Federal agencies need more help from IT groups within government and from the private sector to mitigate cybersecurity threats, according to Grant Schneider, acting Federal chief information security officer at the Office of Management and Budget.
Schneider said that organizations such as the United States Digital Service and 18F should continue to play a supporting role in working with government red teams that are sent in to help agencies clean up after a significant data breach. The digital service teams could work with agency developers to figure out what went wrong, how it can be fixed, and how to prevent similar issues in the future. USDS and 18F could also build tools for agencies that are more secure on the front end.
“Our legacy environment is just not secure enough. We really are only as strong as our weakest link,” Schneider said at the Akamai Government Forum on March 28.
The private sector can help agencies by ensuring that tools are easy to use, agile, integrated, secure, and affordable, he said. These tools should be able to share information with one another in order to secure the environment.
Schneider’s goals for the future of OMB are to understand each agency’s cybersecurity risk, find ways to modernize IT systems on a limited budget, determine what system architecture is needed to operate effectively, and manage the Federal cybersecurity workforce so that it is tackling the toughest issues.
OMB released the 2016 FISMA report earlier this month, which found that 16 major incidents occurred last year. In this report, the Department of Homeland Security changed the way incidents were tracked in order to focus on the “things that matter,” according to Schneider. Also, in the past year, OMB began the High Value Asset initiative, which asked agencies to document where their most important systems are located and why they are important.
“What’s new about this is taking a governmentwide view,” Schneider said, “to understand where our most important things are across government.”
As the Federal CISO, Schneider focuses on developing and overseeing cybersecurity policies, requiring agencies to protect systems based on the amount of harm that could result from a data breach on those systems, and making sure that agencies comply with policies and guidelines. Schneider said that OMB began dealing with cybersecurity issues by only putting out policy, but now OMB focuses on which systems need protection and whether they are being protected.
Schneider said that cybersecurity issues will continue to be discussed because there continue to be major cyber incidents, the government is more dependent on IT to deliver its mission, the threat surface continues to expand with the advent of the Internet of Things, and malicious tools are more easily attainable.
“Our risk continues to increase,” Schneider said. “We have to look at this as a risk management endeavor.”
Editor’s Note: This story was updated on 3/29. A paraphrased comment attributed to Grant Schneider was adjusted to more accurately reflect his remarks.