Executive Order Holds Agency Heads Responsible for Cyber Risks

Guest editorial by Richard Smith, CACI Vice President for Enterprise IT, and Dabney Kern, CACI Senior Vice President for Homeland and National Defense

The recently released 2018 federal budget includes an Executive Order that holds department and agency heads responsible for cybersecurity risk to their networks.

The good news is that agency heads are now empowered and incentivized to prioritize IT and security budgets.

CACI develops systems empowered by precision technologies to exploit emerging threats and protect platforms, such as smartphones, aircraft, UAVs, and vehicles.

The challenge will be to ensure they have adequate funding to address the risks.

The Congressional budget process appropriates money to specific programs, rather than to agencies as a whole, which means many agencies don’t have programs that directly fund cybersecurity – or even information technology writ large.

Agency security organizations are given the authority, but often lack the resources to adequately protect assets.

Cybersecurity is frequently embedded under general security programs and rarely receives prioritization in funding.

Adding to the problem is a lack of standardization in cyber protection, which has become the “kryptonite” of our federal agency networks.

Without a cyber-specific budget and clear, standardized processes and tools, every appropriated program is left to implement security policies in its own manner, resulting in an uneven – and leaky – patchwork of solutions.

Steve Rice, DHS Acting Chief Information Officer (CIO)

As Steve Rice, DHS Acting Chief Information Officer (CIO), pointed out, improving information security by moving to Windows 10 is the easy part, but “if one component doesn’t get it done, that’s a security risk to the entire department.”

The Executive Order directed agencies to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework for Risk Management and gave them just 90 days to send a risk management report to DHS.

This is a heavy lift for agencies, but those that are taking part in the DHS Continuous Diagnostics and Mitigation (CDM) program have a big advantage.

The program helps federal agencies monitor the health of their networks via DHS-installed sensors that search for known cyber flaws and feed the results into a local dashboard.

Agency executives can then view the overall health of their network and drill down to identify, prioritize, and address any weak links.

The dashboards provide alerts that enable agencies to efficiently allocate resources based on the severity of the risk, a critical step forward.

The Executive Order charges DHS with coordinating the response to cyber incidents that have catastrophic effects.

(President Trump Signed Executive Orders on Cybersecurity. Courtesy of FOX 10 Phoenix and YouTube. Posted on Jan 31, 2017)

In addition, the agency was given 90 days to report on the technical feasibility of transitioning all federal agencies to one or more consolidated network architectures and shared IT services.

If implemented, this would represent a sea change in the way that federal IT networks are managed and cybersecurity policies are implemented, but the budgetary implications are still unclear.

Until adequate funding is put in place, agency CIOs can leverage the CDM program to more efficiently allocate their IT resources.

For example, the dashboards provide a snapshot of where software is installed and whether it is out of date or rarely used.

The efficiencies gained by consolidating software licensing, automating processes, and moving applications and data to the cloud will help agencies pay for a more effective, standardized cybersecurity posture that will better protect agency assets and citizen information.

(At CACI, America’s missions are our missions. We’re a top-tier company providing high-value information solutions across 11 distinct market areas. For over 55 years, we’ve delivered operational excellence and innovation to our customers in the defense, intelligence, homeland security, and federal civilian communities. Courtesy of CACI International and YouTube)

Richard Smith, CACI Vice President for Enterprise IT

About the Authors:

Richard Smith is CACI Vice President for Enterprise IT and is also a former CISO and IT Executive at DHS/TSA.

Dabney Kern is CACI Senior Vice President for Homeland and National Defense and is a former executive in DHS, NSC, and Director of the White House Military Office.