The White House Office of Management and Budget will shortly issue new guidance to federal departments and agencies on protecting their highest value IT assets from cyberattacks — and is looking at consolidating the IT systems of smaller agencies into a single network to save money and improve security.
OMB official Trevor Rudolph told the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board that the initiatives were outgrowths of President Barack Obama’s Cybersecurity National Action Plan, rolled out in February. A key element of CNAP was an instruction to agencies “to identify and prioritize their highest value and most at-risk IT assets and then take additional concrete steps to improve their security,” according to a White House fact sheet.
“This is the first time in the unclass[ified] space that the government has inventoried all of the [IT] assets … that an adversary would be particularly interested in and then we’ve independently verified the security protections around those assets,” Rudolph told the board. Importantly, he added, this was done “from an enterprise-wide perspective, not an agency-centric view.”
The forthcoming guidance on high value assets, or HVAs — due in “a couple of weeks” — was necessary to “instantiate this program for the long run.”
“This needs to happen on a continuing basis,” he said, not least because the definition of HVAs might change or evolve over time.
“We recognize that having a fact sheet on the White House website is not sufficient for a program’s survival through a presidential transition,” he said, so OMB aimed at publishing several “foundational documents, signed by our director” that would set policy throughout the federal government until it was overturned by a subsequent administration.
Similar guidance on modernizing legacy IT was published Thursday, FedScoop reported.
The HVA guidance, Rudolph said, will tell agencies “exactly how they’re to identify those assets, routinely protect those assets and what the relationship should be” between their IT teams and those from the Department of Homeland Security so that “remediation efforts happen in a coordinated fashion.”
But, “Is it enough to just better coordinate our existing efforts?” Rudolph asked.
Centralizing IT provision is much more controversial, and Rudolph told reporters after he briefed the board that there was no timeline for issuing any OMB policy on it.
Instead, he said, the agency hoped to produce “a very thoughtful options paper” for the next administration and was working “very closely” with the agency’s transition team on the issue.
“Centralized IT services for small agencies … is an attempt to prove out a concept,” he said, “The concept is, if we centralize IT networking, storage, email and collaboration tools and have a central provider providing all that to agencies we can win out on cost, performance and security. We we may be losing on all of those right now,” he told the board.
“In a post-OPM world, we realized all agencies perhaps shouldn’t be making these decisions” about how much risk to accept and other IT issues, he told reporters afterwards.
“One model or analogy is what [the Defense Information Services Agency] has done in the [Department of Defense] environment,” he said.
“The idea is centralizing risk … so it can be mitigated” through measures like technological control and network segmentation, he added.
He acknowledged that there were barriers, singling out the fact that the recent Federal IT Security Modernization Act, or FISMA, “places that responsibility [for making risk decisions] on each agency head.”
“I’m not saying we have a perfect answer yet, but I think continuing down the status quo path [of agency silo’ed IT] is perhaps not acceptable.”