The Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) will be bringing together all of the federal chief information security officers (CISOs) within the next month for a tabletop exercise focused on operational resilience.
Michael Duffy, the acting federal CISO, shared that news at the Billington CyberSecurity Summit in Washington, D.C. Duffy also chairs the Federal CISO Council, the primary body for interagency CISO collaboration and communication.
“In the next month, I’m convening all CISOs together to have a tabletop exercise on operational resiliency. This is a readiness focus where we say, not just technology – we’ve spoken a lot about mechanisms and technical capabilities – but just process-wise,” Duffy said.
Duffy, whose office sits within OMB, explained that the exercise will help CISOs answer critical questions, such as if they have “the right people on call” if a cyber incident were to occur, or if they “know what collaboration looks like if a major incident happens within the agency.”
“Convening all department-level CISOs to have that frank conversation through a tabletop exercise that OMB is working with CISA [on] right now, that’ll make a difference,” he said. “That’ll help me better understand where we need to shape the policy perspectives, the changes in the mechanisms that we have as an interagency for the foreseeable future.”
Duffy stressed the importance of having “that informed state” in order to move forward and close any operational readiness gaps.
As the chair of the Federal CISO Council, Duffy said that one of his main priorities for the council is figuring out how to increase operational resilience.
He explained that the United States cannot afford to wait for the next cyber crisis to define “what the next 10 years” of cybersecurity policy looks like.
“A lot of the past decade has been shaped by, whether it’s the [Office of Personnel Management] breach or the SolarWinds compromise, or you name it, we found policy remedies for a series of really hard challenges for the federal government and found ways to increase our cyber resiliency and defense along the way,” he explained.
“The challenge right now is we can’t wait to see what’s next. We have to start acting now,” Duffy said.