Why Cybersecurity Matters in Government Contracting. Robert Nichols, Covington & Burling LLP
Slide 2: Cybersecurity is the No. 1 Concern of General Counsel and Directors
Slide 3: Cybersecurity Concerns in the Government

"The American people deserve to know that companies running our critical infrastructure meet basic, commonsense cybersecurity standards, just as they already meet other security requirements. It would be the height of irresponsibility to leave a digital backdoor wide open to our cyber adversaries." - President Obama

"Rarely has something been so important and so talked about with less clarity and less apparent understanding than this phenomenon." - General Michael Hayden
Slide 4: Cybersecurity Concerns in Contracting

"Our internal IT security team recently identified an apparent external cyber-attack on the USIS corporate network. We immediately informed federal law enforcement, the Office of Personnel Management (OPM) and other relevant federal agencies. We are working closely with federal law enforcement authorities and have retained an independent computer forensics investigations firm to determine the precise nature and extent of any unlawful entry into our network. Experts who have reviewed the facts gathered to date believe it has all the markings of a state-sponsored attack. Cybercrime and attacks of this nature have become an epidemic that impacts businesses, government agencies, and financial and educational institutions alike. The protection and safeguarding of our networks, our data and the data of our customers is always of the utmost importance, and we have invested heavily in security measures. Our systems and people identified this attack, and, in response, we are working alongside OPM, the Department of Homeland Security (DHS) and federal law enforcement authorities in redoubling our cybersecurity efforts. We are working collaboratively with OPM and DHS to resolve this matter quickly and look forward to resuming service on all our contracts with them as soon as possible. We will support the authorities in the investigation and any prosecution of those determined to be responsible for this criminal attack." - Statement by USIS
Slide 5: Defining the Concerns

Why cyber attacks occur:
- Criminals seeking financial gain through theft of proprietary information
- Actors advancing social and political agendas
- Employees seeking to cause harm and embarrass employers
- Terrorists seeking to harm US national security
- Economic espionage
- Foreign intelligence

What is cybersecurity? Measures intended to protect information systems (including technology such as devices, networks and software, the information they hold, and associated personnel) from various forms of attack.
Slide 6: The U.S. Government's Approach to Cybersecurity and Framework

Each government entity has responsibility for governing the infrastructure and people that make up the portion of cyberspace within its jurisdiction. The U.S. government's approach to cybersecurity has developed through a series of laws and policies over the last 30 years, with particular attention over the past decade. Congress has passed numerous statutes addressing different aspects of information security.
Slide 7: The Federal Information Security Management Act (FISMA)

FISMA sets forth a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, including those operated by contractors on behalf of the agency.

FISMA requires each agency to develop, document, and implement an information security program that includes the following components:
- policies and procedures that are based on (1) risk assessments, (2) cost-effectively reducing security risks to an acceptable level, (3) ensuring that information security is addressed throughout the lifecycle of each system, and (4) ensuring compliance with applicable requirements
- subordinate plans
- security awareness training
- periodic testing and evaluation
- a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies
- procedures for detecting, reporting, and responding to security incidents
- plans and procedures to ensure continuity of operations for information systems
Slide 8: FISMA

Under FISMA, each agency Chief Information Officer has the responsibility to ensure that agency information systems, including those operated by contractors, are being protected under the agency's information security program. FISMA charged the Director of the Office of Management and Budget (OMB) with the oversight of agency information security policies and practices. In addition, the OMB annual FISMA reporting instructions require agencies to develop policies and procedures for agency officials to follow when performing oversight of the implementation of security and privacy controls by contractors. OMB guidance specifically requires each agency inspector general, or other independent auditor, to perform the evaluation, including the effectiveness of the agency's contractor oversight. The passing of FISMA in 2002 was the beginning of the creation of a broad framework for federal cybersecurity in the United States.
Slide 9: The Federal Information Security Modernization Act of 2014 (FISMA 2014)

The Federal Information Security Modernization Act of 2014 charges the Department of Homeland Security (DHS) with assisting OMB with FISMA implementation by coordinating government-wide efforts for information security. FISMA 2014 also authorizes DHS to develop and oversee the implementation of binding operational directives that direct agencies' efforts to safeguard Federal information and information systems from information security threats, vulnerabilities or risks. The law clarifies and amplifies the notification requirements for major incidents and other breaches. As with the original FISMA, FISMA 2014 requires agencies to apply certain standards to contractors.
Slide 10: The Role of Federal Agencies

DHS is the operational lead for Federal civilian cybersecurity; DOD plays a similar role for the military. Both departments execute a number of protection programs on behalf of the Government. NIST issues and updates security standards and guidelines for information systems utilized by Federal agencies. OMB, in partnership with DHS and the National Security Council, oversees the successful implementation of agency-specific and government-wide cybersecurity programs. While no single Federal agency has purview over cybersecurity issues, certain agencies do have defined functions and operate important programs.
Slide 11: The White House/Office of Management and Budget

OMB appointed a Federal Chief Information Officer (Federal CIO) who administers the Office of Electronic Government (OMB E-Gov), which has oversight responsibilities for Federal cybersecurity policy and implementation. In 2009, President Obama named the first Cybersecurity Coordinator to lead the interagency efforts to implement the CNCI goals and initiatives. The Administration has also established an Information and Communications Infrastructure Interagency Policy Committee (ICI-IPC) as the primary policy coordination body for issues related to achieving an assured, reliable, secure, and survivable global information and communications infrastructure and related capabilities. OMB recently created a dedicated unit within OMB E-Gov called the Cyber and National Security Unit (E-Gov Cyber) that will focus on strengthening Federal cybersecurity through targeted oversight and policy issuance.
Slide 12: The White House/Office of Management and Budget

The Federal CIO formally established the Federal Risk and Authorization Management Program (FedRAMP) to accelerate the adoption of cloud computing solutions across the Federal Government. In 2011, the Administration released the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls for public-private collaboration to create an Identity Ecosystem, a marketplace of more secure, convenient, interoperable, and privacy-enhancing solutions for online authentication and identification. OMB has begun to focus on the role of government contractors in the federal government's cybersecurity landscape.
Slide 13: The U.S. Department of Defense (DOD) and Intelligence Community

The DOD aggressively defends its networks, secures its data, and mitigates risk to DOD missions. In 2010, DOD launched the U.S. Cyber Command (USCYBERCOM). USCYBERCOM is a centralized command for assuring the security of military information systems, tasked with centralizing command of cyberspace operations, strengthening DOD cyberspace capabilities, and integrating and bolstering DOD's cyber expertise. In 2015, DOD released a new cyber strategy. The strategy made clear that DOD's first mission is to defend its own networks, systems, and information. Its second mission is to defend the United States and its interests against cyberattacks of significant consequence.
Slide 14: DOD's 2015 Cyber Strategy

"The United States government has a limited and specific role to play in defending the nation against cyberattacks of significant consequence. The private sector owns and operates over ninety percent of all of the networks and infrastructure of cyberspace and is thus the first line of defense. One of the most important steps for improving the United States' overall cybersecurity posture is for companies to prioritize the networks and data that they must protect and to invest in improving their own cybersecurity. While the U.S. government must prepare to defend the country against the most dangerous attacks, the majority of intrusions can be stopped through relatively basic cybersecurity investments that companies can and must make themselves."
Slide 15: The U.S. Department of Homeland Security (DHS)

DHS is responsible for creating and maintaining a common operational picture for cyberspace across the government. Coordinated response to significant cyber incidents is carried out by the National Cybersecurity Division (NCSD) of DHS. The DHS National Protection and Programs Directorate (NPPD) works with partners at all levels of government and from the private and non-profit sectors to share information and build greater trust, so as to make the cyber and physical infrastructure more secure. The Office of Cyber and Infrastructure Analysis (OCIA) supports efforts to protect the Nation's critical infrastructure through an integrated analytical approach, evaluating the potential consequences of disruption from physical or cyber threats and incidents. OCIA identifies critical infrastructure where cyber incidents could have catastrophic impacts on public health and safety, the economy, and national security. OCIA builds on the work of the Department's Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) and manages the National Infrastructure Simulation and Analysis Center (NISAC).
Slide 16: DHS and Contractors

The DHS Office of the Assistant Secretary for Cybersecurity and Communications (CS&C) within NPPD is responsible for enhancing the security, resilience, and reliability of the Nation's cyber and communications infrastructure. CS&C houses the National Cybersecurity and Communications Integration Center (NCCIC), a 24x7 cyber situational awareness, incident response, and management center. The CS&C Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR) division is the DHS primary point of engagement and coordination for national security/emergency preparedness (NS/EP) communications and cybersecurity initiatives for both government and industry partners.

Relevant to contractors, SECIR's responsibilities include the following:
- works with government and industry to promote and enhance the security and resilience of NS/EP communications and cyber infrastructure
- maintains meaningful lines of communication and engagement
- leads the development of strategic risk assessments and the delivery of key mitigation capabilities to owners and operators
- leads the development and implementation of education, outreach, and awareness, and cyber workforce and NS/EP communications development initiatives
Slide 17: The U.S. Department of Homeland Security (DHS)

The Department's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responds to significant private-sector incidents and deploys teams for site assistance visits. It also has established close working relationships with industry through partnerships like the Protected Critical Infrastructure Information (PCII) Program, which enhances voluntary information sharing between infrastructure owners and operators and the government. Perhaps the two most important DHS cybersecurity programs are Continuous Diagnostics & Mitigation (CDM) and the National Cybersecurity Protection System (EINSTEIN). Under CDM, DHS works with the General Services Administration (GSA) to establish and fund government-wide Blanket Purchase Agreements used to provide Federal agencies a basic set of tools to support the continuous monitoring of information systems. The goal of EINSTEIN is to provide the Federal government with an early warning system, improved situational awareness of intrusion threats to Federal Executive Branch civilian networks, near real-time identification of malicious cyber activity, and prevention of that malicious cyber activity.
Slide 18: The National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) is a technical, non-regulatory agency that provides a unique interface with industry for the development of technical standards. Its Computer Security Division's (CSD) Computer Security Resource Center (CSRC) facilitates broad sharing of information security tools and practices, provides a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia. NIST's National Cybersecurity Center of Excellence (NCCoE) works with members of industry to identify broad cybersecurity challenges. Under NIST's National Strategy for Trusted Identities in Cyberspace (NSTIC), individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity credentials to access online services in a manner that promotes confidence, privacy, choice and innovation. President Obama's E.O. directed NIST to establish a technology-neutral, voluntary cybersecurity framework.
Slide 19: Law Enforcement

The U.S. Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) are the principal agencies responsible for investigating and prosecuting cyber crimes. Several agencies have combined efforts to create the Internet Crime Complaint Center (IC3) as a single destination for collecting data on Internet-related crimes and referring them to the proper authorities. DOD operates the Defense Cyber Crime Center (DC3) as the operational focal point for the DIB Cyber Security/Information Assurance (CS/IA) Program. DHS operates its Cyber Cop Portal to facilitate information sharing for investigators anywhere in the world working on cybercrime cases. The National Computer Forensic Institute trains local law enforcement officers to conduct network intrusion and electronic crimes investigations and forensic functions.
Slide 20: Joint Report, Improving Cybersecurity and Resilience Through Acquisition

GSA and DOD released a joint report in 2014 entitled Improving Cybersecurity and Resilience Through Acquisition. The report contained six recommendations aimed at strengthening the cyber resilience of the federal government by improving management of the people, processes, and technology affected by the Federal Acquisition System. Specifically, the report recommended the following government actions:
- instituting baseline cybersecurity requirements as a condition for certain contract awards;
- training the relevant government workforce in new cybersecurity acquisition practices;
- developing common cybersecurity definitions and increased clarity of key cybersecurity terms;
- creating a government-wide cybersecurity risk management strategy that identifies a hierarchy of cyber risk criticality for acquisitions, to permit the government to identify acquisitions that present the greatest cyber risk;
- requiring the government to procure certain items solely from original equipment manufacturers (OEM), authorized resellers, or other trusted sources;
- increasing government accountability by holding key decision-makers accountable for decisions regarding the threats, vulnerabilities, likelihood, and consequences of cybersecurity risks.
Slide 21: The Relationship Between the Federal Government and Its Contractors

The past few years have seen a dramatic increase in the extent to which the Federal government exercises its regulatory and contracting powers to govern the cyber activities of contractors. The E.O. recognized the need to integrate cybersecurity into the federal acquisition process. It directed GSA and DOD to prepare recommendations for the President on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.
Slide 22: Key Areas of Legal Issues
- Government Contracts
- Cybersecurity Compliance and Policy
- Insurance
- Labor & Employment
- Trade Secrets
- Privacy
Slide 23: Overview of the Federal Cybersecurity Landscape for Contractors
- No comprehensive federal data security law to date
- Numerous federal statutes, executive orders, regulations, and policies
- Hundreds of NIST standards
- NIST Framework
- Continuing gaps and vagueness regarding expectations of contractors
- Yet USG increasingly allocating risks to contractors
- State laws protecting
Slide 24: Federal Legal and Policy Framework Governing Contractors
- The Federal Information Security Management Act (FISMA)
- NDAA FY 2013 Reporting Requirements
- Executive Order, Controlled Unclassified Information
- E.O., Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive
- NIST Information Security Documents
- NIST Cybersecurity Framework
- Industrial Security Requirements (NISPOM)
- DOD's Defense Industrial Base Cyber Security/Information Assurance Program
- GSA and DOD Working Group Report, Improving Cybersecurity and Resilience through Acquisition
Slide 25: What is the NIST Cybersecurity Framework?

The E.O. mandated that NIST establish a voluntary, risk-based framework to guide organizations in critical infrastructure sectors in the creation, assessment, and improvement of their cybersecurity programs. The Framework is not directed at all organizations, and it is neither mandatory nor prescriptive. The Framework is a useful methodology for organizing a program to identify, assess and respond to cyber threats, and for referencing other standards from NIST.
Slide 26: Compliance Requirements
- Proposed FAR Rule on Basic Safeguarding of Contractor Information Systems
- DFARS Rule on Safeguarding DOD Unclassified Controlled Technical Information
- DOD's Counterfeit Prevention Policy and DOD's Proposed Rule for Electronic Parts
- Inconsistent Agency Cybersecurity Guidance
- Flowing Down Cybersecurity Requirements
- Safeguarding the Supply Chain
- Uneven and Unrecoverable Costs of Compliance
Slide 27: Legal Risks to Government Contractors

Federal contractors that fail to implement adequate cybersecurity measures face greater legal risk than their commercial counterparts. These risks are compounded by a lack of, and inconsistency among, Government rules, regulations, and standards. Although agencies such as DOD, GSA, and NIST have been particularly engaged on the topic, the Government lacks even a unified set of cybersecurity-related definitions. Furthermore, while some agencies address cybersecurity by assigning risks to contractors through regulations and guidance, others do so through individually negotiated contract terms. There is no comprehensive, considered balance of risk allocation that applies across the Government.
Slide 28: Impact of Cybersecurity Requirements on Traditional Government Contractor Risk

Noncompliance with the terms of a Government contract may result in the Government's termination of that contract for default. Federal agencies also use contractor performance to make both responsibility determinations (yes/no assessments of a contractor's capabilities, systems, and resources to perform a solicited contract) and past performance evaluations (which consider a contractor's prior performance as an indicator of results on future contracts). Companies that fail to comply with applicable cybersecurity rules, or that otherwise do not take a responsible approach to cyber threats, also may face administrative suspension and debarment. Suspension and debarment also have collateral impacts on business with state and local governments and in some commercial areas.
Slide 29: False Claims Act (FCA)

The False Claims Act (FCA) imposes civil liability on any person who knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval, or knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim.
Slide 30: The Cyber Risk Paradigm

Cyber risks present a real and present danger to business operations, costs and, for some, continued viability. Cyber risks are a legal problem, an operational problem, and a governance problem, not simply a technological one. Corporate leaders have a fiduciary responsibility to understand and manage cyber risks. Leaders must bring together key components of the organization to develop joint ownership of risks and a comprehensive approach to cybersecurity.
More informationLegislative Language
Legislative Language SECTION 1. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY. Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended (a) in section 201(c) by striking
More informationDepartment of Homeland Security
Department of Homeland Security Cybersecurity Awareness for Colleges and Universities EDUCAUSE Live! July 24, 2014 Overview Dramatic increase in cyber intrusions, data breaches, and attacks at institutions
More informationDelaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP
Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats
More informationTechnological Evolution
Technological Evolution The Impact of Social Media, Big Data and Privacy on Business Government Regulation, Enforcement and Legislation on Privacy, Cyber Security and Social Media Jeff Brueggeman Vice
More informationCyberprivacy and Cybersecurity for Health Data
Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies
More informationSeptember 10, 2015. Dear Administrator Scott:
September 10, 2015 Tony Scott United States Chief Information Officer Administrator, Office of Electronic Government and Information Technology Office of Management and Budget 725 17th Street, NW Washington,
More informationI. U.S. Government Privacy Laws
I. U.S. Government Privacy Laws A. Privacy Definitions and Principles a. Privacy Definitions i. Privacy and personally identifiable information (PII) b. Privacy Basics Definition of PII 1. Office of Management
More informationSTATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration
STATEMENT OF Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration BEFORE THE HOUSE COMMITTEE ON HOMELAND SECURITY SUBCOMMITTEE
More information(U) Appendix D: Evaluation of the Comprehensive National Cybersecurity Initiative
(U) Appendix D: Evaluation of the Comprehensive National Cybersecurity Initiative (U) Presidential Directive NSPD 54/HSPD 23, Cybersecurity Policy, established United States policy, strategy, guidelines,
More informationTITLE III INFORMATION SECURITY
H. R. 2458 48 (1) maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible; and (2) promote the development of interoperable
More informationUS Cyber Marathon. David Ambrose, Chief Security Officer and Chief Privacy Officer Bureau of the Fiscal Service U.S. Department of the Treasury
US Cyber Marathon David Ambrose, Chief Security Officer and Chief Privacy Officer Bureau of the Fiscal Service U.S. Department of the Treasury Context: US Government Scope/Scale 320M US citizens 4.1M Government
More informationSTATEMENT OF SYLVIA BURNS CHIEF INFORMATION OFFICER U.S. DEPARTMENT OF THE INTERIOR BEFORE THE
STATEMENT OF SYLVIA BURNS CHIEF INFORMATION OFFICER U.S. DEPARTMENT OF THE INTERIOR BEFORE THE HOUSE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM SUBCOMMITTEE ON INFORMATION TECHNOLOGY AND SUBCOMMITTE
More informationE X E C U T I V E O F F I CE O F T H E P R E S I D EN T
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 THE DIRECTOR M-05-24 August 5, 2005 MEMORANDUM FOR THE HEADS OF ALL DEPARTMENTS AND AGENCIES FROM: SUBJECT: Joshua
More informationPublic Law 113 283 113th Congress An Act
PUBLIC LAW 113 283 DEC. 18, 2014 128 STAT. 3073 Public Law 113 283 113th Congress An Act To amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security. Be it
More informationNASA OFFICE OF INSPECTOR GENERAL
NASA OFFICE OF INSPECTOR GENERAL OFFICE OF AUDITS SUITE 8U71, 300 E ST SW WASHINGTON, D.C. 20546-0001 April 14, 2016 TO: SUBJECT: Renee P. Wynn Chief Information Officer Final Memorandum, Review of NASA
More informationCLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS
CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS NEW YORK Jeremy Feigelson jfeigelson@debevoise.com WASHINGTON, D.C. Satish M. Kini smkini@debevoise.com Renee
More informationTestimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology
Testimony of Dan Nutkis CEO of HITRUST Alliance Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Hearing entitled: Cybersecurity: The Evolving Nature of Cyber
More informationFEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness
United States Government Accountability Office Report to Congressional Committees September 2013 FEDERAL INFORMATION SECURITY Mixed Progress in Implementing Program Components; Improved Metrics Needed
More informationNATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL FY 2015 INDEPENDENT EVALUATION OF THE EFFECTIVENESS OF NCUA S INFORMATION SECURITY PROGRAM UNDER THE FEDERAL INFORMATION SECURITY MODERNIZATION
More informationDHS, National Cyber Security Division Overview
DHS, National Cyber Security Division Overview Hun Kim, Deputy Director Strategic Initiatives Information Analysis and Infrastructure Protection Directorate www.us-cert.gov The strategy of DHS, as defined
More informationGAO CRITICAL INFRASTRUCTURE PROTECTION. Comments on the National Plan for Information Systems Protection. Testimony
GAO United States General Accounting Office Testimony Before the Subcommittee on Technology, Terrorism and Government Information, Committee on the Judiciary, U.S. Senate For Release at 10 a.m. Tuesday,
More informationU.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR
More informationThe Council of the Inspectors General on Integrity and Efficiency s Cloud Computing Initiative
The Council of the Inspectors General on Integrity and Efficiency s Cloud Computing Initiative September 2014 Council of the Inspectors General on Integrity and Efficiency Cloud Computing Initiative Executive
More informationThe U.S. Department of Homeland Security s Response to Senator Franken s July 1, 2015 letter
The U.S. Department of Homeland Security s Response to Senator Franken s July 1, 2015 letter 1. In what ways do private entities currently share with, and receive from, the government cyber threat information?
More informationSTATEMENT OF MARK A.S. HOUSE OF REPRESENTATIVES
STATEMENT OF MARK A. FORMAN ASSOCIATE DIRECTOR FOR INFORMATION TECHNOLOGY AND ELECTRONIC GOVERNMENT OFFICE OF MANAGEMENT AND BUDGET BEFORE THE COMMITTEE ON GOVERNMENT REFORM SUBCOMMITTEE ON GOVERNMENT
More informationCybersecurity: Mission integration to protect your assets
Cybersecurity: Mission integration to protect your assets C Y B E R S O L U T I O N S P O L I C Y O P E R AT I O N S P E O P L E T E C H N O L O G Y M A N A G E M E N T Ready for what s next Cyber solutions
More informationGAO Information Security Issues
GAO Information Security Issues Presented to: Federal Audit Executive Council April 18, 2012 1 Agenda Snapshots of Federal Information Security Highlights of Selected GAO Reports GAO Focus Areas List of
More informationCYBERSECURITY RISK MANAGEMENT
CYBERSECURITY RISK MANAGEMENT Evan Wolff Maida Lerner Peter Miller Kate Growley 233 Roadmap Cybersecurity Risk Overview Cybersecurity Trends Selected Cybersecurity Topics Critical Infrastructure DFARS
More informationPresidential Summit Reveals Cybersecurity Concerns, Trends
Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com Presidential Summit Reveals Cybersecurity Concerns,
More informationApril 28, 2014. Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC
April 28, 2014 Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC RE: Information Technology Sector Coordinating Council (IT SCC)
More informationSTATEMENT OF JOSEPH DEMAREST ASSISTANT DIRECTOR CYBER DIVISION FEDERAL BUREAU OF INVESTIGATION BEFORE THE
STATEMENT OF JOSEPH DEMAREST ASSISTANT DIRECTOR CYBER DIVISION FEDERAL BUREAU OF INVESTIGATION BEFORE THE HOMELAND SECURITY COMMITTEE SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE AND SUBCOMITTEE ON
More informationInformation Systems Security Line of Business (ISS LoB)
Information Systems Security Line of Business (ISS LoB) Information Security and Privacy Advisory Board George Washington University Washington, DC March 22, 2007 Agenda Background Status Next Steps Background
More informationHow Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495
How Cybersecurity Initiatives May Impact Operators Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495 Agenda! Rise in Data Breaches! Effects of Increase in Cybersecurity Threats! Cybersecurity
More informationFederal Cybersecurity Programs
Federal Cybersecurity Programs A Resource Guide October 2014 THE NATIONAL GOVERNORS ASSOCIATION (NGA), founded in 1908, is the collective voice of the nation s governors and one of Washington, D.C. s,
More informationANNUAL REPORT TO CONGRESS: FEDERAL INFORMATION SECURITY MANAGEMENT ACT
ANNUAL REPORT TO CONGRESS: FEDERAL INFORMATION SECURITY MANAGEMENT ACT OFFICE OF MANAGEMENT AND BUDGET May 1, 2014 Identical Letter Sent to: The Honorable Tom Coburn The Honorable Elijah Cummings The
More informationDiane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Submitted via email: cyberframework@nist.gov April 8, 2013 Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Re: Developing a Framework
More informationOne Hundred Thirteenth Congress of the United States of America
S. 2519 One Hundred Thirteenth Congress of the United States of America AT THE SECOND SESSION Begun held at the City of Washington on Friday, the third day of January, two thous fourteen An Act To codify
More informationMission Assurance and Security Services
Mission Assurance and Security Services Dan Galik, Chief Federation of Tax Administrators Computer Security Officer Conference March 2007 Security, privacy and emergency preparedness issues are front page
More informationCybersecurity & the Department of Homeland Security
Cybersecurity & the Department of Homeland Security Recommendations of the Aspen Homeland Security Group s Cyber Working Group for the Department of Homeland Security The Aspen Institute Homeland Security
More information2 Gabi Siboni, 1 Senior Research Fellow and Director,
Cyber Security Build-up of India s National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,
More informationDepartment of Homeland Security
DHS' Efforts to Coordinate the Activities of Federal Cyber Operations Centers OIG-14-02 October 2013 Washington, DC 20528 / www.oig.dhs.gov October 24, 2013 MEMORANDUM FOR: The Honorable Suzanne Spaulding
More informationDepartment of Defense DIRECTIVE
Department of Defense DIRECTIVE NUMBER 5205.16 September 30, 2014 USD(I) SUBJECT: The DoD Insider Threat Program References: See Enclosure 1 1. PURPOSE. In accordance with sections 113 and 131 through
More informationIT-CNP, Inc. Capability Statement
Securing America s Infrastructure Security Compliant IT Operations Hosting Cyber Security Information FISMA Cloud Management Hosting Security Compliant IT Logistics Hosting 1 IT-CNP, Inc. is a Government
More informationTHE WHITE HOUSE Office of the Press Secretary
FOR IMMEDIATE RELEASE February 13, 2015 THE WHITE HOUSE Office of the Press Secretary FACT SHEET: White House Summit on Cybersecurity and Consumer Protection As a nation, the United States has become highly
More informationCompliance Risk Management IT Governance Assurance
Compliance Risk Management IT Governance Assurance Solutions That Matter Introduction to Federal Information Security Management Act (FISMA) Without proper safeguards, federal agencies computer systems
More informationDepartment of Homeland Security
Implementation Status of EINSTEIN 3 Accelerated OIG-14-52 March 2014 Washington, DC 20528 / www.oig.dhs.gov March 24, 2014 MEMORANDUM FOR: FROM: SUBJECT: Bobbie Stempfley Acting Assistant Secretary Office
More informationSubject: Critical Infrastructure Identification, Prioritization, and Protection
For Immediate Release Office of the Press Secretary The White House December 17, 2003 Homeland Security Presidential Directive / HSPD-7 Subject: Critical Infrastructure Identification, Prioritization,
More informationChairman Johnson, Ranking Member Carper, and Members of the committee:
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT STATEMENT OF THE HONORABLE KATHERINE ARCHULETA DIRECTOR U.S. OFFICE OF PERSONNEL MANAGEMENT before the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
More informationS. 2519 AN ACT. To codify an existing operations center for cybersecurity.
TH CONGRESS D SESSION S. 1 AN ACT To codify an existing operations center for cybersecurity. 1 Be it enacted by the Senate and House of Representa- tives of the United States of America in Congress assembled,
More informationStatement for the Record of
Statement for the Record of Roberta Stempfley Acting Assistant Secretary Office of Cyber Security and Communications National Protection and Programs Directorate Department of Homeland Security and Sean
More informationCybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015
Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission June 25, 2015 1 Your Panelists Kenneth L. Chernof Partner, Litigation, Arnold & Porter LLP Nicholas
More informationDepartment of Defense DIRECTIVE
Department of Defense DIRECTIVE NUMBER 5400.11 October 29, 2014 DCMO SUBJECT: DoD Privacy Program References: See Enclosure 1 1. PURPOSE. This directive: a. Reissues DoD Directive (DoDD) 5400.11 (Reference
More informationDecember 17, 2003 Homeland Security Presidential Directive/Hspd-7
For Immediate Release Office of the Press Secretary December 17, 2003 December 17, 2003 Homeland Security Presidential Directive/Hspd-7 Subject: Critical Infrastructure Identification, Prioritization,
More informationNATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
More informationComparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills
April 4, 2012 Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills The chart below compares on civil liberties grounds four bills that seek to promote
More informationNational Initiative for Cyber Security Education
2014/PPWE/SEM2/007 Agenda Item: 5 National Initiative for Cyber Security Education Submitted by: United States Women Business and Smart Technology Seminar Beijing, China 23 May 2014 NICE OVERVIEW Women
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More information