As news of the full scope of the breach of Office of Management and Budget systems emerges, Federal CIO Tony Scott launched a government-wide Cybersecurity Sprint on June 12, giving agencies 30 days to shore up their systems.
During the 30-day sprint, agencies are encouraged to patch all known vulnerabilities; use information provided by Homeland Security to identify and mitigate known threats; limit the number of privileged users and tighten access controls; and "dramatically accelerate" the use of personal identity verification (PIV) cards and other forms of multifactor identification.
Agencies will have to report to OMB and DHS if they are unable to accomplish any of these tasks within the 30-day window. Agencies will also have to report on their progress at the end of the sprint, as well as any challenges encountered.
"One of the big challenges of our time is cybersecurity," Scott said during the opening keynote of the CIO Council IT Symposium on June 15.
"Most of the systems, most of the technology you and I use every day was designed and architected in the 1970s or 1990s," he said, noting even newer systems are built on the same framework. "It's kind of like trying to put airbags on a '65 Mustang — it just wasn't designed for security, wasn't designed for safety."
Future systems need to be designed with cybersecurity at the center, Scott said, however agencies must also work to secure existing systems and protect federal information today.
The sprint includes eight priority areas for agencies to focus on:
- Protecting Data: Better protect data at rest and in transit;
- Improving Situational Awareness: Improve indication and warning;
- Increasing Cybersecurity Proficiency: Ensure a robust capacity to recruit and retain cybersecurity personnel;
- Increase Awareness: improve overall risk awareness by all users;
- Standardizing and Automating Processes: Decrease time needed to manage configurations and patch vulnerabilities;
- Controlling, Containing, and Recovering from Incidents: Contain malware proliferation, privilege escalation, and lateral movement. Quickly identify and resolve events and incidents;
- Strengthening Systems Lifecycle Security: Increase inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner; and
- Reducing Attack Surfaces: Decrease complexity and number of things defenders need to protect.
A Cybersecurity Sprint Team was also created, including members from OMB's E-Gov Cyber Unit, DHS, the National Security Council Cybersecurity Directorate and Defense Department. The team is charged with leading a 30-day review of "cybersecurity policies, procedures and practices," and issue a Federal Civilian Cybersecurity Strategy based on their findings.