With the recent announcement of the Cybersecurity National Action Plan (CNAP) for federal cybersecurity, cyber experts have already begun to plan reorganizations and cyber protocols to meet the new guidelines, which call for a significant increase in funding and a major reorganization of cyber activities within the Government. Evolver realizes that there are several “elephant in the room” topics that are hard questions for the Government and the contractors who make up the ecosystem of the Federal marketplace.
THE 8 HARD QUESTIONS FOR FEDERAL CYBERSECURITY IN 2016
The President announced the Cybersecurity National Action Plan (CNAP) on February 9, 2016, calling for a significant increase in funding and a major reorganization of cyber activities within the Government. This cybersecurity mandate has spawned conferences and meetings on both coasts discussing technologies and policy issues related to the CNAP initiative.
As cybersecurity experts begin to plan reorganizations and cyber protocols to meet the CNAP guidelines, we realize there are several “elephant in the room” topics that are hard questions for the Government and contractors who make up the ecosystem of the Federal marketplace.
Who owns the data, and where is it located?
The Federal Government has data on every citizen in the U.S. This personal data is spread across hundreds of agencies.
- Which agency has primary ownership of that data?
- Is the most critical information (health records and security background data) protected better than general information such as the seating chart for the upcoming holiday party?
Should the Government require contractors to have cyber insurance?
Government contractors create, manage and process billions of critical records in support of the Federal government.
- If a contractor is hacked, who pays for the system recovery, data monitoring services, public relations, etc.?
- If the breach bankrupts the company, is the Government responsible for this cost?
- Should the Government require insurance to share this risk?
Can the Government use past cyber breaches in the source selection of contractors?
Currently there is no way to verify the cyber events a contractor has experienced, and there are no standardized severity levels for cyber breaches.
- If a contractor or product has been identified in a breach (either Federal or commercial) can the Government use this information in the evaluation of future proposals?
- How do you determine if the breach was the fault of the contractor, a technology or just bad user behavior?
Should products have a cyber rating as part of the Government supply chain evaluation?
From automated buildings to medical devices, the Federal government has an enormous supply chain for products and services. Recent events surrounding medical devices have shown that certain devices are threats not only to patients but also to the networks they are connected to.
- Should each item in the chain have a cyber rating or evaluation?
- Is it time for a UL-style safety rating (as Underwriters Laboratories provides for electrical products) to be applied to all devices purchased by the Government?
Is the process of fair bidding more important than acquisition and implementation speed?
Unlike many commercial entities, a basic construct of Federal contracting is that competition is open and fair to qualified vendors.
- Given that most cyber products are only a few years old and that the threat changes daily, does providing a fair opportunity to service and product providers (and therefore a slower process) put Federal systems at risk?
- Would the faster purchase of a “good enough” solution be better than using a slower path to buy the best solution?
What is the value of a cyber solution?
Anybody who attended the recent RSA Conference in San Francisco saw booth upon booth of new cybersecurity products.
- Exactly how does the Government determine if one product is worth more than another?
- Is spending a million dollars on a new technology going to buy a hundred times the protection of a solution that costs ten thousand?
How does the Government reconcile cyber breach information sharing with the inherent conflict with outside legal counsel?
In the end, there is always a legal component to major issues that confront the nation. Cyber is no different. A key element of the Government’s approach is greater sharing of incidents and threats to shorten the time of response and protection.
- How do you get greater cyber breach information sharing and legal protection at the same time?
Who cleans up the mess of a cybersecurity breach?
In the commercial world, there is rapid growth of outside cyber breach response teams that work with companies that have been hacked to get them quickly back up and running. A key component of this strategy is that the breach response team is an outside entity.
- Who is this entity for a Federal agency?
- Should this responsibility rest with on-call contractors or with an on-call Federal group?