Featured Story

The White House recently published an update on progress in defending against cyber threats.

Our Nation's security and economic prosperity depend on the stability and integrity of our Federal communications and information infrastructure. Threats to cyberspace pose some of the most serious challenges of the 21st century for the United States. OMB is working with agencies, Inspectors General, Chief Information Officers, senior agency officials in charge of privacy, as well as GAO and Congress, to strengthen the Federal government's IT security and privacy programs.

Cross-Agency Priority (CAP) Goal: Cybersecurity

The Administration has set a limited number of Cross-Agency Priority (CAP) Goals for both crosscutting policy and government-wide management areas. Cybersecurity is included as one of these goals. This goal is being led by the White House Cybersecurity Coordinator J. Michael Daniel in partnership with agencies across the federal government including DHS, NIST, OMB and others. It is also coordinated with the FY11 FISMA report and FY12 FISMA metrics, which focus on three administration cybersecurity priorities. The three priority areas for improvement within Federal cybersecurity are continuous monitoring of Federal information systems, Trusted Internet Connection (TIC) capability and use, and strong authentication using government-issued identity credentials, such as PIV (Personal Identity Verification) and CAC (Common Access Card) credentials.

The Administration's goal for cybersecurity is that by the end of 2014, Federal departments and agencies will achieve 95% use of these cybersecurity capabilities on Federal information systems. 


Proposed Cybersecurity Legislation

The dramatic increase in cyber crime and the repeated cyber intrusions into our critical infrastructure demonstrate the need for improved security.  The President has noted that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.”  The President has made cybersecurity an Administration priority and welcomes the opportunity to assist Congressional efforts to develop cybersecurity legislation. 

The Administration’s proposal would protect individuals by requiring businesses to notify consumers if personal information is compromised, and would clarify penalties for computer crimes, including mandatory minimums for critical infrastructure intrusions. The proposal would improve critical infrastructure protection by bolstering public-private partnerships with improved authority for the Federal government to provide voluntary assistance to companies and increase information sharing. It also would protect Federal government networks by formalizing management roles, improving recruitment of cybersecurity professionals, and safeguarding the Nation’s access to cost-effective data storage solutions.

This proposal was developed by an interagency team made up of representatives from multiple departments and agencies. Proposed legislation was posted on May 12, 2011 at WhiteHouse.gov.

Strengthening Security Management through CyberStat Model

In 2011, DHS launched CyberStat. Using the TechStat model, DHS cybersecurity experts will now meet with agencies regularly to ensure accountability and to help agencies develop focused action plans to improve their information security posture. CyberStat is grounded in the data provided by CyberScope, among other key data sources about agencies’ information security. The development of clear and consistent metrics for CyberScope has increased the ability of DHS to hold agencies accountable for outcomes. As DHS works with agencies to improve data quality, CyberStat and CyberScope will allow DHS to assist agencies in quickly addressing problems that pose risks.

Continuous Monitoring and Remediation

In Fiscal Year 2011, the shift from the once-a-year FISMA reporting process to monthly reporting of key metrics through CyberScope will give security practitioners more information than ever before to assist in protecting agency information and information systems. In the years to come, this reporting will require minimal human interaction and allow near real-time remediation of many vulnerabilities.

Using Smart Cards for Identity Management

Reforms in electronic business have presented new opportunities to use smart card technology as an enabling tool. Smart card technology offers an additional layer of electronic security and information assurance for user authentication, confidentiality, non-repudiation, information integrity, physical access control to facilities, and logical access control to an agency's computer systems.  With the majority of federal employees and contractors now possessing smart cards, the focus has shifted to leveraging the electronic capabilities of the cards for access to information systems and facilities.

Standardizing Security through Configuration Settings

This year, the Federal government worked to develop new configuration settings. Secure configuration settings allow agencies to reduce risks across their enterprise by deploying settings that are more restrictive than what the manufacturer provides out of the box. When properly implemented, they reduce the risk of exploitation of yet-to-be-discovered vulnerabilities as well as current risks. After deploying standard configuration settings, agencies can more effectively monitor their systems and deploy patches when needed. The Commerce Department’s National Institute of Standards and Technology administers the National Checklist Program (NCP), which maintains the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications. Moving forward, the federal government will evaluate additional products to allow for increased deployment of secure settings across the federal enterprise. NCP products are available at http://checklists.nist.gov/