Since President Trump released his EO a few days ago, we at GuidePoint Security Federal are carefully crafting some strategies for our customers to respond to the requirements detailed in it. This is the first of four blogs outlining some of our guidance. This first blog is about what important take-aways are in the EO and how to best produce an acceptable risk management report in this tight 90-day window. The second blog will offer some “quick hit” products that are the easiest to deploy and close the gaps in a NIST framework, boosting agency scores. The third specifically focuses on what the EO calls the “highest risk” to agencies, which is known, but unmitigated vulnerabilities. The fourth blog will address how the EO defines Cybersecurity Risk Management by mapping specific products, not vendors, to each of the four areas.
The take-aways below are specific to Section 1 and do not cover the entire EO, but outline some important points to note. They do not cover Sections 2 and 3, which are about how agencies in the Executive Branch should support non-government entities, and do not cover Section 4, which offers up some definitions for clarity. It is important to note that this EO covers all Civilian, DoD and IC agencies not part of the Legislative Branch or Judicial Branch of government.

Quick Hits:
- Section 1 b (i) defines Cybersecurity Risk Management as:
  - Protecting IT from unauthorized access
  - Maintaining awareness of threats
  - Detecting anomalies and incidents
  - Mitigating the impact of incidents through response and recovery

  (NOTE: These points closely map to the NIST categories below in Figure 1)
- Section 1 b (iv) Specifically calls out known but unmitigated vulnerabilities as the highest risk to agencies.
- Section 1 b (v) Exhorts agency leadership to personally head integration of typically siloed teams such as IT, security, budgeting, acquisition, policy, and HR for better risk management.
- Section 1 c (i) Agency heads should implement risk management measures to prevent harm from unauthorized:
  - Disruption (of government services)
  - Modification (of government-owned data)
  - Destruction (of government data or IT infrastructure)
- Section 1 c (ii) Establishes the NIST Cybersecurity Framework as the standard measurement to manage cybersecurity risk, overriding any DoD or IC standards. It mandates a risk management report by each agency within 90 days.
- Section 1 c (iii) Establishes both DHS and OMB as the joint assessors of each agency’s report to determine if it is sufficient to manage the cybersecurity risk of that agency. For the first time, it is commanded that DoD and IC agencies must now report to both DHS and OMB as authorities for Cybersecurity.
- Section 1 c (iv) Mandates that OMB and DHS have 60 days from time of receiving each agency’s report to send the President a determination from Section 1 c (iii) and a plan of action going forward for each agency.
- Section 1 c (vi) Mandates that agencies (DoD, IC, and Civilian) move to “shared IT services” which appears to be public or private cloud and requires a report on that effort within 90 days.
Now we will focus on Section 1 c (ii) of the EO, where the President defines the NIST Cybersecurity Framework as the official standard that Executive Branch agencies should be managing their risk against. It then mandates that a report be created by each agency under the President’s authority (which includes Civilian, DoD and IC, but not Legislative or Judicial organizations) within 90 days of the EO being issued.
This means that each agency must be able to show that it can:
- Identify systems, assets, data, and capabilities.
- Protect delivery of critical services.
- Detect threats and attacks defined as cybersecurity events.
- Respond to threats and attacks detected as cybersecurity events.
- Recover from attacks and compromises by maintaining plans for resilience and plans for restoring services.
Anyone who is familiar with government cybersecurity will recognize Figure 1 as the NIST “Functions” graphic from the official NIST.gov Cybersecurity Framework document. This is not new information. However, the question is, “How do I measure myself against this NIST Framework for my report to DHS and OMB?” Some Federal customers we work with are well down the path to delivering on the EO’s reporting mandate; however, some of our customers have previously decided to devote all resources to securing their infrastructure, rather than tracking, for reporting purposes, how they map to the NIST framework.
Following the NIST categories, we recommend agencies start by discovering and profiling to Identify assets, software and vulnerabilities that need to be addressed. Protecting, the next category, requires mapping that information to a current network infrastructure and resolving any high-risk gaps. Detecting threats, Responding to attacks, and Recovering from events involves both technical products and establishing a codified policy inside the agency.
Check out our next blog, which will detail some quick-hit products to improve an agency’s security posture for the last three NIST categories (Detect, Respond, Recover). The first two, Identify and Protect, can be done quickly, if not in place already, to show compliance with the NIST framework before the report needs to be completed. It only requires a comprehensive endpoint profiler and a Network Vulnerability Management solution that consumes asset, vulnerability, and network configuration information and maps them together into something like Figure 2.
Finally, agencies need a Governance, Risk and Compliance (GRC) product that can consume all technical and policy information to produce a comprehensive NIST compliance and risk assessment report. If an agency is already using a GRC product, it simply needs to configure and start running the NIST modules that produce the reporting needed. However, many agencies do not run GRC products yet. GRC products, in general, have developed a reputation for being difficult to stand up and get operating well for something like this; however, there are GRC solutions that are not difficult and cumbersome. GuidePoint has been working with specific GRC products that are designed to stand up, integrate, and provide reporting on modules like NIST compliance status quickly, meeting the needs for responding to the EO.
Contact us at firstname.lastname@example.org for assistance in helping your agency respond with the best possible report to DHS/OMB today!
About the author:
Jean-Paul Bergeaux, Federal CTO, GuidePoint Security
With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp, Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.