Cybersecurity – From Frameworks and Farewells to Foreign Affairs

It’s been a busy time lately on the cybersecurity news front. In the last few weeks, there have been reports ranging from the release of evolving cybersecurity policies to outright attacks, and rumors of past and future attacks, on traditional networks and websites as well as industrial and weapons systems. It seems that cybersecurity issues are all-pervasive.

On the policy side, the National Institute of Standards and Technology (NIST) released a preliminary draft of its cybersecurity framework, outlining standards, best practices and guidance to help organizations manage cybersecurity risks. According to comments surrounding the release, the goal is to complement, rather than replace, an organization’s existing cybersecurity processes. The primary focus of the framework is improving cybersecurity among private critical infrastructure owners like utilities and other industrial entities, although there may be some applications for government agencies as well. The current draft is the next round on the way to a final framework that is expected to be codified in October.

The NIST critical infrastructure cyber-framework draft release comes on the heels of some very earnest comments from the outgoing Homeland Security Secretary, Janet Napolitano. In her farewell address, Napolitano urged her eventual successor to have a strong sense of urgency in preparing for a major cyber-attack on US infrastructure. “While we have built systems, protections and a framework to identify attacks and intrusions, share information with the private sector and across government, and develop plans and capabilities to mitigate the damage, more must be done, and quickly,” Napolitano said.

While it is widely acknowledged that adversarial nations employ offensive cyber capabilities against the US government and industry, the threat also includes non-state and other loosely defined actors. For example, al-Qaeda has been exploring ways to conduct cyber-attacks on US drones, enlisting engineers to identify ways to exploit any technical vulnerability in the aircraft to jam or remotely hijack them, or otherwise compromise them to reduce their effectiveness. And with the brewing potential for US strikes in Syria, there were reports of tampering with a Marine Corps recruitment website by apparent pro-Syrian government hackers. It is unclear whether these or other actors could or would be able to effectively strike at other, less mundane, targets if things escalate.

Speaking of cyber-attacks... there’s growing confirmation that the US is taking its offensive cyber capabilities as seriously as its defensive know-how. The news that US intelligence entities have carried out hundreds of offensive cyber-operations against adversaries over the last few years, likely including the Stuxnet attack on Iranian nuclear control systems, hints at the scope, abilities, and magnitude of their efforts. A related report reinforced the fact that federal cybersecurity spending – both defensive and offensive – is decentralized and peppered throughout numerous programs and areas.

There is a theme that connects all of these areas: As information technology continues to advance and permeate how we operate our critical infrastructures, government and military, the demand to protect and exploit this technology will continue to grow. And federal spending will likely grow with it.

Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.

NIST to Sponsor First Cybersecurity Federally Funded R&D Center

Along with its recent work on the Cybersecurity Framework, the National Institute for Standards and Technology (NIST) has been laying groundwork for ongoing cybersecurity collaboration between the public and private sectors. In mid-April, NIST hosted the formal establishment of a public-private partnership that includes 11 major companies. The partnership will work with industry, academic and government experts to explore solutions for businesses’ most pressing cybersecurity challenges. Shortly after that event, NIST announced its intention to establish the nation’s first Federally Funded Research and Development Center dedicated to improving information security.
The National Cybersecurity Center of Excellence (NCCoE) was formed in February 2012 through a Memorandum of Understanding between the state of Maryland, Montgomery County and NIST. As government and industry work together to strengthen cybersecurity capabilities, the NCCoE testbed will enable users and vendors to collaborate on new technologies prior to deployment, and to document and share each solution. The center follows a four-step process:
- Identify the problem and define a project around relevant technical “use cases” in which needs are currently unmet.
- Assemble a cybersecurity team from industry, government and academia.
- Build practical model solutions based on commercially available technology. These solutions will aim to be repeatable, secure and flexible to enable use with various products.
- Facilitate rapid, widespread deployment and implementation of these solutions.
NIST has called out example use cases for this process, such as interoperable information security templates for health IT, cloud and mobile computing, and continuous monitoring of IT systems.
On April 15, 2013, NIST hosted a signing ceremony to mark the formal partnership with 11 private companies.

During her comments at the signing event, Senator Mikulski, chairwoman of the Senate Appropriations Committee, noted that, “Joining the forces of the National Cybersecurity Center of Excellence at NIST with these new private-sector partners will unite their private-sector savvy with the deep cybersecurity knowledge of the government to make our country safer and Maryland’s economy stronger.” Beyond the formal industry partnership that has been established, vendors, users and researchers are invited to participate in NCCoE activities through a variety of collaborative channels.
A week later, on April 22, 2013, NIST released a notice about sponsoring a Federally Funded Research and Development Center (FFRDC) to strengthen the nation’s information security. In short, the FFRDC proposal will enable a nonprofit organization to support the NCCoE. According to Peter Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director, “The FFRDC model is the most effective way the center can work with private companies to accelerate industry’s adoption of integrated tools and technologies to protect IT assets.”
The announcement of the FFRDC sponsorship marks the first of three notices that must be published over a 90-day period. The three primary purposes of the NCCoE FFRDC are (1) research, development, engineering, and technical support; (2) program/project management; and (3) facilities management. NIST is especially interested in feedback on the scope of work and on any existing private or public capabilities that should be considered. Comments on the proposed FFRDC are due July 22, 2013.
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin IQ. Follow me on Twitter @FIAGovWin.

NIST to Hold Workshop Series on Cybersecurity Framework

Based on early reviews of the 2014 budget request, it appears agency efforts to improve cybersecurity will receive continued attention for the foreseeable future. As part of the executive order on cybersecurity, the National Institute for Standards and Technology (NIST) was given responsibility for developing a cybersecurity framework. The first in a series of workshops on developing this “living framework” was held in Washington, D.C. on April 3, 2013. Much of the discussion revolved around risk management and the role of industry in identifying best practices. (Not surprisingly, these are issues that government agencies have been facing too.)

In mid-March, we looked at the role of private industry in implementing the cyber executive order. For government, the goal of partnership with industry is to strengthen national security both within government and across private industry. To that end, the public sector has been reaching out for input from industry, academia and the public. As Rebecca Blank, Deputy Secretary for the Department of Commerce, phrased it in her opening comments: “Government cannot and should not do this alone.”
It’s clear that improved information sharing, situational awareness, and public-private partnership have roles to play in moving forward. For the most part, government and industry agree that there’s a need to build on existing capabilities, to identify solutions that provide flexibility and that can adapt across varying sector requirements.
For many companies, cybersecurity has become an integral part of the discussion around risk-management practices. Opinions vary about how to define “best practice,” and rightly so. Organizations do not have a consistent answer for how to measure the success of security practices. For the most part, risk levels are evaluated at the tactical level rather than compared to strategic benchmarks. Raising risk and security management to a strategic level would clarify its role in business strategy. During an industry leadership panel discussion, Patrick Gallagher, the Undersecretary of Commerce for Standards and Technology and Director of NIST, described this challenge as the need “to learn about the balance between good cybersecurity and good business.”
In all likelihood, the best practices captured in the framework will illustrate a range of approaches to security implementation. This brings us to another sticky wicket: incentives. While there’s no certainty that one organization will have the same success by following another company’s lead, effective policies and procedures around risk management can contribute to a competitive position. There is no current barrier to sharing practices. So what is going to change? What will motivate the private sector to adopt new security standards voluntarily? What role can the government play to facilitate the exchange?
For starters, the government is asking for input. The Departments of Homeland Security, Commerce and Treasury are working together to report on industry incentives. The Commerce Department posted a Notice of Inquiry on incentives for getting industry involved in the framework development process. Public comments are open until April 29, 2013.
Beyond that, several multiday workshops are being scheduled. The next session will be hosted at Carnegie Mellon, held from May 19th through 31st. Other sessions will be held in July and September, further informing the framework. The first draft of the framework is due in October 2013, allowing 8 months from the release of the executive order for the draft to be crafted.