The President announced the Cybersecurity National Action Plan (CNAP) on February 9, 2016, which called for a significant increase in funding and a major reorganization of cyber activities within the Government. This cybersecurity mandate has spawned conferences and meetings on both coasts discussing technologies and policy issues related to the CNAP initiative.
As cybersecurity experts begin to plan reorganizations and cyber protocols to meet the CNAP guidelines, we realize there are several “elephant in the room” topics that are hard questions for the Government and contractors who make up the ecosystem of the Federal marketplace.
These are eight questions for Federal cybersecurity that will need to be addressed in the upcoming year.
8 Questions for 2016 Federal Cybersecurity National Action Plan (CNAP)
1. HARD QUESTIONS FOR FEDERAL CYBERSECURITY IN 2016
“Elephant in the room” topics for the Government and contractors who make up the information technology ecosystem of the Federal marketplace.
2. These are eight questions regarding the Federal Cybersecurity National Action Plan (CNAP) that will need to be addressed in 2016.
3. Who owns the data… and where is it located?
• The Federal Government has data on every citizen in the U.S. This personal data is spread across hundreds of agencies. Which agency has primary ownership of that data?
• Is the most critical information (health records and security background data) protected better than general information such as the seating chart for the upcoming holiday party?
4. Should the Government require contractors to have cyber insurance?
• Government contractors create, manage and process billions of critical records in support of the Federal government. If a contractor is hacked, who pays for the system recovery, data monitoring services, public relations, etc.?
• If the breach bankrupts the company, is the Government responsible for this cost?
• Should the Government require insurance to share this risk?
5. Can the Government use past cyber breaches in the source selection of contractors?
6. Should products have a cyber rating as part of the Government supply chain evaluation?
• From automated buildings to medical devices, the Federal government has an enormous supply chain for products and services. Recent events surrounding medical devices have shown that certain devices are not only threats to patients but to the networks they are connected to. Should each item in the chain have a cyber rating or evaluation?
• Is it time for a UL-like rating to be applied to all devices purchased by the Government?
7. Is the process of fair bidding more important than acquisition and implementation speed?
• Unlike many commercial entities, a basic construct of Federal contracting is that competition is open and fair to qualified vendors. Given that most cyber products are only a few years old and that the threat is changing daily, is trying to provide fair opportunity to service and product providers (and therefore slower) putting the Federal systems at risk?
• Would the faster purchase of a “good enough” solution be better than using a slower path to buy the best solution?
8. What is the value of a cyber solution?
• Anybody that attended the recent RSA Conference in San Francisco saw booth upon booth of new cybersecurity products. Exactly how does the Government determine if one product is worth more than another?
• Is spending a million dollars on a new technology going to get ten times more protection than a solution that costs ten thousand?
9. How does Government deal with cyber breach information sharing and the inherent conflict with outside legal counsel?
• In the end, there is always a legal component to major issues that confront the nation. Cyber is no different. A key element of the Government’s approach is greater sharing of incidents and threats to shorten the time of response and protection.
• How do you get greater cyber breach information sharing and legal protection at the same time?
10. Who cleans up the mess of a cybersecurity breach?
• In the commercial world, there is a rapid growth of outside cyber breach response teams who work with companies that have been hacked to get them quickly back up and running. A key component of this strategy is that the breach response team is an outside entity.
• Who is this entity for a Federal agency?
• Should this responsibility rest with on-call contractors or with an on-call Federal group?
11. Evolver has approaches to many of the questions surrounding cybersecurity for Federal agencies.
12. CYBERSECURITY TEAMS
Evolver's cybersecurity teams currently protect tens of thousands of Government and commercial clients.
Our specialization is in protecting highly critical, large data and transactional enterprises.
Our experience spans more than 15 years.
13. Cybersecurity Approach
Includes tools to
– Identify
– Measure
– Track
– Reduce
cybersecurity risks
14. Click here for a downloadable PDF of the 8 Hard Questions for Federal Cybersecurity (CNAP)
15. Chip Block
Vice President
1943 Isaac Newton Square
Reston, VA 20190
703-889-9353
cblock@evolverinc.com
www.evolverinc.com