After reading through the CyberSecurity Strategy and Implementation Plan (CSIP) I was impressed with its scope and relatively clear terminology, acronyms notwithstanding, and how it outlined federal strategy. I expect the timelines to be challenging, though.
Working in a multi-national, Fortune 500 company, I know that if you don’t already have some information collected and maintained, you may set yourself up for failure and deception when you set arbitrary deadlines. The first such deadline assigned by the CSIP is November 13, this upcoming Friday.
Determining what is considered a “high value asset” can be difficult for a number of reasons, including the following.
- Lack of knowledge of the evaluators as to the data and/or processes for which a system is responsible.
- Lack of knowledge of upstream/downstream impacts from a system.
- Political pressure to rank systems by importance as though valuation of systems was a zero-sum game.
I don’t doubt the talent and motivation of most people involved in this venture. My exposure to federal cybersecurity and information systems personnel has impressed me. I am concerned with the collection and collation of this information, however.
Although the Federal Incident Response Best Practices (shown in Objective 2 and targeted for October 30, 2015) had a shorter delivery time, they also had a different path to delivery; namely, I would expect less internecine arguing over well-known, industry-vetted responses. Determining that an asset is of high value can involve negotiation of terms and an understanding of the asset and its connections to other assets.
Objective 4: Human Resources is also concerning, since it asks agencies to report their cybersecurity personnel needs, but much of the guidance on implementing best practices for protection and response isn’t scheduled to be updated and redistributed to agencies before March 31, 2016 or June 30, 2016 (per § 3, parts a & b, page 17 of 21). This would seem to invite agencies to inflate their headcount before knowing specific responsibilities.
I am interested in seeing both the contract delivered in Objective 2: Detect and the guidance delivered in Objective 3: Respond, as those should be informative for how we might formulate similar corporate artifacts. My biggest interest is in the results of the subcommittee on emerging technology that is the goal of Objective 5: Technology. It seems pretty well accepted that information security and risk management, as they’ve been implemented in recent history, have a tenuous relationship with fast-to-market frameworks, methodologies, and technologies such as Agile, Scrum, Kanban, Lean, etc. My hope is that the subcommittee named in Objective 5 will take options from the public sector, vet them according to their stringent requirements, and publish a good framework for integrating rigorous security standards with rapidly responsive segments of information technology.