CyberUSA
Government Cyber Opportunities for your Region: The Federal Agenda
Federal Grants & Resources Available to Support Community Cyber Initiatives
30 January 2018
Agenda
- Federal Landscape
- Cybersecurity Program
- Federal Funding
- NASCIO Call to Action
- NGA Call to Action
- CIS & MS-ISAC
- Economy of Security
Federal Directives
- May 11, 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
- NIST Risk Management Framework (RMF)
- NIST Cybersecurity Framework (CSF)
- NIST Special Publication 800-53 r5: Security and Privacy Controls for Systems and Organizations
- NIST Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- HIPAA, DoJ CJIS Security Policy, IRS Pub 1075, FERPA
Key Components of a Sound Cybersecurity Program
Approach to Risk-Based Information Security: Risk Management, IT Governance, Privacy, Information Security

Cybersecurity Environment
- FISMA and OMB Circular A-130 are the key drivers for Federal security & privacy, implemented by NIST, DHS, DoD & NSA
- CIOs and CISOs are seeking support at the enterprise and security architecture level, NOT point solutions
- DHS is providing oversight and direction for improved cybersecurity and continuous monitoring under OMB Memorandums M-10-28, M-14-03 and M-15-01, and the EO

Risk Management: identifies the alignment of critical business processes with the technology systems that support them. It serves to focus IT Governance and security investments in the areas contributing most to mission success.

IT Governance: provides the consistency, process, standards, and repeatability needed for effective operations at the lowest possible cost within compliance requirements. Increased IT Governance improves the effectiveness of information security and privacy controls, using risk management practices based on best-practice frameworks such as COBIT, CMMI, ITIL, ISO/IEC & NIST Special Publications and the Cybersecurity Framework.

Information Security: the information security program is managed by the agency Chief Information Security Officer (CISO) according to the FISMA/NIST framework. This framework includes technology, processes, policies, and people under the family of controls outlined in NIST Special Publication (SP) 800-53 and other SPs. IT Governance must achieve a minimal level of maturity in order for the information security program to achieve an acceptable level of risk to operate.

Privacy: within an organization, privacy policies, procedures and controls manage the information lifecycle so that properly designated personnel can access information governed under various privacy laws. Information security and IT Governance directly impact the success of a privacy program.
Evolution to a Predictive/Proactive Cybersecurity Program
[Diagram: Risk Management, IT Governance, Privacy, Information Security; Continuous Monitoring; Cyber Analysis & Security Intelligence; Defensive / Offensive; Reactive: mitigate; Predictive: remediate & prevent]
- What is really important to the organization?
- Is this keeping the CISO from being successful?
- What data is the organization trying to protect, and what privacy compliance requirements must it meet?
- What is the organization trying to protect?
- This evolution is critical to prevention
- NIST SP 800-137 is the guide for conducting continuous monitoring to achieve continuous improvement in security architecture protection
- Continuous Monitoring is the key to evolving from defensive-reactive into defensive-predictive protection through security intelligence
- The George Washington University Center for Cyber and Homeland Security (CCHS) developed a report, "Into the Gray Zone" (https://cchs.gwu.edu/), to clarify Defensive and Offensive security
Federal Funding
- DHS Cybersecurity Grants
- FEMA Grants
- NSF Cybersecurity Education Grants
- Maryland's Robert H. Smith School of Business receives part of a $5M Grant from the NSF for Cybersecurity Education: https://www.rhsmith.umd.edu/news/smith-school-part-5m-grant-nsf-cybersecurity-education
NASCIO: State Governments at Risk!
- States are attractive targets: data!
- More aggressive threats: organized crime, phishing, ransomware, hacktivism
- Nation-state threats, attacks
- Critical infrastructure protection: disruption
- Human factor: employees, contractors
- Data and services on the move: cloud and mobile
- Need for continuous training, awareness
NASCIO: What Do We Know? Patterns of Success
- Enterprise Leadership and Governance
- Statewide Cybersecurity Framework & Controls
- Cybersecurity Culture: A Team Sport
- Know the Risks, Assess the Risks, Measure
- Communicating the Risks: Training
- Invest: Deploy Security Technologies
NGA Paper: Act and Adjust: A Call to Action for Governors for Cybersecurity
- Establishing a governance and authority structure for cybersecurity;
- Conducting risk assessments and allocating resources accordingly;
- Implementing continuous vulnerability assessments and threat mitigation practices;
- Ensuring that the state complies with current security methodologies and business disciplines in cybersecurity; and
- Creating a culture of risk awareness.
https://www.nga.org/cms/home/nga-center-for-best-practices/center-publications/page-hsps-publications/col2-content/main-content-list/act-and-adjust-a-call-to-action.html
- CIS Benchmarks: Proven benchmark guidelines to protect 100 distinct systems and platforms
- CIS Controls: 20 prioritized controls to beat the vast majority of the most common attacks
- CIS-CAT Pro: Automated configuration assessment tool
- MS-ISAC Mission: To improve the overall cybersecurity posture of the nation's state, local, tribal and territorial governments through focused cyber threat prevention, protection, response, and recovery
The Economy of Security: How Physical and Cyber Security Drive Economic Vitality
- Economic vitality requires security
- Security challenges to economic vitality
- Case Study: Securing national registration
- Global IT Risk Study: IT managers and CIOs agree that security has economic benefits
- The drivers of economic vitality
- Building security intelligence into economic development
- A three-point plan for security intelligence:
  - Get informed. Take a structured approach to assessing business and IT risks.
  - Get aligned. Implement and enforce security excellence throughout the organizations, divisions, departments and agencies that make up local, municipal, regional and national governments.
  - Get smart. Use analytics to proactively highlight risks and identify, monitor and address threats.
- Conclusion: Turn strategies into action
https://www.ibm.com/blogs/insights-on-business/government/the-economy-of-security-how-physical-and-cyber-security-drive-economic-vitality
Thank You!
Contact Information
John Lainhart, Director
P: 703.837.4510
E: john.lainhart@us.gt.com