US government CIO Tony Scott has announced a new plan designed to bolster cybersecurity among federal civilian agencies, following a series of damaging data breaches across departments.
The Cybersecurity Strategy Implementation Plan (CSIP) focuses on five objectives, Scott wrote in a blog post on Friday.
These are: identification and protection of high value assets and information; timely detection of and response to incidents; rapid recovery from incidents; recruitment and retention of the best infosecurity talent; and better use of new and existing technologies.
“Across the Federal Government, a broad surface area of legacy systems with thousands of different hardware and software configurations contains vulnerabilities and opportunities for exploitation. Additionally, each Federal agency is responsible for managing its own IT systems, which, due to varying levels of cybersecurity expertise and capacity, generates inconsistencies in capability across government.
CSIP directs a series of actions to improve capabilities for identifying and detecting vulnerabilities and threats, enhance protections of government assets and information, and further develop robust response and recovery capabilities to ensure readiness and resilience when incidents inevitably occur.”
The security enhancements don’t end at CSIP.
Scott revealed that the Office of Management and Budget was also issuing guidance to agencies on the Fiscal Year 2015 – 2016 Federal Information Security Modernization Act (FISMA) and Privacy Management.
Crucially, the guidance will define for the first time what qualifies as a “major” incident and direct agencies to report such incidents to Congress within seven days.
The initiative follows the OMB’s 30-Day Cybersecurity Sprint—an attempt to quickly address some of the biggest security failings at the heart of government, which were exposed in the OPM hack.
That effort appears to have borne fruit: the use of strong authentication by federal civilian agencies has risen 40% this year, to over 80%.
However, Scott warned that security is a continuous process of evolution, with “no one-shot silver bullets.”
“Cyber threats cannot be eliminated entirely, but they can be managed much more effectively,” he added. “CSIP helps get our current Federal house in order, but it does not re-architect the house.”