Feds on '30-day sprint' to better cybersecurity

June 15, 2015 (Photo Credit: Aaron Boyd/Staff)

As news of the full scope of the breach of Office of Management and Budget systems emerges, Federal CIO Tony Scott launched a government-wide Cybersecurity Sprint on June 12, giving agencies 30 days to shore up their systems.

During the 30-day sprint, agencies are encouraged to patch all known vulnerabilities; use information provided by Homeland Security to identify and mitigate known threats; limit the number of privileged users and tighten access controls; and "dramatically accelerate" the use of personal identity verification (PIV) cards and other forms of multifactor identification.

Agencies will have to report to OMB and DHS if they are unable to accomplish any of these tasks within the 30-day window. Agencies will also have to report on their progress at the end of the sprint, as well as any challenges encountered.

"One of the big challenges of our time is cybersecurity," Scott said during the opening keynote of the CIO Council IT Symposium on June 15.

"Most of the systems, most of the technology you and I use every day was designed and architected in the 1970s or 1990s," he said, noting even newer systems are built on the same framework. "It's kind of like trying to put airbags on a '65 Mustang — it just wasn't designed for security, wasn't designed for safety."

Future systems need to be designed with cybersecurity at the center, Scott said; however, agencies must also work to secure existing systems and protect federal information today.

The sprint includes eight priority areas for agencies to focus on:

  • Protecting Data: Better protect data at rest and in transit;
  • Improving Situational Awareness: Improve indication and warning;
  • Increasing Cybersecurity Proficiency: Ensure a robust capacity to recruit and retain cybersecurity personnel;
  • Increase Awareness: Improve overall risk awareness by all users;
  • Standardizing and Automating Processes: Decrease time needed to manage configurations and patch vulnerabilities;
  • Controlling, Containing, and Recovering from Incidents: Contain malware proliferation, privilege escalation, and lateral movement. Quickly identify and resolve events and incidents;
  • Strengthening Systems Lifecycle Security: Increase inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner; and
  • Reducing Attack Surfaces: Decrease complexity and number of things defenders need to protect.

A Cybersecurity Sprint Team was also created, including members from OMB's E-Gov Cyber Unit, DHS, the National Security Council Cybersecurity Directorate and Defense Department. The team is charged with leading a 30-day review of "cybersecurity policies, procedures and practices," and issuing a Federal Civilian Cybersecurity Strategy based on its findings.
