On May 19, 2017, the Director of the Office of Management and Budget (OMB), Mick Mulvaney, issued a memorandum holding the Executive Branch’s department heads accountable for managing the cybersecurity risks of their agencies.
Enforcing a recent Executive Order (EO) issued by the White House, the memo requires that each agency adhere to NIST’s Cybersecurity Framework. The overarching rationale of the EO is that the government’s data should be secure and that the White House will hold heads of executive agencies responsible for managing the known and emerging cybersecurity risks to their enterprises.
Mulvaney’s memorandum gives a fairly aggressive timetable for compliance. Agencies are required to submit their “Framework Implementation Action Plan” by July 14 and respond to the OMB’s risk assessment of that agency by August 9. Agencies will then be held accountable for implementing their specific Action Plan.
One of the chief issues that the EO aimed to address was the “known but unmitigated vulnerabilities” that plague the Federal Government. Among these vulnerabilities is the use of software, applications, or operating systems beyond “the vendor's support lifecycle,” which leaves agencies unable to take advantage of security patches. Another is the delay in upgrading to more recent versions of a vendor’s software, which leaves agencies unable to utilize new data security technologies.
As a prime example of not taking advantage of new data security technologies, Federal agencies grappled in 2016 with the fact that SQL Server 2005 would no longer be supported by Microsoft. Let that sink in. For eleven years Federal agencies were using technologies that were increasingly obsolete from a data security standpoint.
This means that for all this time those agencies still on SQL Server 2005 were not able to deploy Column Level Encryption with Extensible Key Management (2008), Transparent Data Encryption (2008), Always Encrypted (2016), Row Level Security (2016), or a host of other data security enhancements.
That is not to say they didn’t find other ways to achieve parity with these features, but it is hard to believe that all that time and effort would be invested in home-grown or third-party solutions instead of simply upgrading to the latest version of SQL Server.
On a more positive note, the Executive Order requires that the OMB use the agencies’ collected reports to aggregate all the information and present it to the White House. This unified report will enable the Executive Branch to identify new technologies needed to mitigate known and emerging threats.
It will also act as a lens through which to identify areas in which agencies could consolidate services “to improve the cybersecurity posture” of the government. Armed with this information, the government could coordinate its efforts to better secure its data.
That being said, the Federal government likely faces an uphill road. In a recent anonymous survey of Federal IT professionals conducted by BeyondTrust, 81% of respondents said that aging IT infrastructure has a large impact on their cybersecurity risk, and 61% said that their IT infrastructure impedes their compliance with cybersecurity mandates. If this is true, the assessments to be completed next month will highlight some major improvements to be made in order to combat the looming threats from state-sponsored and rogue hackers.
The Cybersecurity Framework designed by NIST is a simple and stable way to assess a department’s current data security posture and then chart a path to greater stability. Its five-step approach (Identify, Protect, Detect, Respond, and Recover) offers a roadmap to anticipate likely threat vectors, shore up known vulnerabilities, and recover quickly after an attack.
Hopefully these agencies have already begun the process, as NIST’s Framework was published back in 2014 and has been readily available since. Time will tell how much work they have ahead of them.