But the Office of Management and Budget also is using the opportunity to better connect agency performance improvement officers to the Trusted Internet Connections and Homeland Security Presidential Directive-12 efforts, which started with high expectations but have floundered over the last few years. Michael Daniel, the White House cyber coordinator, said giving PIOs better awareness and responsibility over meeting cyber goals has been a missing piece to the puzzle that equals success.
“It was a piece that was at least under developed previously,” said Daniel in an exclusive interview with Federal News Radio. “By bringing these under the formal performance framework, it really can help use that accountability and measurement process to actually drive performance improvement and make sure we are getting the right attention in the agencies to this area. It’s actually emblematic of the emergence of cybersecurity in a whole bunch of policy areas that we’re now putting this on the performance agenda.”
Bringing cyber into mission context
The PIOs often are tied to the financial side of the agency, which would help give these cyber programs the boost they need. Several PIOs also are agency CFOs or deputy CFOs, including at the departments of Interior, Health and Human Services and Treasury.
“It also helps bring the cybersecurity mission in to the context with the mission of the rest of the mission of the agency, and enables everyone to see how it’s not just a cost center for the agencies, but it’s actually a mission enabler,” Daniel said. “If an agency wants to be able to continue to execute its mission, they have to be sure its networks are secure and that they are able to continue functioning and can protect their information. All of those things, in turn, makes cybersecurity now a key mission enabler function, and by tying it into that performance area, you can make that case much more clearly in the resource allocation side of agencies.”
Agencies have been working to implement TIC since 2007 with a goal to reduce the number of Internet access points across the government. At one point, OMB hoped to bring that number down from a few thousand to less than 100.
Departments have been working even longer, since 2004, to implement computer access software that uses the HSPD-12 smart cards.
Daniel said both initiatives, along with the newest one to continually monitor networks, make up the core components of federal cybersecurity efforts.
“Just because they’re not new doesn’t make them not important to achieve. These are really foundational building blocks that will underlie all the rest of our efforts in federal network security,” Daniel said. “I think they really are the most cost effective and efficiency information security controls that we know about now that will really shore up our defenses.”
The White House sent implementation targets for each of these three major initiatives:
Continuous monitoring – By 2014, 95 percent of all agencies must have implemented it. Currently, 78 percent have done so.
Strong authentication – By 2014, 90 percent; currently, 53.7 percent.
TIC consolidation – By 2014, 95 percent; currently 84 percent.
TIC capabilities – By 2014, 100 percent; currently 82.2 percent.
“For example, 18 agencies have already reached the minimum target for the automated asset management piece of the [continuous monitoring goal], which is 80 percent, and 12 have reached the fiscal 2013 target of 95 percent,” Daniel said. “I think what you are seeing is this capability is starting to be put in place and agencies are really beginning to see the value of where they adopted it and they’ve begun to see the value of this in terms of being able to manage their networks much more effectively.”
Additionally, the TIC is not to reduce the number of Internet gateways to a specific figure, but to implement the capabilities to ensure traffic coming into and going out of agency networks are not malicious or infected.
As a byproduct of this effort, Daniel said he expects the number of Internet access points to come down, however.
“The numeric target served a good purpose when it was first created in the sense of it really signaled the direction of where we wanted to go, that we really wanted to get the handle on and get control of all the different places that the federal agencies connected to the public Internet so it served as a very useful baseline to get us started,” he said. “Now, we have set the target in terms of getting the agency’s traffic behind there and we will settle on a number that makes the most sense for the agencies.”
Under the strong authentication goal, agencies will have a bigger challenge. Currently, OMB reports that agencies have handed HSPD-12 cards to 96 percent of all employees who are required to have them. But the usage rate is only at 53 percent after almost a decade since President George W. Bush signed the policy.
“It has not gone as fast as many people had hoped when HSPD was originally issued,” Daniel said. “I think it’s just turned out that as with many complex systems that as we dug deeper into that issue there turned out to be more dependent requirements in there in terms of all the different ways the systems interconnected and all the different ways the systems could interact with that two-factor authentication that people originally understood. Where we are now, I think we have a much better handle on that.”
He added agencies have started to put in place many more of the underlying capabilities needed to make the smart cards work. Agencies also are taking advantage of the lessons from the Department of Defense and the General Services Administration, which have implemented HSPD-12 card enabled systems.
“I think what we will see if an acceleration of implementation across the federal government,” Daniel said. “And certainly, we want to ramp up the implementation across the government over the next two years, really by the FY 2014 date that we are shooting for in the first round of the CAP goals here. I think we will start making some significant progress over the next few months.”
The updated CAP goals also set several short term milestones to be accomplished by March 31 including:
The Homeland Security Department, the GSA and the National Institute of Standards and Technology will develop an education and awareness document focused on communicating the value of smart card usage.
DHS and GSA will charter one or more tiger teams to focus on implementing strong authentication to networks and information systems to include a business case, a methodology to determine cost and savings potential and evaluate current acquisition vehicles and whether new ones are needed.
GSA and NIST will develop a “solutions to PIV implementation barriers” document to accelerate prioritization and implementation of smart card mandatory authentication.
DHS will perform at least three CyberStats, focusing specifically on logical access using smart cards.
GSA, in coordination with DHS and the Commerce Department, will coordinate with the Strategic Sourcing Cross Agency Priority Goal on a roadmap of deliverables to identify commodity IT services and solutions supporting the implementation of the priority cybersecurity capabilities.
“We are putting this on the agenda and we are now publishing the scorecard as part of the regular ongoing process and it will highlight where we are and you can measure progress against that,” Daniel said. “We will be doing that in a transparent and open way like the other CAP goals, and to me that’s an important milestone because it will help shed light on this.”
He added in the long term by accomplishing these goals agencies will have a much deeper understanding of what how secure their systems are and how to adjust to dynamic threats.