The Situation Report: Is This The New Federal CISO?

Federal CISO Decision Imminent

The Situation Report has picked up strong signals from the Old Executive Office Building that Federal Chief Information Officer Tony Scott has made his final decision on who will be the first Federal chief information security officer and plans to make an announcement as early as next week.

If our intelligence is correct, that would place Scott’s public announcement within about 48 hours of Brian Burns’ last day as CISO at the Department of Veterans Affairs. It was also unusual for Veterans Affairs CIO LaVerne Council to announce Burns’ resignation only from his role as deputy director of the Interagency Program Office (IPO). One would think that if your CISO is moving to another government agency, you might address the fact that you are soon to be without a CISO.

While there is one other viable candidate known to The Situation Report to have been on Scott’s short list, Burns certainly has the chops and the background to be a serious contender.

Burns first entered Federal service in 1997, after a 13-year stint in commercial IT. But his government resume is impressive: He’s held senior IT positions at the Department of Defense, Department of the Air Force, Department of the Navy, Department of Education, Department of the Interior, Department of Health and Human Services, Department of Treasury, and the Internal Revenue Service.

Will Burns be the first Federal CISO? I think there’s a better than 50-50 chance he’s the chosen one.

Veterans Data Breach Report

A VA lawn maintenance worker in Bay Pines, Fla., recently came upon a small pile of documents sitting on the lawn outside the VA facility where he worked. Turns out the papers were a Housing and Urban Development Veterans Affairs Supportive Housing (HUD VASH) Veteran contact list.

The employee responsible for leaving the documents on the lawn has been disciplined, according to the VA report on the incident. However, a privacy violation memo was issued and 103 veterans were notified that their personal information was involved.

Veterans’ personal data seems to be in constant danger at VA, from the lawns in front of facilities to even the highways. Last month, the VA’s Data Breach Core Team opened an investigation into a VA employee who left an envelope full of unapproved claims, billing documents, and tort claims information on the top of a car. The employee then drove off and went home.

The documents were found by an unknown citizen spilled across a section of highway nowhere near the VA facility. The VA sent 28 veterans an offer of free credit protection services.

Of course, things could be worse. A VA facility in Hampton, Va., lost three encrypted hard drives in April. As of the latest security incident report, they remain unaccounted for. VA is not concerned about the drives because they were encrypted. In addition, there were two other similar incidents that took place during the same reporting period, but VA left them out of the report “because of repetition.”

Shadow Cloud

Should Burns get the nod for the Federal CISO post, he will have his hands full when it comes to gaining control of unauthorized government cloud services.

One of my remote Silicon Valley listening posts recently detected a serious disturbance in the Federal cloud computing force. A recent assessment of a major government agency “with very strict cloud usage policies” uncovered more than 3,000 “unique, unsanctioned cloud services” that were being accessed routinely over a three-week period. Some of the things discovered included private storage devices that were used for backing up data, and “hundreds of risky data sharing, collaboration, and social media sites.”