Federal chief information officers (CIOs) may want to read the new 21-page Cybersecurity Strategy and Implementation Plan (CSIP) with a calendar in one hand. That’s because the CSIP, released Friday, includes a long list of deadlines.
The first deadline arrives next week.
Here is a detailed list of the most important deadlines and milestones in the new Federal cybersecurity plan.
Nov. 13, 2015 – Reporting and Response
Federal CIO Tony Scott and Office of Management and Budget (OMB) Director Shaun Donovan are putting things in motion right away.
To speed up reporting of cyberattacks by agencies, Scott and Donovan have ordered agencies to “designate one principal Security Operations Center (SOC), or equivalent organization to be accountable to agency leadership, DHS, and OMB for all incident response activities…by November 13, 2015.”
Agencies must submit that information to the U.S. Computer Emergency Readiness Team (U.S.-CERT).
The intent is to streamline and coordinate reporting and response.
Within three months, OMB will provide agencies with best practices and use cases for those security operations centers “to ensure consistent roles, responsibilities, policies, and procedures are employed by SOCs across the Federal Government.”
Nov. 30, 2015 – NIST Best Practices
The CSIP directs the National Institute of Standards and Technology (NIST) to publish best practices for privileged user Personally Identifiable Verification (PIV) Implementation based on lessons learned from last summer’s Cybersecurity Sprint by Nov. 30.
PIV credentials reduce risk by increasing identity and access management because their use makes it harder for hackers to steal the information of privileged users. Last summer’s Cybersecurity Sprint found that just 42 percent of Federal civilian agencies used strong authentication.
Dec. 31, 2015 – Identifying High-Value Assets
The Director of National Intelligence will identify a group by Dec. 31 to lead a threat assessment of Federal high-value assets that hackers could target.
Dec. 31, 2015 – Einstein
The Department of Homeland Security (DHS) will provide greater detection capabilities through Einstein, the Federal government’s intrusion detection program, by Dec. 31. A contract issued by DHS will extend Einstein 3A to all Federal civilian agencies not currently covered by the program. Einstein 3A monitors Internet traffic to and from agencies, providing intrusion prevention capabilities as a managed security service provided by Internet service providers.
Dec. 31, 2015 – Addressing the Skills Gap
Finding and hiring people with the appropriate skills continues to represent a challenge throughout all agencies, and Scott and Donovan want agencies to accelerate hiring of people with cyber skills by Dec. 31.
To help agencies do that, the Office of Personnel Management (OPM) and OMB will “compile existing Special Hiring Authorities (by agency) that can be used to hire cybersecurity and IT professionals across government. OPM will clarify legal guidelines and provide guidance to agencies on how to increase the understanding of these Special Hiring Authorities, and how agencies should work with their human resources departments to implement them.”
Agency CIOs, in conjunction with human resources professionals, should identify their top five cyber talent gaps and report them to OPM and OMB by Dec. 31.
Within six months, OMB will publish a Cybersecurity Human Resources Strategy, “which will help ensure the Federal Government can recruit, develop, and maintain a pipeline of cybersecurity talent throughout the Federal Government.”
Dec. 31, 2015 – Technology Acquisition
Scott and Donovan want agencies to have greater access to emerging technology. The CSIP directs the General Services Administration (GSA) to develop a procurement capability “to allow Federal agencies to access the technology at any known Federal technology incubator,” including NIST’s National Cybersecurity Center of Excellence, DARPA’s Information Innovation Office, and DHS’s Homeland Security Advanced Research Projects Agency by Dec. 31.
OMB will also convene a working group to develop recommendations for strengthening and better coordinating the collective ability of Federal civilian departments and agencies “to identify, acquire, and rapidly implement innovative commercially-available cybersecurity products and services.” The working group will deliver its recommendations to the Federal CIO and NSC Coordinator for Cybersecurity by March 31, 2016.
Dec. 31, 2015 – Innovation and Testing
Scott and Donovan also want to identify all the work being done by agencies to test new technology solutions and attempt to coordinate those efforts. The CSIP directs the GSA and Department of Energy to submit recommendations to establish a new testing approach by Dec. 31. GSA also will provide protocols for using shared testing facilities.
Dec. 31, 2015 – Authentication
OMB and the National Security Council will release the EO 13681, Improving the Security of Consumer Financial Transactions implementation plan by Dec. 31 to require implementation of strong authentication and effective identity proofing for government digital services that make personal data accessible to citizens online.
March 31, 2016 – Analytics for Einstein?
DHS will attempt to improve its Einstein program through analytics. It wants Einstein to identify zero-day vulnerabilities. DHS is piloting a project now that takes advantage of analytics to accomplish that goal, and DHS will share results from the project with OMB by March 31, 2016.
March 31, 2016 – Guidance for Agencies that are Attacked
In 2007, OMB published OMB M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” which provides guidance to agencies as to how they should protect against data breaches and respond and recover when one occurs.
By March 31, 2016, the agency will update that document “to reflect current best practices and recent lessons learned regarding privacy protections and data breach standards. This updated guidance regarding the collection and disposal of PII will help agencies ensure compliance with relevant laws and regulations for the protection of this sensitive information.”
June 30, 2016 – Guidance from NIST
Scott and Donovan also directed NIST to weigh in on the issue. NIST must provide guidance to agencies by June 30, 2016, on how to recover from a cyberattack, focusing on potential scenarios to include, but not limited to, a data breach or a destructive malware campaign.
Oct. 30, 2016 – Information Sharing
Within 12 months, agencies must begin working with DHS’s National Cybersecurity and Communications Integration Center (NCCIC) to implement an information sharing program.
Continuous Diagnostics and Mitigation (CDM)
In the CSIP, Scott and Donovan clearly state that they want to speed up deployment of the CDM program. The CSIP directs DHS to work with NIST’s Cybersecurity Center of Excellence to improve the CDM program by developing “solutions and guidance related to CDM including providing technical guidance, best practices, sample implementation plans, and capability assessment methodologies within two months.”
DHS will complete phase two of CDM implementation by the end of fiscal year 2016.
Within three months, OMB will release a plan to implement new cybersecurity shared services including: identity, authentication, and authorizations services; mobile security services; network segmentation services; digital rights management services; and encryption services.
Protecting Federal Employees
Within three months, OPM must deliver recommendations to OMB for making identity protection services a standard benefit for Federal employees.