Cybersecurity Priorities and Roadmap:
Recommendations to DHS
John M. Gilligan
November 20, 2009
(Subset of original charts)
Topics
• Background
• Framework for addressing cyber security
• Roadmap
• Summary
Background for Roadmap
• Assessing cyber threats (and therefore risks) requires
extensive experience and access to highly classified
materials
– It is unreasonable to expect most organizations to assess
threats/risks.
• The technical aspects of Cybersecurity are enormously
complex:
– Cybersecurity will require significant increase in levels of
discipline in systems/enterprise management
– Guidance must be simple and clearly stated.
• The overall state of cybersecurity is so poor that it cannot
be solved quickly:
– Near term objective should be to establish a foundation upon
which we can build
– Cannot do everything at once; we must prioritize/focus
Cybersecurity Solution Space
1. Technology improvements (e.g., fewer defects,
locked-down configurations, new protocols)
2. Architecture improvements (e.g., changed
component interactions, reduced access, use
of virtualization)
3. Management improvements (e.g., policies,
training, reporting, collaboration)
A Simple Framework for Addressing Cybersecurity
[Figure: a 2x2 matrix. Horizontal axis: MISSION/FUNCTION CRITICALITY (Low to High). Vertical axis: THREAT (Unsophisticated to Sophisticated).]
Top Level Cybersecurity Strategy
[Figure: the same MISSION/FUNCTION CRITICALITY (Low to High) by THREAT (Unsophisticated to Sophisticated) matrix, with three strategy regions marked: Implement Comprehensive Baseline of Security (applies across the whole matrix); Deploy Targeted Advanced Security Controls (high criticality, sophisticated threat); Accept Risk (the remaining low-criticality region under sophisticated threat).]
Top Level Cyber Security Strategy
(NOTE: added from another briefing)
[Figure: the same MISSION/FUNCTION CRITICALITY (Low to High) by THREAT (Unsophisticated to Sophisticated) matrix, with the baseline region labelled Comprehensive Baseline of Security (a "well managed" IT infrastructure), plus the Deploy Targeted Advanced Security Controls and Accept Risk regions.]
Elements of the baseline called out on the chart:
• TIC
• Training for Sys Admin
• 2-Factor Authentication
• 20 Critical Controls
• FDCC+
• SCAP
• DNSSEC, S-BGP
• Threat/Vul Collaboration
Result: Blocks 85% of attacks and provides foundation to address remaining/new
attacks (Ref: Dick Schaeffer, NSA/IAD)
Phase-I: Initial Baseline Security
(Next 12 months)
• Technical
  – Mandate organization/enterprise-wide systems/asset management (discipline)
  – 20 Critical Controls (with agency additions as appropriate)
  – Locked-down configurations (FDCC extended to all products)
  – More secure versions of Internet protocols (DNSSEC, S-BGP, etc.)
  – Mandate SCAP for tools and systems
  – Require two-factor user authentication
• Architecture
  – Complete Trusted Internet Connections (TIC) initiative
  – Implement federated identity (built on HSPD-12 and two-factor
    authentication)
• Management
  – Focused training for system/network administrators
  – More robust collaboration regarding threats, attacks, incident
    reporting/response (phased expansion: Fed-Fed; State; Private)
  – User identification policies for federated identity
Result: Block 85% of attacks and provide foundation to address
remaining/new attacks (Ref: NSA IAD)
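The baseline above rests on locked-down configurations (FDCC) that SCAP-conformant tools check automatically. Added here as a worked example, not part of the briefing and not real SCAP content: a simplified stand-in for what such a scanner does when it evaluates one host against a benchmark. An XCCDF-style rule list carries an expected value and a weight per rule, each rule has an OVAL-style check, results use XCCDF result strings, and a weighted score is computed. The rule ids, setting names and host state are constructed for illustration; a real benchmark is XML content evaluated by a validated tool. The point a practitioner should take from it is the handling of the unknown: a setting that was never collected is reported as notchecked, not as a pass.

```python
"""Simplified SCAP-style baseline check (added example; not from the briefing).

A locked-down configuration (FDCC-style) is expressed as a list of rules, each
with an expected value and a weight, the way an XCCDF benchmark pairs rules
with OVAL checks. The collected host state is a flat dict of setting -> value;
the sample below is constructed for illustration and stands in for what a
SCAP-validated scanner would gather from the registry, sysctl or config files.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str      # hypothetical id, modelled on XCCDF rule naming
    setting: str      # key in the collected host state
    expected: Any
    weight: float = 1.0   # XCCDF rules carry a weight that feeds the score
    # default check is equality; a predicate expresses "at least"/"at most"
    test: Callable[[Any, Any], bool] = lambda actual, expected: actual == expected


# Constructed baseline, loosely modelled on FDCC-era desktop settings.
BASELINE: List[Rule] = [
    Rule("xccdf_example_rule_autorun_disabled", "NoDriveTypeAutoRun", 0xFF),
    Rule("xccdf_example_rule_firewall_on", "FirewallEnabled", True, weight=2.0),
    Rule("xccdf_example_rule_guest_disabled", "GuestAccountEnabled", False),
    Rule("xccdf_example_rule_min_pw_len", "MinimumPasswordLength", 12,
         test=lambda actual, expected: actual >= expected),
    Rule("xccdf_example_rule_lockout_threshold", "LockoutBadCount", 5,
         test=lambda actual, expected: 0 < actual <= expected),
    Rule("xccdf_example_rule_smb_signing", "RequireSecuritySignature", True),
]

# Constructed host state: two settings drift from the baseline and one
# (SMB signing) was never collected.
SAMPLE_HOST_STATE: Dict[str, Any] = {
    "NoDriveTypeAutoRun": 0xFF,
    "FirewallEnabled": True,
    "GuestAccountEnabled": True,      # drift: guest account left enabled
    "MinimumPasswordLength": 8,       # drift: below the 12-character floor
    "LockoutBadCount": 5,
}


def evaluate(baseline: List[Rule], state: Dict[str, Any]) -> Dict[str, str]:
    """Evaluate every rule and return {rule_id: result} using XCCDF-style
    result strings. A setting absent from the collected state is reported as
    'notchecked', never as a pass: unknown state must not count as compliant.
    A check that cannot be applied (e.g. a string where a number was expected)
    is reported as 'error' for the same reason."""
    results: Dict[str, str] = {}
    for rule in baseline:
        if rule.setting not in state:
            results[rule.rule_id] = "notchecked"
            continue
        try:
            passed = bool(rule.test(state[rule.setting], rule.expected))
        except TypeError:
            results[rule.rule_id] = "error"
            continue
        results[rule.rule_id] = "pass" if passed else "fail"
    return results


def score(baseline: List[Rule], results: Dict[str, str]) -> float:
    """Weighted compliance score in [0, 100], in the spirit of the XCCDF
    default scoring model: each passed rule contributes its weight, failed and
    errored rules contribute nothing, and rules that were not checked are left
    out of the denominator so that they neither inflate nor hide the score."""
    scored = [r for r in baseline
              if results.get(r.rule_id) in ("pass", "fail", "error")]
    total = sum(r.weight for r in scored)
    if total == 0:
        return 0.0
    earned = sum(r.weight for r in scored if results[r.rule_id] == "pass")
    return round(100.0 * earned / total, 2)


def non_compliant(results: Dict[str, str]) -> List[str]:
    """Rule ids needing attention: failed, errored or never checked."""
    return sorted(rid for rid, res in results.items() if res != "pass")


if __name__ == "__main__":
    res = evaluate(BASELINE, SAMPLE_HOST_STATE)
    for rid, outcome in res.items():
        print(f"{outcome:<10} {rid}")
    print(f"score: {score(BASELINE, res)}")
    print("needs attention:", ", ".join(non_compliant(res)))
```

On the constructed host the score is 66.67 (4 of 6 weight points earned), and the uncollected SMB-signing rule stays on the needs-attention list even though it did not count against the score; a scanner that silently treated it as a pass would report a cleaner host than actually exists.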
Phase-I: Targeted Advanced Security Controls
(Focus on most critical capabilities in next 12 months)
• Technical
• Architecture
  – Deploy additional monitoring/surveillance tools
  – More sophisticated tools (Einstein 3 and beyond) to detect threats inside
    the .gov boundary
  – Expanded use of NSA capabilities for most critical missions (possibly
    address legal authorities)
  – More frequent penetration analysis of critical systems
  – Consider using separate sub-network(s) for mission-critical functions
• Management
  – Identify most critical functions (in some priority)
  – Establish training program to increase number of highly qualified
    security personnel and deploy them to critical mission areas
Result: Reduce impact of sophisticated attacks on critical systems
Phase II: Baseline Security Controls
(12-36 months)
• Technical
  – Mandate software/hardware reliability standards
    – Initial focus is on secure configurations and malware elimination
    – Longer-term focus on much more reliable software/hardware
  – Deploy new Internet protocols (for attribution, etc.)
• Architecture
  – Catalog of secure configurations
  – HW/SW component authentication
• Management
  – Expand qualifications of cybersecurity personnel (certification
    requirements for select jobs)
  – Oversee and focus cybersecurity research and development
Result: Reduce unaddressed vulnerability to less than 1% of attacks
Phase II: Advanced Security Controls
(12-36 months)
• Technical
  – Trusted supply chain for selected mission areas
  – Mandatory reliability assurance from vendors (i.e., warranty against
    defects)
  – Self-protecting systems
• Architecture
  – Implement HW/SW/network diversity/redundancy for additional resiliency
    during attack
• Management
  – Establish policies regarding response to attack
  – Establish cyber "black belt/ninja" cadre for critical mission areas
Result: Reduce success rate of most sophisticated attacks to one successful
attack per year, with consequences mitigated within one hour
Backup
High-level Assessment of Cyber Security Weaknesses tied to Potential Actions
(Two columns on the original chart: Weakness and Potential Actions. * Near term = 1 to 18 months)
1. Weakness: Poor overall security posture of government and industry IT
   systems (permits attacks from relatively unsophisticated sources)
   Potential actions: Implement best practices
   – Near-term*: 20 Critical Controls and SCAP-based enterprise toolsets;
     continue communications infrastructure security (TIC)
   – Longer-term: Expand focus of controls and SCAP standards
2. Weakness: IT products do not provide adequate security out of the box
   Potential actions: Require IT products to have improved security
   – Near-term: Secure configurations (FDCC expansion)
   – Longer-term: Require improved resiliency to attacks
3. Weakness: Internet does not support attacker attribution
   Potential actions: Establish reliable identity across the Internet
   – Near-term: Implement improved protocols (DNSSEC, Secure BGP, etc.)
   – Longer-term: Federated, enterprise-wide identity with reliable
     protocols and standards
High-level Assessment (Continued)
4. Weakness: Security enforcement within critical infrastructure is
   generally weak and uneven
   Potential actions: Ensure common standards and oversight of critical
   infrastructure
   – Near-term: Initial guidelines for CIP protection with reporting metrics
   – Longer-term: Tailored, detailed standards and guidelines, and
     compliance enforcement
5. Weakness: Private sector (non-critical infrastructure: technology firms,
   nongovernmental organizations) not well equipped to provide adequate
   security
   Potential actions: Communications outreach, reference and technical
   support
   – Near-term: Education forums
   – Longer-term: Online advice, tools, etc.
Rough Roadmap
[Figure: Gantt-style chart, 4Q 2009 to 4Q 2012 (columns at 4Q 2009, 4Q 2010, 4Q 2011, 4Q 2012), with five tracks:]
1. Secure the IT infrastructure
2. Change culture and awareness
3. Change the IT business model
4. Better educated cyber workforce
5. Improve cyber security technologies
Milestones shown on the chart, in reading order (near-term items before longer-term items on each row): Implement CAG; Guidelines for CIP; Standards enforcement; Continue TIC/CERT; Expand use of SCAP; Public awareness campaign; Expanded public-private partnerships; Expand FDCC; New standards for IT product security; Education forums; Online tools/help; Implement DNSSEC/S-BGP; Federated identity; Enhance Einstein
