.

----------------------------------

Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @FIAGovWin.

2-Year Interagency Initiative Aims to Define and Integrate Secure Systems Engineering

In mid-May 2014, the National Institute of Standards and Technology (NIST) released an initial public draft of guidance for secure systems engineering. The document is part of NIST’s 800 series of special publications, which provide computer security resources.

According to NIST fellow Ron Ross, “We need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in.” To that end, computer security experts are working to incorporate security into IT systems through systems and software engineering principles. An initial set of guidelines has been released by NIST for public comment in the draft document Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. The ultimate objective, as the document puts it, is “to address security issues from a stakeholder requirements and protection needs perspective and to use established organizational processes to ensure that such requirements and needs are addressed early in and throughout the life cycle of the system.”

The process for developing the guidance has four stages. The phased approach of the initiative will allow the numerous stakeholders to focus their review and feedback on key elements of the engineering process as different parts of the guidance are developed. The current draft is part of the first stage of the guidance development process.

The secure systems engineering guidance produced by this process is intended to be applied to both public and private systems, including financial systems, critical infrastructure, and defense systems. Building on the federal cybersecurity strategy and information security efforts, the detailed guidelines pursue the objective of reducing the susceptibility of systems to threats. Taking a systems engineering approach allows security to be addressed at every stage of the lifecycle for new systems, upgrades, modifications, planned upgrades that result in a new system, systems-of-systems, and retiring systems.


Although security professionals are the primary target audience for the publication, the information may be of use to a range of roles throughout the system lifecycle. Specific examples of such roles include those with risk management or oversight responsibilities, acquisition and budgeting roles, systems design and integration roles, auditing and monitoring roles, as well as providers of products, systems, or services. The 120-page draft document is available for review at http://csrc.nist.gov/publications/PubsDrafts.html#800-160. Public comments may be submitted to sec-cert@nist.gov through July 11, 2014.

-------------------------------------


Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on Twitter @FIAGovWin.
