Chief Information Officers Council - Chapter19-4

An Official Website of the United States Government

Chapter 19 Information Technology Page 4
Tags: Securing Government Systems, Cybersecurity, Best Practices, FISMA, US-CERT
INFORMATION TECHNOLOGY  (Page 4)
SECURITY AND PRIVACY
Securing Government Systems — Our Nation’s security and economic prosperity depend on the stability and integrity of our Federal communications and information infrastructure. As stated in the Cyberspace Policy Review, the 60-day clean-slate evaluation of cyber activities ordered by the President, threats to cyberspace pose some of the most serious economic and national security challenges of the 21st century for the United States. The group of state and non-state actors who target U.S. citizens, businesses, and Federal agencies is growing. US-CERT, the computer response center for civilian agencies, sees millions of attempts daily to access open ports and vulnerable applications on Federal networks.
Historically, the Federal Government has not been as effective as necessary in its cyber defense. An inadequate cybersecurity workforce, a focus on compliance rather than outcomes, and a cumbersome and time-consuming process for collecting information regarding agency security postures have hindered our cyber security management capabilities. OMB will work with agencies, Inspectors General, Chief Information Officers, senior agency officials for Privacy, as well as GAO and the Congress, to strengthen the Federal Government’s IT security and privacy programs. As part of those activities, OMB will:
Utilize a Modern Platform for Federal Information Security Management Act (FISMA) Reporting. On October 19, 2009, OMB launched an interactive data collection tool—CyberScope—enabling agencies to fulfill their FISMA reporting requirements through a modern digital platform. The broad range of meaningful information collected, the use of secure two-factor authentication, and the online access to data provide for a more efficient and effective reporting process. In the spring of 2010, OMB will unveil a cybersecurity dashboard, unlocking the value of agency FISMA reporting by presenting the information gathered to agencies’ IT professionals and management in a timely, comprehensive, and secure manner.
Collect More Specific Cost/Budget Information. Beginning with the 2009 FISMA report, OMB is collecting cost estimates and actual amounts spent on IT security. Collection of this information, especially when combined with performance-based metrics, will allow both OMB and agency management to make informed, risk-based decisions on where to allocate scarce resources.
Implement New Security Metrics. In September 2009, OMB established a task force, which has developed new, outcome-focused metrics that measure Federal agencies’ information security performance rather than merely demonstrating compliance. These metrics will be used in agencies’ 2010 FISMA reports to OMB and the Congress. Additionally, OMB and the task force will release a roadmap for future reporting under FISMA, which will incorporate real-time metrics and enhance Government-wide situational awareness in 2010.
Move towards Situational Awareness across the Government. More frequent reporting, near or at real-time, is imperative for developing situational awareness across the Federal enterprise. The use of Security Information Management or Security Information Event Management tools will assist in progressing towards real-time security awareness and management in the Government.
Cybersecurity Workforce. On October 1, 2009, as a result of OMB collaboration with the Office of Personnel Management, DHS Secretary Janet Napolitano announced that DHS has the authority to hire up to 1,000 new cyber security professionals over the next three years to fill staffing gaps at various DHS agencies. This new hiring authority will enable DHS to recruit skilled cyber analysts, developers and engineers to serve their country by helping to secure the Nation against cyber threat.
Identity Management—The Cyberspace Policy Review outlined a number of cybersecurity recommendations. To support this effort, the Federal Chief Information Officers’ Council developed the “Identity, Credential and Access Management (ICAM) Roadmap and Implementation Guidance” document to provide implementation guidance for program managers, leadership, and stakeholders as they plan and upgrade their architectures. One of the major outcomes of this effort is to enable agencies to create and maintain information systems that deliver more convenience, appropriate security, and privacy protection, with less effort and at a lower cost. The ICAM roadmap, issued in November 2009, outlines a number of transition activities for agencies to complete. It also serves as an important tool for providing awareness to external mission partners and driving the development and implementation of interoperable solutions. ICAM solutions will leverage the existing investments in the Federal Government while promoting efficient use of tax dollars when designing, deploying, and operating ICAM systems.
As part of this effort, OMB will continue to oversee the implementation of the strong Federal identity management scheme outlined in Homeland Security Presidential Directive 12 (HSPD-12). This directive, “Policy for a Common Identification Standard for Federal Employees and Contractors,” addressed the September 11th Commission recommendation to improve the security of Federal facilities and information systems. Agencies are required to follow specific, technical standards and business processes for the issuance of Federal credentials including a standardized background investigation to verify employees’ and contractors’ identities. HSPD-12 credentials facilitate physical access control and provide for digital signature, encryption, archiving of documents, multi-factor authentication, and single sign-on to improve security and facilitate information sharing. They also provide for a very high level of trust in identity credentials during disaster response, disaster recovery, and reconstitution of Government scenarios. As of September 1, 2009, more than 4.1 million credentials (71 percent of those needed) were issued to the Federal workforce and 3.3 million background investigations (57 percent of those needed) were completed. Additionally, 20 credential issuance infrastructures are in operation nationwide and 55 system integrators and 449 products are on the Approved Products and Services list maintained by GSA. Agencies are currently focusing on completing the issuance of credentials to their remaining employees and contractors and leveraging the electronic capabilities of the credentials.
Protecting Privacy — Federal agencies will continue to implement breach notification plans, eliminate unnecessary collection and use of Social Security numbers in agency programs, reduce unnecessary holdings of personally identifiable information, and develop policies outlining rules of behavior and identifying consequences and corrective actions to address non-compliance. Agencies are expected to demonstrate progress in all aspects of privacy protection. The Federal Government will continue to improve information security for Federal systems and the information sector overall. This focus, along with a commitment to ensuring privacy as investments are made in the widespread implementation of electronic health records, will maintain the privacy of personal information for all Americans as a top priority.

© 2010 Chief Information Officers Council All Rights Reserved.