Could New Cybersecurity Acquisition Plans Disrupt Federal Procurements?

Growing concern over cybersecurity and vulnerabilities to cyber-attacks that would impact the supply chain of both military and civilian agencies has led the federal government to look for ways to build cyber-protections into the federal acquisition process. But some in industry are concerned that new proposals coming out of the Pentagon and GSA could be disruptive in their own right.

The joint DoD/GSA publication, Improving Cybersecurity and Resilience through Acquisition - Final Report of the Department of Defense and General Services Administration, is one component of the government-wide implementation of Executive Order 13636 and Presidential Policy Directive (PPD) 21, issued in February 2013 and both addressing improved critical infrastructure cybersecurity.

The report included six recommended reforms addressing cybersecurity and federal acquisitions:

  • Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions

  • Include cybersecurity in acquisition training

  • Develop common cybersecurity definitions for federal acquisitions

  • Institute a federal acquisition cyber risk management strategy

  • Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources

  • Increase government accountability for cyber risk management

In the news release announcing the report, GSA Administrator Dan Tangherlini noted that “the ultimate goal of the recommendations is to strengthen the federal government’s cybersecurity by improving management of the people, processes, and technology affected by the Federal Acquisition System. GSA and DoD will continue to engage stakeholders to develop a repeatable process to address cyber risks in the development, acquisition, sustainment, and disposal lifecycles for all federal procurements.”

Industry Concerns

The report has been open for industry comment for a few months, and several IT industry organizations have expressed concerns over the direction DoD and GSA are taking, according to a recent account. Specifically, some in industry are concerned that assessing cyber-risk primarily on the inherent risk of the purchased products or services (i.e., product category) creates additional problems: it ignores the larger risk environment surrounding their implementation, and it adds complexity and ambiguity that will make the approach difficult for agencies to use. If implemented in its current form, it sounds like it could run the risk of “the law of unintended consequences.”

Implication

While the emphasis of the executive order is on using security standards to influence acquisition planning, contract administration, and to ultimately increase resiliency, agencies are also under pressure to improve the economy and efficiency of their IT acquisitions.  Agencies also struggle with delays to procurements due to changing or additional requirements as well as protests. How security and resiliency controls are added to the acquisition process will have direct implications for the complexity, speed and cost of completing procurements. 

Implementing good cybersecurity intentions is important, but it is equally important to implement them in the right way. Otherwise, agencies run the risk that some supply chain disruptions they experience could be self-inflicted.

---
Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @GovWinSlye.

White House Cyber Czar Walks a Thin Line on Cybersecurity Info Sharing

If the federal government knew about the Heartbleed security bug before it became public, would they have said anything? The answer, according to Michael Daniel, the White House Cybersecurity Coordinator, is an unequivocal . . . “maybe.”  

In a recent White House Blog post, Daniel reiterated the NSA assertion that they had no prior knowledge of the existence of Heartbleed, the recently discovered vulnerability in OpenSSL that could expose online passwords and encrypted Internet traffic to hackers. Daniel used the occasion to wade into the murky waters of when the federal government would, and would not, withhold knowledge of a computer vulnerability from the public.  He affirmed the administration’s “commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.”

But he also noted that a major reason they would delay disclosure is if the opportunity for critical intelligence gathering was deemed to outweigh the cost of the delay. At odds are the extremes of saying nothing and maintaining and exploiting a collection of undisclosed vulnerabilities while leaving users vulnerable . . . and saying everything and completely forgoing this knowledge as a way to conduct intelligence gathering.

In an effort to balance the trade-offs between transparency and secrecy, with a strong leaning toward disclosure, Daniel outlined a list of questions he wants agency officials to address whenever they propose to withhold their knowledge of a vulnerability:

  • How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk?
  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that we would know if someone else was exploiting it?
  • How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  • Are there other ways we can get it?
  • Could we utilize the vulnerability for a short period of time before we disclose it?
  • How likely is it that someone else will discover the vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?

The impact of the answers to these questions on the share/don’t share decision is unclear, since by his own admission “there are no hard and fast rules.”

In a previous blog post that ran about the same time that Heartbleed was coming to light, Daniel emphasized the importance of information sharing to improve the nation’s overall cybersecurity posture. In that blog he said “reducing barriers to information sharing is a key element of this Administration’s strategy to improve the nation’s cybersecurity,” and that they would “continue to work to address the concerns our private sector partners have raised that the government should share more of its own information, so that companies could better protect themselves.” “Our goal is for the government to be a reliable information sharing partner, but only one of many.”

In an era where government transparency and secrecy issues have become high-profile in the public mind, the above guidelines show the tightrope the White House is attempting to walk.

---
Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @GovWinSlye.

Energy Department Outlines Cyber Procurement for Critical Infrastructure

In 2013, the President issued an executive order to improve critical infrastructure cybersecurity, which calls for a voluntary framework to support organizations’ risk management. The National Institute of Standards and Technology (NIST) released the resulting cybersecurity framework in mid-February 2014. Building on NIST’s Framework for Improving Critical Infrastructure Cybersecurity, the Department of Energy has published baseline principles for improving cybersecurity procurement for energy delivery systems.

On April 28th, the Energy Sector Control Systems Working Group (ESCWG) released Cybersecurity Procurement Language for Energy Delivery Systems. The document outlines language for procurement of cybersecurity products common to the energy industry, such as software and session management.

This baseline cybersecurity procurement language covers individual energy delivery systems, individual components of such systems, as well as assembled or networked energy delivery systems. Individual components of energy delivery systems may be programmable logic controllers, digital relays, or remote terminal units. Examples of individual energy delivery systems include a Supervisory Control and Data Acquisition (SCADA) system, Energy Management Systems (EMS), or Distribution Control Systems (DCS). Electrical substations or natural gas pumping stations would be considered assembled or networked energy delivery systems.

Many types of products are procured as part of an energy delivery system. The ESCWG provides general language for cybersecurity procurement across ten categories:

  • Software and services
  • Access Control
  • Account management
  • Session management
  • Authentication/password policy and management
  • Logging and auditing
  • Communication restrictions
  • Malware detection and protection
  • Heartbeat signals
  • Reliability and adherence to standards

In addition to the types of products involved, the guidelines consider suppliers’ life cycle security programs. As in other security areas, a vendor’s internal security capabilities help or hinder the trust it garners from government and industry customers. The DOE’s guidance explores product lifecycle security through half a dozen areas, such as:

  • Secure development practices
  • Documentation and tracking of vulnerabilities
  • Problem reporting
  • Patch management and updates
  • Supplier personnel management
  • Secure hardware and software delivery

While this document outlines a baseline, obviously suppliers may build upon this language when proposing products and services in response to a request for proposal (RFP) or a request for information (RFI). In fact, a section on adding procurement language notes that the baseline language “is not intended to be all-inclusive.” Both suppliers and acquirers are directed to resources from other entities (e.g. NIST, NERC, DHS, SANS, etc.) for specific language or mandatory compliance standards. These procurement guidelines add to the existing toolkit for critical infrastructure protection and help to implement the framework and standards from previous government-industry collaborations.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on Twitter @FIAGovWin.


FY 2015 President’s Budget Request – A First Take

The White House released its much-anticipated FY 2015 Budget request yesterday, a month past its legal and historical due date. Several of my fellow GovWin Federal Industry Analysis (FIA) colleagues and I dug right into reading the budget so that we could provide you with our first impressions of what we found noteworthy.

Like any presidential budget, the FY 2015 President’s Budget Request provides a blueprint for the administration’s policy and legislative agenda for the coming fiscal year and beyond. We reviewed the largest federal departments’ discretionary and information technology (IT) budgets to get a sense of direction and priorities for FY 2015, which begins October 1, 2014. Below is a summary table followed by key funding details and initiatives arranged by department.


Defense

DoD’s budget request is down this year as FY 2015 discretionary funding of $495.6B represents a 0.8% decrease from the FY 2014 enacted budget of $496B.

Funding highlights include:

  • $120.3B for the Army (a decrease of $1.3B from the FY 2014 enacted level)
  • $147.6B for the Navy (an increase of $300M from the FY 2014 enacted level)
  • $137.7B for the Air Force (an increase of $3B from the FY 2014 enacted level)
  • $89.8B for Defense-Wide operations (a decrease of $2.5B from the FY 2014 enacted level)
  • $199B for DoD operations and maintenance funding (an increase of $6B from the FY 2014 enacted level)
  • $90.3B for DoD procurement funding (a decrease of $2B from the FY 2014 enacted level)
  • $63.5B in DoD RDT&E funding (a decrease of $700M from the FY 2014 enacted level)

Provisions of Interest

  • $128M for military infrastructure in Guam, $51M of which is to establish facilities for Marine Air-Ground Task Forces throughout the region
  • $47.4B for the DoD Unified Medical Budget
  • $2.9B for the Defense Advanced Research Projects Agency
  • $11.5B for basic and applied research and advanced technology development

Agriculture

The USDA’s budget request is down this year as FY 2015 discretionary funding of $23B represents a 4% decrease from the FY 2014 enacted level of $24B.

Funding highlights include:

  • $7.2B for the Food and Nutrition Service (an increase of $124M from the FY 2014 enacted level)
  • $4.8B for the Forest Service (a decrease of $700M from the FY 2014 enacted level)
  • $2.4B for Rural Development (a decrease of $400M from the FY 2014 enacted level)
  • $1.8B for the Foreign Agricultural Service (same as the FY 2014 enacted level)
  • $1.5B for the Farm Service Agency (a decrease of $100M from the FY 2014 enacted level)
  • $1.1B for the Agricultural Research Service (same as the FY 2014 enacted level)
  • $1B for the Food Safety and Inspection Service (same as the FY 2014 enacted level)
  • $837M for the Animal and Plant Health Inspection Service (a decrease of $8M from the FY 2014 enacted level)
  • $815M for the Natural Resources Conservation Service (a decrease of $14M from the FY 2014 enacted level)

Provisions of Interest

  • The Opportunity, Growth, and Security Initiative provides funding to build a new biosafety research laboratory in Athens, GA
  • $45.2M for the USDA OCIO
  • $15M for IT investments for the Comprehensive Loan Program (CLP)
  • $44 million to address climate change’s risk to agriculture, including investments in cyber infrastructure for big data

Commerce

The president’s budget request provides $8.8B in base discretionary funding to Commerce, a 6% increase over FY 2014 enacted levels.  It requests $2B in IT funding, an increase of 5.3% over FY 2014 enacted levels. 

Funding highlights include:

  • Provides funding for NIST to accelerate advances in areas such as cybersecurity and advanced manufacturing
  • Supports key trade promotion activities to stimulate economic growth
  • Seeks to promote business investment in the US to create jobs and promote US competitiveness
  • Provides $753M for innovative design methods for achieving the lowest cost possible 2020 decennial census
  • Establishes up to 45 manufacturing innovation institutes across the US
  • Continues strong support of NOAA, including $2B to continue the development of polar-orbiting and geostationary weather satellite systems
  • Provides $1.6B for research and development
  • Funds a new investment line item for modernizing IT and business processes at PTO ($64.4M)

Energy

The DOE’s budget request is up this year as FY 2015 discretionary funding of $27.9B represents a 2.6% increase over the FY 2014 enacted level of $27.2B.

Funding highlights include:

  • $11.7B for the National Nuclear Security Administration (an increase of $M from the 2014 enacted level)
  • $6.0B for Department Management and Performance (a decrease of $200M from the FY 2014 enacted level)
  • $5.1B for Science Programs (an increase of $100M from the FY 2014 enacted level)
  • $4.0B for Energy Programs (an increase of $300M from the FY 2014 enacted level)

Provisions of Interest

  • $180M in R&D to facilitate the transition to a Smart Grid
  • $325M for Advanced Research Projects Agency–Energy programs
  • $141M ($91M in Science and $50M in NNSA) for R&D related to exascale computing
  • More than $300M for DOE cyber security initiatives

Health and Human Services

The president’s budget request provides $77.1B in base discretionary funding to HHS, a 1.7% decrease from FY 2014 enacted levels. It requests $8.6B in IT funding, a decrease of 10.4% from FY 2014 enacted levels.

Funding highlights include:

  • Supports the Affordable Care Act and operation of the Health Insurance Marketplace
  • Provides $30.2B to NIH for medical research
  • Improves mental health services for youth and families
  • Invests in payment innovations and other reforms for Medicare and Medicaid and other federal health programs to improve program integrity and delivery of high-quality, efficient health care
  • Invests in a new initiative to improve access to high-quality health care providers
  • Funds construction of two new Indian Health Service health care facilities
  • Increases the investment in CMS IT infrastructure by $58.6M, a 19.4% gain
  • Increases the investment in CMS Healthcare Fraud Prevention Partnership (HFPP) by $17M, a 354% increase
  • Decreases IT funding for the CMS  investment that developed the health insurance marketplace (-$297M) and transfers to states for CMS Medicaid Management Information System (-$618M) 

Homeland Security

DHS is slated to receive $38.2B in base discretionary funding in the president’s budget request, a 2.6% decrease from FY 2014 enacted levels. The budget also includes $6.8B for disaster relief. It requests $5.8B in IT funding, a $3M reduction from FY 2014 enacted levels (a 0.1% decrease year over year).

Funding highlights include:

  • $514M for research and development in homeland security technology and developing state-of-the-art solutions for first responders – target opportunities in cybersecurity, explosives detection, nuclear detection, and chemical and biological detection.
  • $300M to initiate construction in 2015 of the National Bio- and Agro-Defense Facility to study large animal zoonotic diseases and develop countermeasures
  • $124M to support, expand, and enhance E-Verify system to aid U.S. employers with employment legality verification
  • $112.5M for Secure Flight, under which DHS conducts passenger watch list
  • $3.8B for the Transportation Security Administration (TSA) screening operations. Supports risk-based security initiatives at the Transportation Security Administration that enhance the efficiency of passenger screening operations, while improving the customer experience for the traveling public.
  • $1.25B for cybersecurity activities including:
    • $377.7M for Network Security Deployment, including the EINSTEIN3 Accelerated (E3A) program
    • $143.5M for the Continuous Diagnostics and Mitigation (CDM) program
    • $173.5M to support ICE cyber and cyber-enabled investigations of cyber-crime, etc.
    • $28M for the classified Homeland Secure Data Network to support security and info sharing
    • $67.5M for Cybersecurity/Information Analysis Research and Development
    • $8.5M to establish a voluntary program and an enhanced cybersecurity services capability to support Executive Order 13636, Improving Critical Infrastructure Cybersecurity
    • $3.9M for Secret Service Cybersecurity Presidential Protection Measures to support monitoring of protective sites which directly or indirectly support a Presidential visit

Justice

The president’s budget request provides $27.4B in discretionary funding for the Justice department, $122M above the 2014 enacted level – for DOJ core law enforcement needs, safe and secure prisons, and other Federal, State, and local programs. DoJ’s IT budget is just slightly better than flat (+0.4%) year-over-year at $27.4B.

Funding highlights include:

  • $722M for cybersecurity efforts to combat increasingly sophisticated and rapidly evolving cyber threats
  • $13M to the FBI for investment in the National Instant Criminal Background Check System as part of the DOJ’s overall $182M budget for Federal, State, and local gun violence reduction efforts
  • $8.4B for Federal prisons and detention facilities, to maintain secure prison facilities and to continue bringing newly completed or acquired prisons online
  • $15M under the Smart on Crime initiative for prisoner reentry programs and for Prevention and Reentry Coordinators
  • $15M to expand the Residential Drug Abuse Program at the Federal level and $14M to expand the Residential Substance Abuse Treatment program at the state level
  • $1.7M to develop new multidisciplinary program evaluation and policy analysis capability to improve budget, management, and policy decisions
  • $299M for the Department’s Juvenile Justice Programs
  • $423M (roughly half of which are grants) to combat violent crimes against women
  • $9M to establish a National Center for Building Community Trust and Justice to promote procedural fairness in policing, use deterrence strategies to reduce crime, and encourage police departments to track the quality of their interactions with the public

Transportation

DOT’s budget request is down this year as FY 2015 discretionary funding of $13.7B represents a 2.14% decrease from the FY 2014 enacted level of $14B.

Funding highlights include:

  • $48.6B for the Federal Highway Administration (an increase of $7.2B from the FY 2014 enacted level)
  • $15.3B for the Federal Aviation Administration (a decrease of $584M from the FY 2014 enacted level)
  • $4.9B for the Federal Railroad Administration (an increase of $3.3B from the FY 2014 enacted level)
  • $17.6B for the Federal Transit Administration (an increase of $6.9B from the FY 2014 enacted level)
  • $851M in mandatory and discretionary funding for the National Highway Traffic Safety Administration (an increase of $32M from the FY 2014 enacted level)
  • $669M for the Federal Motor Carrier Safety Administration (an increase of $97M from the FY 2014 enacted level)
  • $261M for the Pipeline and Hazardous Materials Safety Administration (an increase of $51M from the FY 2014 enacted level)

Provisions of Interest

  • $302B four-year surface transportation reauthorization proposal to support critical infrastructure projects
  • Funding for FAA NextGen investments is preserved
  • $370 million for National Airspace System Sustainment
  • $5M for cyber security initiatives, a decrease of $7M from the FY 2014 enacted level

Treasury

The president’s budget request provides $12.4B in base discretionary funding to Treasury, a 1.5% decrease from FY 2014 enacted levels. However, it provides total resources of $13.8B, a $1.2B increase partially funded by proposed program integrity cap adjustments. It requests $4B in IT funding, an increase of 13.4% over FY 2014 enacted levels.

Funding highlights include:

  • Continues implementation of the Affordable Care Act
  • Continues implementation of the Wall Street Reform and Consumer Protection Act to create a more stable  and responsible financial system
  • Invests $12.5B in the IRS, including a $480M program integrity cap adjustment aimed at improving enforcement of current tax laws and reducing the current tax gap. Includes more than a $100M increase to improve customer service, and an additional $165M is proposed to further enhance customer service through the Opportunity, Growth, and Security Initiative
  • $1.5B for a new round of State Small Business Credit Initiatives
  • Expands the level of detail and capabilities of sorting federal spending data to enable better use of the data
  • Calls for a $227M increase to the IRS Main Frames and Servers Services and Support investment over FY 2014 levels

Veterans Affairs

The president’s budget request provides $65.3B in base discretionary funding to VA, a 3% increase over FY 2014 enacted levels, giving VA total budget authority of $68.4B which includes $3.1B of estimated medical care collections.  The budget requests $4B in IT funding, an increase of 4.7% over FY 2014 enacted levels.

Funding highlights include:

  • $56B for VA medical care, and $58.7B in advanced funding for FY16 appropriations for medical care
  • $1.6B, working with HUD, with an emphasis on ending veterans’ homelessness
  • Supports continued improvements in delivery of mental health care and telehealth technologies ($7B)
  • $1B in mandatory funding to help put veterans back to work protecting and rebuilding America
  • An additional $400M for high priority capital projects
  • Invests $138.7M in the Veterans Claims Intake Program and $173.3M for the Veterans Benefit Management System to address the claims backlog

Stay tuned to FIA as we will be publishing our complete analysis of the FY 2015 budget request later this month, where we will go into greater detail on the key initiatives, IT investments and contractor implications that will shape the federal IT marketplace for FY 2015.

Fellow GovWin Federal Industry Analysis (FIA) analysts Angela Petty and Alex Rossino contributed to this entry.

White House Cybersecurity Framework Takes a Cajoling Tone

Last week the White House unveiled its much-anticipated framework for cybersecurity aimed at persuading financial, energy, and other critical infrastructure companies to further bolster their network protections against cyber-attacks. The measured tone of the guidance and accompanying statements by officials is a stark contrast to the Obama Administration’s aggressive posture at the onset of the initiative.

The Framework for Improving Critical Infrastructure Cybersecurity is the product of a year-long effort led by the National Institute of Standards and Technology (NIST), initiated by President Barack Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. While the release came within the time frame Obama specified, initial news reaction was that the framework was much weaker than what he promised a year ago. The White House’s promotion of voluntary standards is a marked departure from the more regulatory approach it had pursued up to this point, and in his published statement on its release the President said that much more work needs to be done.

Framework Overview

The Framework describes itself as a risk-based approach to managing cybersecurity risk and seeks to reinforce the connection between business drivers and cybersecurity activities. It is composed of three parts:

  • The Framework Core – a set of five cybersecurity functions (Identify, Protect, Detect, Respond, Recover), desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.

  • Framework Implementation Tiers – describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive), measured over a range from Partial (Tier 1) to Adaptive (Tier 4), i.e., from informal to agile and risk-informed.

  • A Framework Profile – the alignment of current standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state).

The remainder of the Framework defines cyber-risk management and further discusses the three Framework components, with examples of how the Framework can be used, and provides additional reference information relevant to implementation.

White House Event and DHS Program

The White House announced the Framework release with an event that featured speakers from several agencies and a panel of industry advocates that have worked closely with the administration on the issue. A key repeated theme throughout was the voluntary nature of the Framework, which may be a reaction to concerns that federal policy in this area would pursue a heavy-handed regulatory bent.

As part of the roll-out, Department of Homeland Security Secretary Jeh Johnson announced the launch of the Critical Infrastructure Cyber Community C³ Voluntary Program, a public-private partnership aimed at aligning critical infrastructure owners and operators with existing resources that will help them adopt the Framework and manage their cyber risks. The stated primary goals of the C³ Voluntary Program are to support industry in increasing cyber resilience, to increase awareness and adoption of the Cybersecurity Framework, and to encourage organizations to manage cybersecurity as part of an all-hazards approach to enterprise risk management. In his remarks, Johnson said one aspect of the C-cubed program includes providing industry access to cyber-experts at DHS for consultation and advice at no cost.

Also at the event, Department of Commerce Secretary Penny Pritzker chaired a panel of supportive industry execs from AT&T, Lockheed Martin, and PEPCO to show their support for the White House’s efforts.  Among their comments, they emphasized the “good first step” aspect of the framework and that it is not a “cookie-cutter” approach. They also stressed the fact that “there are no truly private networks” as well as the need to understand exactly what actors and devices are connected to their networks.

White House Cyber Coordinator Michael Daniel closed out the event by highlighting the intent to continue to foster C-level engagement in order to keep the Framework a living document through NIST workshops, etc.; to address the regulatory aspects of the EO by streamlining and aligning existing regulations without issuing new ones; and to deal with the issue of incentives for industry to participate in the framework and related cyber-efforts.

Implications

In the industry panel discussion, AT&T’s Randall Stephenson commented that he sees huge opportunities within the cyber framework for big business. He and the others see the need for innovation in cybersecurity, including solutions that improve an organization’s situational awareness of its cyber-risk posture, training and education, policy development and enforcement, risk management, etc. It was unclear whether he meant upside for cybersecurity vendors or potential for big firms to improve their cyber-risk posture, or both.

The potential cost of pursuing the government’s framework approach has been raised as an issue. In fact, an administration official noted that the federal government is going to “do its best to make the costs of using the framework lower, and the benefits of the framework higher…”

Cybersecurity opportunities that develop within the private critical infrastructure markets will complement the ongoing needs of federal agencies to secure their networks and improve their processes, especially in light of the continued challenges and failures of many agencies to lead by example.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Discover more about GovWin FIA. Follow me on Twitter @GovWinSlye.

Will It Take a Real Zombie Attack to Improve Federal Cybersecurity?

It's been said that 80% of cyber-attacks could be prevented by implementing and maintaining the most basic cyber-measures like keeping software patched and using non-default passwords. Well, a recently released Senate study documents the dismal track record many federal agencies have at doing just that. The ramifications range from the now-infamous zombie attack warning that went out over a hacked emergency notification system to incidents of personally identifiable information (PII) theft.

As the White House releases updated critical infrastructure protection (CIP) guidance and Congress debates its latest cybersecurity and CIP bill, the Republican Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, Tom Coburn, released a report detailing how poorly prepared federal agencies are to defend against even some of the most routine attacks.

The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure was picked up by the Washington Post, which highlighted the February 2013 hack of the FCC’s Emergency Broadcast System that led to several TV stations broadcasting the zombie attack warning. The report cites previous work by the GAO and by agency IGs to emphasize the breadth and severity of the problem of not doing the basics when it comes to IT security.

Physician, Heal Thyself

The gist of the report is that while the White House has been very focused on improving the security of the computers and networks that run the nation’s commercially-owned critical infrastructure, through efforts like last year’s executive order, the federal government should address the dangerous insecurity of its own critical networks if those efforts are to be credible and taken seriously. This is especially true when the vulnerabilities are due to the failure to perform routine and basic measures.

The report cites the most recent FISMA report in noting that civilian agencies fail to detect about 4 in 10 intrusions and notes that many hacks often exploit mundane weaknesses that could be prevented with routine efforts, particularly out-of-date software patches. The report also cites a June 6, 2013 Congressional Research Service memo to the HSGAC Minority Staff on “FISMA Spending, Historical Trends,” in which CRS estimates that the federal government has spent at least $65 billion on IT security since 2006. (Assuming that covers from FY 2006 to FY 2012, that would average more than $9 billion per year.)

Select examples mentioned in the report include:

  • Homeland Security – In 2013 OMB found DHS rated below the government-wide average for using anti-virus software or other automated detection programs, encrypting email, and security awareness training for network users. DHS also came in at 72% of its internet traffic going through Trusted Internet Connections (TIC), missing its OMB-set goal of 95% and even the general government agency goal of 88%. Other widespread issues deal with unpatched software and poor password practices (using weak/default passwords, written/posted passwords, etc.)

  • Internal Revenue Service – Every year since 2008, GAO has identified about 100 cybersecurity weaknesses which compromise computers and data, often repeating weaknesses GAO cited the previous year. Issues include routine lack of encryption to protect sensitive data, lax password standards/administration, failure to fix known vulnerabilities that have been identified by their security monitoring, and lagging software patch installation.

  • Energy – In January 2013 hackers compromised 14 servers and 20 workstations, stealing personal information on hundreds of government and contract employees, and possibly other information. In another incident six months later, hackers took personal information for 104K past and present employees. Vulnerabilities ranged from unprotected servers and unapplied software patches to weak access controls and passwords and poorly-secured web applications.

Implications

Shining the spotlight on the ongoing deficiencies of federal agencies to effectively deploy rudimentary security measures may add fuel to the fire in the debate over the fed’s role in private CIP and cybersecurity. The lines have been drawn largely between those who favor a regulatory approach with rules and requirements versus those who advocate an incentives-based approach with liability protections. Whatever the merits of either side, the fact still remains that more must be done to secure federal networks, systems and devices.

The Post article notes that Coburn and others see the underlying problem as the fed’s failure to hire and retain highly-skilled IT workers who have the proper authority to enforce simple security protocols, combined with a lack of accountability at the agency senior level for security failures. The examples emphasize that the problem in this area is not really technical. It’s more about policy, governance and administration. That comes back to strategy, training, and execution, for which agencies should turn to their cyber-industry partners for support and expertise.

Maybe a report like this will give federal IT managers and cybersecurity staff a little more clout to shake the current system out of “zombie mode” and into effective action. We’ll see what the next FISMA report reveals.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.

Targeting Security Improvements through Supply Chain Risk Management

National Aeronautics and Space Administration (NASA) officials started market research over a year and a half ago for the follow-on to a government-wide acquisition contract (GWAC) that supplies federal agencies with information technology products and product-based services. One new aspect of this follow-on is the growing emphasis on IT supply chain risk management.

Since the release of the Request for Proposal (RFP) for the next iteration of the Solutions for Enterprise-Wide Procurement (SEWP) contract in August, NASA’s program office for SEWP has released 12 amendments and extended the submission due date into December.  The security associated with IT supply chains has received increasing attention. On the vendor side, more detail around supply-chains will be disclosed in SEWP V. Information about industry supply-chains will help to clarify the various risks and costs as products move from manufacturers to government customers. Supply-chain risk management considers what technologies agencies are using and evaluates layers of risk from how a product moves from a manufacturer to a customer.

Aligned with the Executive Order released in February, efforts to improve critical infrastructure security have highlighted mitigating security risks introduced through the supply chain. Back in April 2013, the Cyber Security Research Alliance (CSRA) conducted a workshop in collaboration with the National Institute of Standards and Technology (NIST) targeting security for cyber-physical systems (CPS). Cyber-physical systems span applications in critical infrastructure including power and water, industrial systems, emergency management, security systems, and medical devices among others. Among other topics, the workshop participants explored the impact of supply chain on securing CPS. The global market for information and communication technology product manufacturing introduces numerous opportunities for products to be subject to tampering or sabotage. Both insufficient diligence around buyer practices and lack of visibility into the supply chain present challenges for reducing and managing risks.

Recommendations for moving forward included developing supplier reliability and monitoring methodologies. In particular, the findings recommend advancing research and development for tools to identify vulnerabilities and corrective measures, reviewing existing practices to improve information sharing and collaboration between suppliers and buyers, building security technology refresh into the life cycle, and leveraging analytics to target potential future failures and counterfeits.

Moving forward, the practices of government contractors are likely to be subject to increasing scrutiny as agencies face growing reporting requirements, demand cost efficiencies, and strive to comply with security mandates. Past iterations of the SEWP have been leveraged by organizations across the government. With the increased performance period and ceiling value of SEWP V, it’s clear that trend is expected to continue. In order for vendors to maximize the opportunity, they need to meet the modernized requirements. The deadline for submission to the SEWP V RFP is set for December 16, 2013.

Further perspective on current and evolving government cyber security concerns is available in our latest report: Federal Information Security Market, FY 2013-2018.

---

Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on twitter @FIAGovWin.

Cyber Framework Shifts toward Standards Implementation

Earlier this fall, White House Cybersecurity Coordinator Michael Daniel wrote that, “Cyber is one of those challenging areas in which there really is no ‘done.’” This is a particularly poignant observation as we look at government-industry collaboration and progress in developing security standards. A few days after Daniel posted that blog, the National Institute of Standards and Technology (NIST) released the next draft of the cybersecurity framework for critical infrastructure providers.

NIST released the Preliminary Cybersecurity Framework on Tuesday, October 22, 2013. Comments will be accepted over the next few months before Version 1.0 of the framework is completed in February 2014. The next workshop for the framework has been scheduled for mid November. Early in this process, a question about best practices was raised. Namely, what has prevented industry from sharing and changing their practices? While no definitive answer was achieved, the role of security within various business organizations has no doubt been in play. As organizations look to balance business goals with security objectives, risks weigh differently for different organizations. Ultimately, the cybersecurity framework will have a different impact for organizations of differing size and market sector. The preliminary draft notes that, “The Framework complements, and does not replace, an organization’s existing business or cybersecurity risk management process and cybersecurity program.”

As for encouraging adoption, over the summer, the administration referenced potential incentives associated with the framework, including insurance, grants, streamlined regulations, and public recognition.  While several of these can be implemented now, others will follow completion of the framework. It’s worth noting that reception of these incentives is likely to vary across industries. For example, some industries are already regulated by government agencies, such as banking. As review of the framework continues, the extent of the agencies’ regulatory authority will need to be determined. Within the insurance industry, government agencies and providers are collaborating to ensure the framework can be properly utilized. These initial discussions precede any formal recommendations or policies, which are likely to hinge on the finalized framework. 

The fifth workshop for the framework will be held November 14 to 15 in Raleigh, North Carolina. According to the draft agenda, this workshop will explore implementation as well as future information security governance. Amid ongoing federal spending pressure, government contractors are looking for business opportunities in the private sector resulting from new security standards. Further exploration of how these standards may be implemented will shed some light on where some of those opportunities may arise.

Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on Twitter @FIAGovWin.

Take-aways from the CyberMaryland Conference

October is Cybersecurity Awareness Month and so there are numerous events happening around the region. With the partial federal shut-down, several have been postponed or cancelled, but not the CyberMaryland Conference in Baltimore, where I had the opportunity to attend and present Deltek’s Federal Cybersecurity market outlook and forecast in one of the sessions.

The annual two-day CyberMaryland Conference draws people from industry and education as well as from inside and outside federal, state and local government. The event also hosts the Maryland Cyber Challenge competition for High School, College and Professional teams to compete in a real-world environment.

The conference’s proximity to Ft. Meade, home of the National Security Agency (NSA) and Defense CYBERCOM, helps to bring folks from those organizations to speak and network. But while there were those in uniform in the crowd, the speaking podium was almost completely devoid of government representation. Chalk it up to the shut-down.

Here are just a few of the comments and take-aways from the various sessions as well as some conversations I had with fellow attendees:

  • Fighting Malware – Simply chasing the malware is ineffective. You need to chase the person developing and inserting the malware in order to anticipate and predict their actions. You need to understand their tactics, techniques, and procedures well to defeat them before they hit you.
  • Maximizing the value of threat intelligence feeds – Everyone is building their TI filters from the same available data feeds. Whatever the source you have, you need to evaluate and establish for yourself the fidelity of the information you’re getting. Keep track of the reputation of the feeds you get so you know their value to you over time.
  • Using “Big Data” for cybersecurity – Scientific analysis is foundational to an effective defense and to do this you need raw, unfiltered data. Use your big data platform to build a threat intelligence repository and take a deep dive into the threat data to maximize your understanding and the data’s value. Use it to pivot off data points and make connections. Bring critical thinking to bear. Big data analytics is a science and intelligence analysis is an art. You need to combine the two to be effective.
  • Information sharing for cybersecurity effectiveness – Often, sharing within a particular industry community begins as an informal process among people you know, through established relationships. Operationalizing wider sharing becomes more about the data: is it useful and trustworthy? The data needs to fit easily into your analysis processes and framework. This is not always the case for some feeds, e.g. STIX is a CSV file, so it doesn’t flow automatically into systems.
  • Outsourcing security – The trend of outsourcing an organization’s security knowledge base to a 3rd party can have the effect of “dumbing down” security. As we leverage externally-provided knowledge bases more and more we are letting go of internal comprehension of the local security terrain, at the same time the necessary skills are increasing. This is dangerous. Organizations need to maintain some in-house core capabilities in security analysis and build a measure of advanced analysis capabilities to maintain security effectiveness.
  • Offensive cyber-capabilities – These need to be distinct enough from known threats in order to get past current protections. Stuxnet would have never gotten through the perimeter if it matched any of the known profiles. Otherwise, it would have been detected and prevented. So when it comes to developing effective offenses, you really have to come up with something new.
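The threat-intelligence take-aways above (evaluate feed fidelity for yourself, track feed reputation over time, and recognize that feeds built from the same upstream data overlap) can be made concrete with a small scorer. The following is an added example, not code from the conference or from this post; feed names, indicators and dates are constructed sample data, and "precision" here simply means the share of a feed's adjudicated alerts that analysts confirmed as malicious.

```python
"""Track threat-intelligence feed fidelity over time (added example).

Each alert raised by an indicator receives an analyst verdict; that verdict is
credited to every feed that supplied the indicator, so feeds are scored on what
they actually delivered in this environment. Unique coverage shows how much a
feed adds beyond the shared upstream data. All sample data is constructed.
"""
from collections import defaultdict
from datetime import date, timedelta


class FeedReputation:
    def __init__(self):
        self.indicators = defaultdict(set)   # feed -> indicators it supplied
        self.sources = defaultdict(set)      # indicator -> feeds supplying it
        self.verdicts = defaultdict(list)    # feed -> [(date, was_malicious)]

    def ingest(self, feed, indicators):
        for ioc in indicators:
            self.indicators[feed].add(ioc)
            self.sources[ioc].add(feed)

    def record_verdict(self, ioc, malicious, when):
        """Credit an analyst verdict on an alert to every feed that supplied the indicator."""
        for feed in self.sources.get(ioc, ()):
            self.verdicts[feed].append((when, malicious))

    def precision(self, feed, since=None):
        """Share of adjudicated alerts that were real; None if nothing adjudicated yet."""
        rows = [m for d, m in self.verdicts[feed] if since is None or d >= since]
        return sum(rows) / len(rows) if rows else None

    def uniqueness(self, feed):
        """Fraction of a feed's indicators that no other feed also supplied."""
        iocs = self.indicators[feed]
        if not iocs:
            return 0.0
        return sum(1 for i in iocs if self.sources[i] == {feed}) / len(iocs)

    def ranking(self, since=None):
        """Feeds ordered by precision (unknown last), then by unique coverage."""
        rows = [(f, self.precision(f, since), self.uniqueness(f)) for f in self.indicators]
        return sorted(rows, key=lambda r: (r[1] is None, -(r[1] or 0.0), -r[2]))


def build_sample():
    """Constructed data: two feeds sharing most indicators, one feed with no verdicts yet."""
    rep = FeedReputation()
    rep.ingest("feed-a", {"198.51.100.7", "203.0.113.9", "evil.example"})
    rep.ingest("feed-b", {"198.51.100.7", "203.0.113.9", "203.0.113.55"})
    rep.ingest("feed-c", {"quiet.example"})
    day0 = date(2013, 10, 1)
    rep.record_verdict("198.51.100.7", True, day0 + timedelta(days=1))    # confirmed malicious
    rep.record_verdict("203.0.113.9", False, day0 + timedelta(days=2))    # false positive
    rep.record_verdict("evil.example", True, day0 + timedelta(days=10))
    rep.record_verdict("203.0.113.55", False, day0 + timedelta(days=11))
    return rep


if __name__ == "__main__":
    rep = build_sample()
    for feed, prec, uniq in rep.ranking():
        print(f"{feed}: precision={prec} unique_coverage={uniq:.2f}")
    # Restricting the window shows how a feed's reputation shifts over time.
    print("recent window:", rep.ranking(since=date(2013, 10, 6)))
```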

These are just some of what I jotted down during sessions or in reflection on conversations with others. Even with limited interaction with our federal counterparts in the cybersecurity community there was plenty of useful exchange of information, networking and camaraderie.  The challenge to secure data, systems and networks seems only to be growing and collaboration will continue to be a key to success.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.

Cybersecurity Staffing Shortages Make Safeguarding Data a Challenge

What do you get when you cross exploding data stores concentrated together by technical efficiencies with a shortage of IT security staff to secure that data? You get the potential for huge data breaches. And from the looks of several recent surveys in the news this cybersecurity staffing issue is causing some insomnia among IT managers.

Several years of budget pressure have pushed federal IT managers to look for ways to cut their IT spending and increase efficiencies while the demands placed on IT through big data, mobility and the like continue to increase. At the same time we see more reports of how the current budget environment may impact the size of the federal workforce, whether through retirements or reductions. Even IT staffing does not appear to be immune as agencies look for savings through approaches like cloud computing, virtualization, and IT-as-a-service. But could the combined effect of technology efficiencies, growing data stores and a shortage of information security staff be setting agencies up for trouble? Several recent surveys suggest that is a possibility.

A recent Federal Times report included interviews from those inside and outside the federal government that said IT staffs would almost surely shrink across most areas due to trends like cloud computing, program consolidation and (of course) sequestration and budget cuts. The only likely safe area seems to be cybersecurity. But budget reductions may not be the biggest staffing issue facing federal cybersecurity departments. Their challenge seems to be finding enough people with the right skills.

Staffing Shortages, Big Data and the Insider Threat

Nextgov has reported that it is security concerns and IT staffing shortages that keep IT workers up at night. The article references a survey by security company EiQ Networks of more than 250 IT decision makers in industries including government; two-thirds say their IT security department is understaffed, and their largest security concern (34%) is an external data breach for financial gain. By comparison, 22% said loss of intellectual property was their greatest concern and 9% responded that they feared a trusted 3rd-party contractor exposing their organization.

In the wake of the Snowden exfiltration case and others, organizations have come to recognize that their data is one of their most valuable assets, and that has agencies more aware of how they manage and protect it. Another recent article cites a study that federal cybersecurity pros are worried about the glut of data clogging their networks, with more than half (55%) of the 203 survey respondents saying agency networks cannot keep up with the current data loads and nearly 20% saying that their network and security monitoring capacity are insufficient to the task.

A fourth survey reported by Federal Computer Week of more than 700 IT professionals and business managers in civilian, defense and intelligence agencies and across large public sector organizations suggests that insider threats are more concerning than ever. Of the respondents 63% feel vulnerable to abuse of privileged user access rights by employees of the organization and 58% feel vulnerable to abuse of access rights by contractors of the organization.

So we have ever-burgeoning data assets that are increasing in value to agencies being concentrated in fewer places through the drive for technology efficiencies and that are straining existing networks. At the same time we have an ongoing shortage of skilled cybersecurity personnel – both in- and outside government – necessary to protect those data assets. Could this be the potential makings of another high-profile news story? Hopefully not.

Implications

Competition for IT staff with up-to-date security skills will continue to be hot and the growing emphasis on critical infrastructure protection by the White House, Congress and others will only fan the flames.  Federal agencies face strong competition from private companies in the energy, financial, and transportation sectors as well as industries supporting government missions. This shortage will likely take years to overcome.

Training federal IT staffers with adjacent skill sets will be one way to bridge part of the gap, so training companies may have some business opportunities, even though training is often the first place agencies look when trying to obtain immediate budget cuts. But many of the high-demand skills come only from years of varied experience, making these folks particularly hot commodities.

Since the cost and steep learning curve exacerbate the people problem, technologies have been cropping up to help fill the void, reduce cost and help leverage the security staff that agencies do have on board. Technologies that increase efficiencies, such as analytics and advanced monitoring tools, will continue to be in demand.

Like so many things, the final solution will be a combination of people and technology to effectively secure valuable data. Both elements have a ways to go before IT managers will sleep better.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.
