On October 30, the White House released a memorandum to the heads of federal departments and agencies detailing the Cybersecurity Strategy and Implementation Plan (“CSIP”), a proposal designed to update and bolster federal civilian government cybersecurity. The CSIP is the result of the “Cybersecurity Sprint” initiated by the Federal Chief Information Officer over the summer and represents “the result of a comprehensive review of the Federal Government’s cybersecurity policies, procedures, and practices by the [Cybersecurity] Sprint Team.” The CSIP aims to identify gaps in the federal government’s cybersecurity practices and address those gaps with detailed recommendations.
The CSIP has five overarching objectives, each of which is supplemented by corresponding action items designed to achieve the objectives. The first objective is “Prioritized Identification and Protection of High Value Information and Assets.” Pursuant to this objective, federal agencies must determine the value of information on relevant networks and systems and, in turn, identify which IT assets are involved in the processing and storage of critical information. Additionally, agencies “must identify those assets and capabilities that enable mission essential functions and ensure delivery of critical services to the public.” To that end, the Office of Management and Budget (“OMB”) has directed federal agencies to identify high-value assets and strengthen security controls related to those assets.
The second objective of the CSIP is “Timely Detection of and Rapid Response to Cyber Incidents.” While the CSIP notes that cyber-threat detection at civilian agencies has improved, the plan identifies “further improvements that OMB, [the Department of Homeland Security (“DHS”)], and Federal agencies will take to enhance information sharing efforts, detect cyber threats in real time, and rapidly respond to cyber incidents.” Such improvements include a review of internet connection architecture by the OMB (coordinated with DHS) and prioritization of information sharing throughout the federal government regarding threats and vulnerabilities.
The CSIP’s third objective is “Rapid Recovery From Incidents When They Occur and Accelerated Adoption of Lessons Learned From The [Cybersecurity] Sprint Assessment.” The Cybersecurity Sprint found “Federal-wide and agency-specific policies and practices for recovering from cyber events are inconsistent and vary in degree of maturity.” The CSIP states that while there are some standards and guidance for recovery in the event of a cyber incident, these procedures need improvement. Accordingly, the CSIP initiates various actions to assist recovery practices, including directing the Office of Personnel Management (“OPM”) “within 3 months to review options and develop and deliver to OMB recommendations for making Identity Protection Services a standard Federal employee benefit.”
The plan’s fourth objective is “Recruitment and Retention of the Most Highly-Qualified Cybersecurity Workforce Talent the Federal Government Can Bring to Bear,” in recognition of the fact that enhancing cybersecurity procedures in the federal government requires the human talent to do so. The CSIP sets forth a few recruiting-specific actions, including directing agencies to participate in “OPM’s existing Special Cyber Workforce Project, which provides cybersecurity job codes by specialty, so that agency leadership can identify the universe of their cyber talent, understand Federal-wide challenges for retaining talent, and address gaps accordingly.”
The CSIP’s fifth and final objective is “Efficient and Effective Acquisition and Deployment of Existing and Emerging Technology,” pursuant to which the plan delineates the “steps the Federal Government must take to provide agencies with the appropriate technological toolset to adequately secure the functions, systems, and information enabling their missions.”
The CSIP is the latest example of the federal government’s enhanced focus on addressing its own cybersecurity controls and procedures, particularly in the wake of the OPM data breach earlier this year (covered previously in the Data, Privacy & Security Practice Report here).