GCN: August and September 2016
SPONSORED CONTENT: CYBER RESILIENCE

AGENCIES SHIFT FOCUS TO CYBER RESILIENCE

In the post-Cyber Sprint era, agencies are taking a more holistic approach to improving their cyber posture.

In the last 18 months, like never before, federal agencies have come to terms with both the importance and complexity of cyber resilience. A number of high-profile data breaches in 2015—followed by the Cyber Sprint, a government-wide assessment of existing security measures—drove home the point that agencies need to think about cybersecurity in new ways.

The traditional focus on preventing attacks, often called perimeter defense, clearly is still necessary, but it is not sufficient. Given the increasing sophistication of cyberattacks, agencies need to integrate security solutions throughout the enterprise. Agencies also need to recognize that cybersecurity is not just a product or service category. It is a discipline that must be integrated throughout an organization and throughout its key processes. This shift in focus from frontline cyber defense to a more holistic concept of cyber resilience will help agencies become more agile in how they identify, mitigate and, when necessary, recover from attacks.

The case for resilience is urgent. According to the Government Accountability Office (GAO), the number of federal information security incidents increased by more than 1,000 percent between 2006 and 2015. Of particular concern are the attacks on what GAO calls high-impact systems, that is, those holding especially sensitive information. Those systems are frequent targets, according to GAO. In a recent study, GAO found that 18 major agencies reported more than 2,000 security incidents targeting high-impact systems, including nearly 500 incidents involving the installation of malicious code. “Increasingly sophisticated threats to information technology systems and the damage that can be generated underscore the importance of managing and protecting them,” the report states.

One challenge is that many existing systems are based on outdated technology, according to the Cybersecurity Strategy and Implementation Plan, which the White House issued at the conclusion of the Cyber Sprint. Over the years, these systems have grown increasingly complex with the proliferation of hardware and software configurations, “which introduces significant vulnerabilities and opportunities for exploitation,” the plan states.

This concern with legacy systems has prompted several legislative proposals to help agencies fund modernization efforts. A bill introduced by Rep. Will Hurd (R-Tx.) and other lawmakers would allow agencies to create their own working capital funds to upgrade or replace old systems. Another bill, introduced by Rep. Steny Hoyer (D-Md.) and based on a White House proposal, would create a government-wide $3.1 billion revolving fund for modernization.

Meanwhile, the Office of Management and Budget (OMB) is pushing agencies to change how they monitor the security of their systems. In its recent revision of Circular A-130, the federal government’s overarching information management policy, OMB directs agencies to move away from “periodic, compliance-driven assessment exercises” and toward “the ongoing monitoring, assessment, and evaluation of federal information resources.”

“In today’s rapidly changing environment, threats and technology are evolving at previously unimagined speeds,” OMB officials wrote in a blog post announcing the new policy. “In such a setting, the government cannot afford to authorize a system and not look at it again for years at a time.”

The administration also is trying to provide agencies with easier access to security services. There are a plethora of services available through the General Services Administration’s Schedule 70 contract vehicle, but they can be difficult to find. Under the administration’s Cybersecurity National Action Plan, GSA will create a special item number for such services as network mapping, penetration testing, phishing assessment, and vulnerability scanning.

Unfortunately, modernization and policy changes can only go so far in addressing the vulnerability of federal systems. According to the GAO, some of the most perplexing security threats get through because of human error—employees clicking on malicious links or attachments, or reusing their passwords.