This has been an eventful year in government IT. Much of it revolved around cybersecurity – NIST issued its cybersecurity framework early in the year, the Department of Homeland Security’s Continuous Diagnostics and Mitigation blanket purchase order started delivering standardized tools to improve cybersecurity awareness and response, and the Department of Defense started to implement its Joint Regional Security Stacks to establish a standardized cybersecurity profile.
But there were other milestones, as well. The Office of Management and Budget designated four departments to offer financial shared services to agencies. FedRAMP gave its certification to cloud providers interested in providing services. Agencies continued to work through the practical and policy issues surrounding mobility, particularly BYOD.
Here’s a recap of some of the CIOs who worked so hard to bring these changes about.
It was an eventful year for the Pentagon. Halvorsen started 2014 as the Navy CIO, and finishes as the acting CIO for all of DoD. The Joint Information Environment – which, as he stressed at FedTalks last month, is “a concept, not a thing” – made significant strides toward improving the cybersecurity posture for all the military with its implementation of Joint Regional Security Stacks (JRSS), which will provide a standardized architecture for cybersecurity and funnel all Internet traffic through one of five regional centers set up across the globe.
DoD continued its push into cloud computing and improving mobility for all of its personnel. Much of the department’s commitment to these technologies will have an effect across the entire federal government, since there are so many areas where DoD’s customers are not part of the department. For instance, he pointed out that the department spends $235 billion in healthcare, but many if not most healthcare providers are not part of DoD.
DHS established one of its most far-reaching cybersecurity programs in 2014 with the launch of Phase One of its Continuous Diagnostics and Mitigation (CDM) blanket purchase agreement.
The future of cybersecurity depends on the ability of network administrators to keep up with the thousands of security alerts big networks generate on an hourly basis, and to be able to distinguish truly important events from minor problems, ideally in as close to real time as possible. The collection of tools available to federal, state, local, and tribal governments in Phase One is roughly aligned with the SANS Top 20 Critical Security Controls, which address approximately 80% of cyberthreats.
The next step DHS plans is to release a dashboard that takes threat intelligence from numerous federal agencies and combines it, providing a place where security professionals can see at a glance what the most common or recurring threats are and be prepared to prevent, identify, or remediate them.
The National Institute of Standards and Technology (NIST) is part of the Commerce Department, and opened the year with a bang, issuing its Critical Infrastructure Cybersecurity Framework in February. Between the NIST framework and the Department of Homeland Security’s Continuous Diagnostics and Mitigation BPA, the federal government as a whole paid a lot of attention to cybersecurity issues in 2014.
Cooper, who had retired from government service after serving as CIO at the FAA and as DHS’ first CIO, said in a September interview that one of his first tasks would be to get the 12 component agencies – including everything from NIST to the Census Bureau to NOAA, each with very distinct responsibilities and tech needs – to seek ways to collaborate, despite their disparate missions.