United States: OMB Cybersecurity Plan: What Gov't Contractors Should Know

As part of its ongoing effort to combat cyberattacks on the federal government, the White House issued, on Oct. 30, 2015, a "Cybersecurity Strategy and Implementation Plan" that directs federal agencies to undertake a series of actions to identify and address cybersecurity threats. Although the CSIP is primarily directed at federal agencies, federal government contractors also will be affected by the initiatives that are set forth in the CSIP. And, although the acronym-loaded, technical-jargon-heavy CSIP will make even the most sophisticated government contractors' (and seasoned attorneys') eyes glaze over, the new reality is that federal contractors that are not up to speed on federal cybersecurity laws, policies and developments (such as the CSIP) risk getting left behind by their competitors — or worse, risk being unprepared to confront cyberthreats. This article aims to provide a brief, user-friendly overview of the CSIP's key features.

Background

On June 12, 2015, in response to a series of highly-publicized cybersecurity breaches at the Office of Personnel Management, the White House Office of Management and Budget formally announced a "30-day Cybersecurity Sprint" initiative, which was directed at assessing and improving federal cybersecurity and protecting federal systems against evolving cyber threats.¹ As part of the initiative, the OMB instructed federal agencies to immediately take a number of steps to "further protect Federal information and assets and improve the resilience of Federal networks."² In particular, the OMB directed federal agencies to, among other things:

• Immediately "deploy indicators" provided by the U.S. Department of Homeland Security regarding "priority threat-actor Techniques, Tactics, and procedures to scan systems and check logs;"
• Promptly patch critical system vulnerabilities;
• Tighten policies and practices for "privileged users;" and
• Accelerate implementation of "multi-factor" system authentication.³

In connection with the "30-day Cybersecurity Sprint" initiative, the OMB also established a "Cybersecurity Sprint Team," which was instructed to lead a 30-day-long review of the federal government's cybersecurity policies, procedures and practices.⁴ The OMB also directed the Cybersecurity Sprint Team to "create and operationalize" at the end of the 30-day review "a set of action plans and strategies to further address critical cybersecurity priorities and recommend" a federal civilian cybersecurity strategy.⁵

On Oct. 30, 2015, the OMB issued the CSIP, which "is the result of [the] comprehensive review of the Government's cybersecurity policies, procedures and practices by the [Cybersecurity] Sprint Team."⁶ The CSIP sets forth the following six primary objectives: (1) prioritization of identification and protection of "high value information and assets;" (2) timely detection and "rapid response" to cyberincidents; (3) "rapid recovery" from cyber incidents when they occur and "accelerated adoption" of lessons learned; (4) recruitment and retention of the "most highly-qualified Cybersecurity Workforce talent the Federal Government can bring to bear;" and (5) "efficient and effective acquisition and deployment of existing and emerging technology."⁷ In addition, the CSIP sets forth various actions that are to be taken in furtherance of each of the six primary objectives. These objectives (and certain key actions under the objectives) are discussed below.

The CSIP In A "Nutshell"

Objective 1: Prioritization of Identification and Protection of "High Value Information and Assets"

The CSIP directs the director of national intelligence to identify by Dec. 31, 2015, appropriate interagency resources to lead a threat assessment of federal "high value assets" (or "HVAs") that are at "high-risk of targeting by adversaries."⁸ Additionally, the CSIP provides that the DHS simultaneously will lead a team, "augmented by" the U.S. Department of Defense, the intelligence community and other "agency resources" as needed, to "continuously diagnose and mitigate the cybersecurity protections around the HVAs that were identified during the 30-day Cybersecurity Sprint."⁹ Moreover, the CSIP directs federal agencies to accelerate the implementation of capabilities and tools to identify risks to their systems and networks, to include the DHS Continuous Diagnostics and Mitigation Program.¹⁰

Objective 2: Timely Detection and "Rapid Response" to Cyberincidents

The CSIP provides, among other things, that the DHS will build on the current Einstein program — which provides "network perimeter protection" — to implement advanced protections beyond the "current signature-based approach."¹¹ The CSIP also states that the OMB, together with the DHS, will initiate a 30-day review of current trusted Internet connection architecture and baseline controls.¹² In addition, the CSIP states that the OMB will provide federal civilian agencies with incident response best practices.¹³ Of particular relevance to federal contractors, the CSIP directs the General Services Administration to "research contract vehicle options and develop a capability to deploy incident response services that can quickly be leveraged by federal agencies, on a reimbursable basis."¹⁴

Objective 3: "Rapid Recovery" From Cyberincidents When They Occur and "Accelerated Adoption" of Lessons Learned

The CSIP directs the National Institute of Standards and Technology to provide guidance to agencies by June 30, 2016, on how to recover from a cyberattack, "focusing on potential scenarios" that include "a data breach or a destructive malware campaign."¹⁵ The CSIP also directs the OPM to issue, within three months, recommendations for making identity protection services a standard federal employee benefit.¹⁶ Furthermore, the CSIP directs the OMB to update by March 31, 2016, its policies, set forth in OMB M-07-16, to "reflect current best practices and recent lessons learned regarding privacy protections and data breach standards."¹⁷

Objective 4: Recruitment and Retention of the "Most Highly-Qualified Cybersecurity Workforce Talent the Federal Government Can Bring to Bear"

The CSIP directs the OPM and OMB to compile and provide guidance on, by Dec. 31, 2015, existing "Special Hiring Authorities," by agency, that can be used to hire cybersecurity and information technology professionals across the government.¹⁸ The CSIP also directs agencies to identify by Dec. 31, 2015, their "top five cyber talent gaps" — something to which contractors should pay particular attention.¹⁹ Additionally, the CSIP directs the DHS to begin "piloting their Automated Cybersecurity Position Description Hiring Tool" across the federal government.²⁰ Further, the CSIP directs the OMB, DHS and OPM, in coordination with other relevant agencies, to develop, within six months, recommendations for federal workforce training and professional development "in functional areas outside of" cybersecurity and IT that "support cybersecurity efforts."²¹

Objective 5: "Efficient and effective acquisition and deployment of existing and emerging technology."

The CSIP directs the OMB, in coordination with other agencies, to develop by March 31, 2016, recommendations for "strengthening and better coordinating the collective ability of Federal civilian departments and agencies to identify, acquire, and rapidly implement innovative commercially-available cybersecurity products and services."²² The CSIP also directs the GSA to develop a "procurement capability" to allow federal agencies to access the technology at any known "Federal technology incubator."²³ The CSIP additionally directs the Federal Chief Information Officer Council to create by Dec. 31, 2015, an "Emerging Technology Sub-Committee" that will be responsible for facilitating efforts to "expediently deploy emerging technologies at Federal agencies."²⁴

Conclusion

As mentioned above, although the CSIP is primarily directed at federal agencies, federal government contractors also will be affected by the initiatives that are set forth in the CSIP (many of which will be implemented in the very near future). Moreover, as mentioned, the new reality is that federal contractors that are not up to speed on federal cybersecurity laws, policies and issues risk getting left behind from a competitive standpoint — or worse, risk being unprepared to address cyberthreats.

Footnotes

1 See https://www.whitehouse.gov/sites/default/files/omb/budget/fy2016/assets/fact_sheets/enhancing-strengthening-federal-government-cybersecurity.pdf.

Originally published by Law 360.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.