
Posts Tagged ‘cyber security’

GTSC Releases 2019 Annual Report: Fostering Collaboration to Cast a Wider Shadow on the Homeland Security Market

The Government Technology & Services Coalition, the foremost organization for government contractors in the homeland security mission space, released its 2019 Annual Report at its Annual Meeting.

GTSC’s 2019 Annual Report, Fostering Collaboration to Cast a Wider Shadow on the Homeland Security Market, catalogs the non-profit’s activities and progress toward a trusted community to protect the nation.

The theme, Fostering Collaboration to Cast a Wider Shadow on the Homeland Security Market, highlights the effectiveness of the more than 200 contracting companies that have joined together to bring the best solutions to the homeland security market. The organization saw 25% growth among its mid-tier members (contractors with revenue between $25 million and $1 billion) and over one million page views at its news site, Homeland Security Today (www.HSToday.us). In addition to engaging to improve procurement for all contractors, the organization works to provide a level playing field, increase competition, and assure that smaller companies with innovative solutions have an opportunity to share them with the public sector officials who need them. The organization has attracted new government partners and sustained vibrant partnerships with its traditional supporters.

“We are extremely happy that our approach to collaboration, facts, and practical solutions has been embraced by the homeland security community. We have worked very hard to create a community of trusted relationships between the public and private sector to work together to protect our nation. We work daily to bridge the communication gap and lack of understanding between those who are accountable for the mission, and those who support them to achieve it. Our non-profit’s work, our mission, has always been to support those on the front lines, executing our nation’s laws, to keep our children, citizens, and cities safer against all threats,” said Kristina Tanasichuk, CEO & Founder, at the release.

“Our partnership with GTSC is incomparable,” said Alba M. Alemán, CEO of Citizant and GTSC’s Mid-Tier Company of the Year. “GTSC has been paramount in developing trusted relationships between industry and agency leaders to bring forward unique perspectives, so that those agencies will be better served and able to achieve mission-critical objectives. Moreover, to be a part of such an elite network of like-minded professionals passionate about national security and core infrastructure missions is both energizing and humbling.”

GTSC was founded in 2011 by small business CEOs in the homeland security market to find ways to improve procurement and acquisition of innovative technologies, give small businesses a voice in the federal market, and provide a trusted community for those tasked with securing the country. The organization has evolved to represent the ecosystem of the homeland security market, with small, mid-tier, and large companies engaged to collaborate, mentor, and network to achieve the mission. In 2017, the non-profit purchased the Homeland Security Today media platform.

“As a fairly new business having started in 2012, I have been a part of various organizations and associations. GTSC has been the ONLY one that has consistently supported businesses and government entities with a passion for both sides. I can proudly say that Potomac Management Solutions’ growth and success has been directly contributed to the programs, guidance and overall structure of GTSC!” said Diane McCain, CEO of Potomac Management Solutions and GTSC’s Small Business of the Year.

GTSC and Homeland Security Today also host the Annual Holiday Hero Awards, recognizing those on the front lines on watch every single day to protect our country from threats to homeland security. The awards recognize private citizens and public sector officials doing exceptional work on behalf of the homeland.

The 2019 Annual Report catalogs the numerous programs, meetings, networking opportunities, charitable events, and workgroups supported by the organization and the leaders and members shaping those activities.

Sorting out the ODNI’s World Threat Assessment

DNI James Clapper has delivered the Intelligence Community’s annual Worldwide Threat Assessment to Congress. In downbeat opening remarks, he reeled off a depressing set of numbers: 60 million people around the world are reckoned to have been displaced; central government authority has collapsed in seven countries; violent extremists are operationally active in 40 countries; and 59 countries face a significant risk of instability. Clapper called instability the “new normal.”

The threat assessment itself was as usual divided into GLOBAL and REGIONAL sections. Both displayed a high proportion of bad news to good.

IC’s View Of Global Threats

Cyber

Not surprisingly, CYBER took pole position on the list of GLOBAL threats, with new concerns relating to the Internet of Things and the deployment of Artificial Intelligence technologies. While the list of bad actors still includes Russia, China, Iran, North Korea, and terrorists generally, new vulnerabilities are anticipated from augmented reality and virtual reality systems. Referencing the Juniper Networks hack, Clapper noted that, in the cyber realm, the trend away from crude denial-of-service to sophisticated attacks designed to undermine data integrity has continued.

Terrorism

The global threat from TERRORISM has undergone a significant change over the last 12 months. According to the Assessment, Al-Qaeda has been “severely degraded.” ISIL’s emergence as the pre-eminent threat has increased concerns about both “terrorist travel” and home-grown violent extremists (HVEs) in the U.S., with other terror groups, including Boko Haram and al-Shabaab, discussed primarily in terms of their relation to ISIL. Finally, the Assessment notes that the difficulties experienced by host nations in relation to massive population displacements may make refugees targets for terrorist recruiters.

Weapons of Mass Destruction

The IC’s perception of the threat presented by WMD has been little modified since the 2015 Assessment, with continuing concerns about North Korea, China and Russia. The picture in Iran is more complex. While the diplomatic initiatives culminating in the State Department’s Joint Comprehensive Plan of Action (JCPOA) have provided the international community with improved oversight of the country’s nuclear program, Iran is still concerned with enhancing its security, prestige, and regional influence. Widespread reports about ISIL’s use of mustard gas have resulted in Iraq joining Syria as a potential site for chemical weapon deployments.

Lastly, the increasing availability of genetic technology has led to GENOME EDITING appearing on the WMD list.

Outer Space

The IC’s assessment of threats in SPACE shows a substantial increase in the number of potential actors, with some 80 nations now participating. Russia and China have developed new COUNTERSPACE capabilities. Russia, which has touted its use of satellite capabilities in support of its Syrian campaign, likely considers countering the U.S. space advantage to be a critical component of warfighting.

Counterintelligence

The COUNTERINTELLIGENCE threat environment remains complex, with Russia and China still heading up a long list of potential state and non-state actors who would seek to penetrate and influence U.S. national decision making. Increasingly sophisticated IT is now the primary vehicle for their actions.

Organized Crime

The IC’s assessment of the threat from ORGANIZED CRIME has shifted to place additional emphasis on drug trafficking, but human and wildlife trafficking, and the role of crime in promoting corruption, are still referenced.

Human Security

In HUMAN SECURITY, atrocities, global displacement, and climate change have joined extreme weather and infectious disease as significant threats. The growing global consensus on climate change is viewed as cause for optimism, but the health threat presented by the Zika virus is taken as indicative of the potential risks of entirely new diseases arising from human encroachment into animal habitats.

IC’s View Of Regional Threats

The IC takes the view that, while great power competition is increasing, the geopolitical environment continues to offer opportunities for the U.S. to co-operate with other nations. However, an international environment defined by such a mix of competition and cooperation will likely undermine existing international institutions.

In the MIDDLE EAST, SYRIA continues to dominate the agenda because of the four million refugees displaced by conflict into Turkey, Lebanon, Jordan, and Iraq. The IC assesses that the country’s government will be able to make gains against ISIL, but won’t be able to fundamentally alter its battlespace. Conditions in IRAQ are considered to be improving as ISIL rule falters and sectarian strife is reduced. However, the Iraqi Sunni population’s fearfulness of the Shia-dominated government in Baghdad may hinder efforts at uniting against ISIL.

IRAN presents an enduring threat despite its adoption of the JCPOA and release of 10 U.S. sailors because of its support for regional terrorism and for the Assad regime. In LIBYA, the conflict between two governments in Tripoli and Tobruk has hardened divisions within the country, and damaged the economy, leaving a power vacuum that has been exploited by terror groups. YEMEN’s conflict also remains stalemated, but all sides — plus international backers like IRAN — have expressed willingness to participate in peace talks. LEBANON continues to struggle with spillover from SYRIA. EGYPT faces persistent threats from domestic terrorists directed primarily against state security forces. TUNISIA also faces an ongoing terror threat and high unemployment, but its year-old democratic government gives some hope for the future.

TURKEY, still key to U.S. objectives in the region, is dealing with renewed concerns about the actions of its Kurdish minority, now being courted by Russia in relation to its Syria campaign. It is also dealing with a substantial refugee problem arising from the conflict in SYRIA.

In EURASIA, Russia continues to reassert its status as a great power, using its expanded role and continuing military success in Syria for leverage. Putin’s standing remains at a record high two years after the land grab he orchestrated in Ukraine, despite its negative impact on Russia’s steadily contracting economy. UKRAINE, MOLDOVA and BELARUS are seeking equilibrium with their increasingly strident neighbor. Regional tensions between GEORGIA and RUSSIA and between ARMENIA and AZERBAIJAN remain high, and it seems likely that RUSSIA will seek to increase its influence in the area because of its concerns about terrorist instability.

CHINA continues to dominate the entire context of ASIA, extending its influence on the world stage while conducting an ongoing program of ambitious economic and legal reforms. In NORTH KOREA, Kim Jong Un has strengthened his unitary power and renewed focus on the country’s military program via provocative and threatening behaviors including this year’s missile launches and underground nuclear tests. The new bloc presented by the ASEAN community of Asian nations may curtail CHINA’s ambitions, but the cohesiveness of the group is undercut by the different developmental levels of its member states. Elites run everything and corruption is normal.

In SOUTH ASIA, AFGHANISTAN remains unstable, with a deteriorating security situation that is likely to result in yet more fighting this year. ISIL’s new Khorasan branch will remain quiescent, but Taliban forces under the leadership of Mullah Akhtar Mohammad Mansur present a renewed threat. Tensions between INDIA and PAKISTAN remain at an elevated level. In PAKISTAN, Sheikh Hasina’s continuing efforts to undermine the political opposition will provide openings for terror groups like ISIL, which has already claimed responsibility for a series of attacks on foreigners.

The IC no longer considers SUB-SAHARAN AFRICA’s stability to be badly compromised by the Lord’s Resistance Army or Al-Qa‘ida in the Lands of the Islamic Maghreb (AQIM), and the threat from Ebola has for the moment abated. However, NIGERIA’s government still faces a significant challenge from Boko Haram. Long-running political disputes continue in SUDAN and SOUTH SUDAN, and DRC, BURUNDI and the CENTRAL AFRICAN REPUBLIC are all dealing with tensions arising from broken democratic processes. In SOMALIA, the elected government is reliant on African Union support to exert its authority over al-Shabaab forces in regions of the country outside the capital.

In LATIN AMERICA, droughts, gang violence and political instability are all driving migration to the U.S. The Assessment notes that the exodus from CUBA to the U.S. grew by 76 per cent in 2015, driven by the slow pace of economic reform in the country and fears of a U.S. repeal of the 1966 Cuban Adjustment Act. VENEZUELA and BRAZIL both face economically-driven political instability.

The full assessment is here: http://www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-_SASC_FINAL.pdf

Kristina Tanasichuk is CEO & Founder of the Government Technology & Services Coalition, a non-profit, non-partisan organization of small and mid-sized companies working in homeland and national security. She is also the president of InfraGardNCR, a public private partnership between the private sector and the FBI to share information to protect our nation’s critical infrastructure, and the president and founder of Women in Homeland Security.

Take the Cyber Security Survey Today

Annually, the Government Technology & Services Coalition joins forces with InfraGard of the National Capital Region to survey our members and other private sector companies to help understand the cyber security environment, threats and trends. We do this during Cyber Security Awareness Month to bring attention to this critical homeland and national security issue and to continually inform our products and services that help you identify, mitigate and prevent cyber attacks.

This cyber security survey was created to produce an estimate of cyber security incidents occurring in the private and non-profit sector, focusing heavily on companies operating in the Washington, D.C. region. The survey seeks to understand the private sector’s awareness, understanding, preparedness and gaps related to cyber security intrusions and attacks. The results will provide the basis for enhancing or initiating efforts to strengthen information sharing and awareness, to inform our public private partnerships, and to create meaningful programming and tools to combat the cyber threat.

Survey Scope: The survey collects data on the type and frequency of computer security incidents in which a computer was used as the means of committing a crime against the company or as a conduit through which other intrusion and/or criminal activity was perpetrated. It also collects data about the type and size of the company, cyber security practices, and computer infrastructure.

Reporting Period: The reporting period for this survey is calendar year 2013.

Survey Confidentiality: Your responses to this survey will be seen by individuals from the sponsoring entities who agree to uphold the confidentiality of your responses and use the information only for statistical/reporting purposes from which no individual company or entity will be identified.

Beating the Cyber Security Drum

Every year, the Government Technology & Services Coalition beats the drum of cyber security – particularly during October’s Cyber Security Awareness Month.

We pull out the cute little monster virus icons, we parade a series of sessions, webinars and blogs about the perils of ignoring cyber security, and try to provide some tangible steps for small firms – or really ALL firms — to implement to be responsible partners to their Federal clients.

There is still quite a bit of complacency — but the threat to our nation and to our assets is very real. Most recently, the Senate Armed Services Committee found that Chinese government hackers have repeatedly infiltrated the computer systems of major U.S. companies, including government contracting firms of all sizes, to find out about the movement of U.S. troops and military equipment.

U.S. Transportation Command, or Transcom, was aware of only two of the intrusions. Gaps in reporting requirements and a lack of information sharing left the U.S. military largely unaware of the computer compromises of its contractors.

What the Senate Armed Services Committee really found is that cyber security, information sharing, and defending our systems MATTER NOW. And protecting “our systems” means protecting a complex ecosystem of both public and private entities enmeshed through so many access points that it is virtually impossible to untangle them all. Detecting the patterns of attack requires a complex collaboration between government and industry.

Although efforts to address cyber security are still “in process” – for contractors the writing is on the wall.

Currently, cyber security is still “voluntary.” To satisfy President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity, this year we saw the release of two reports that map out the future of cyber in procurement: the DOD-GSA report on Improving Cybersecurity and Resilience through Acquisition and NIST’s Cyber Security Framework — a description of what should be in a cyber security program.

The “mandatory” is coming: late last year, DOD required companies handling ‘unclassified controlled technical information’ to implement security controls and report incidents within 72 hours of discovery. This is only the beginning.

Lawmakers are using the tools at their disposal to tighten up security through procurement — a provision was added to the annual National Defense Authorization Act to tighten requirements for defense contractors to report cyber attacks by known or suspected government actors.

So, everyone is – or should be — preparing. But there are still important questions like, “when are my systems ‘secure’? what happens when I am the victim of an attack? What if I’ve done all the right things?”

To find some answers, most contractors are watching the examples. USIS – a government contracting firm that performed background investigations for the government – is currently front page news. After detecting a breach, the company reported it to the Department of Homeland Security. Subsequently their contracts pertaining to background checks with both DHS and OPM were suspended.

At first blush, that sends an ominous message. However, the reality of “cyber” is that every company is vulnerable, and every company from Lockheed Martin to the much smaller USIS has fallen victim to hackers, breaches, or attacks of one kind or another.

What we are learning every day is that partnerships – BEFORE an attack – will make or break our success. And that “waiting” is not a strategy.

So you’re probably thinking, well that’s all well and good Kristina. What does it mean for me?

It means that if you are working with Federal clients, this is that moment when you look up from the weeds to see the trees:

FIRST: Join the FBI’s InfraGard – or have your CISO join. The public private partnership’s mission is to protect the critical infrastructure of the United States and its roots rest squarely in cyber – protecting our digital infrastructure. They provide invaluable alerts, lots of training and information to assure you are ahead of the curve and know who to call, when.

SECOND: Join an organization, network, information sharing exchange that will educate you about the cyber requirements coming down the pike. Learn what is required – and build your cyber security practices beyond that. Cyber security is a new cost of doing business with the Federal government and you need to be ahead of the curve.

THIRD: Use the free resources available to you to develop your cyber plan and educate your employees. GTSC has a slate of resources available to help small and mid-sized companies educate their employees, and the FCC has developed a free cyber security planner for business. StaySafeOnline.org has the resources and information to educate your workforce – you just need to use them.

Kristina Tanasichuk is CEO and founder of the Government Technology & Services Coalition. She is also President and founder of Women in Homeland Security and Executive Vice President of the InfraGard National Capital Members Alliance. She has worked in homeland security and domestic infrastructure for nearly 20 years.

Mitigating the Insider Threat Through Personnel Surety Counterintelligence

The Department of Homeland Security, in coordination with US Customs and Border Protection, is at the forefront of preventing insider threats within its law enforcement operations. These threats take the form of overt actions made possible by gaps in coordination and process mistakes that lead to self-created but preventable vulnerabilities.

To assure this continued success, a Personnel Surety Counterintelligence mission must be put in place through a management and implementation functionality that will meet the following objectives:

• Assess and audit the effect of the insider threat through risk analysis threat algorithms

• Establish a collaborative information-sharing personnel surety data base system that tracks action requirements and assigns accountability on a continuous basis

• Build a personnel surety counterintelligence business process into each law enforcement mission area, both operational and technologically supported through stakeholder collaboration

• Create a culture built around a robust personnel surety plan to ensure that a need to share for operational success supersedes the need to protect information

• Identify the insider threat and vulnerabilities through a continual monitoring system of checks and balances

• Counter the inadvertent mistakes that lead to the insider threat through the deployment of technologies that drive mission success and efficiencies


Coordinating the Government’s Personnel Surety Mission

The multi-faceted challenges of working in today’s mission-critical environments and multiple enterprise coordination formats require innovative approaches that stress stakeholder creation and participation with built-in accountability, under an umbrella set of governance parameters. This is especially true in the world of counterintelligence / insider threat in light of the number of initiatives currently underway to protect the United States government information infrastructure. It is imperative that the following initiatives be established:

• Establishing a government-wide personnel surety process and management discipline supported by standardized and relevant technologies

• Coordinating the activities of multiple operational centers, including sharing information about malicious activity and establishing common operating standards and procedures to: track information sharing, require acknowledgement of information received, and provide reports of counter-actions taken

• Deploying technology advancements in order to counter the threats both from an IT and behavioral perspective

• Engaging the private sector, as a partner, to extend the envelope of protection beyond the government’s firewall in a manner that is clear and manageable to that sector

These initiatives are designed to break the pattern of information silos and to overlay new paradigms that will mandate sharing and accountability to protect lives and critical mission information while providing stakeholders tangible metrics for their participation.

They also address the technology aspects required to support this new paradigm by ensuring that the most appropriate tools are in place, under the most cost-effective basis.

Establishing Enterprise-Level Governance

As recent events have proven, internal barriers may well be the biggest stumbling blocks to “connecting the dots” on a threat and preventing violence.

Deployment of a CBP Enterprise Program Management Office (EPMO) is a successful methodology that will enable CBP to break through such barriers and establish an enterprise-level governance functionality that will assure the success of the insider threat mission. An insider threat EPMO will allow CBP to:

• Coordinate the Counterintelligence Mission Focus across all of the Federal Mexican Police Department

• Deploy technologies that drive mission success and efficiencies

• Establish performance metrics and measurable outcomes linked to meeting the counterintelligence insider threat mission


Successfully Deploying the EPMO

A successful Counterintelligence EPMO will require the following focus to its activities:

• Developing and documenting a clear understanding of the mission

• Establishing an executive Governance Board

• Organizing with a focus on meeting the counterintelligence mission

• Deploying operations that protect the mission from internal/external threats

• Leveraging technology to enable the counterintelligence mission

• Establishing a disciplined standards-based foundation

It is critical that CBP establish an EPMO to serve as a central program management body, one which both manages and coordinates core insider threats and counterintelligence activities. The EPMO performs much of the program management related work for individual programs as well as the organization at an enterprise level, while still valuing the individual program contributions and objectives.

Establishing and sustaining this focus for the EPMO will require that four themes be addressed: statutory and other mandatory drivers, organization and supporting processes, technology requirements, and cultural change.

1. Statutory and Other Mandatory Drivers

Any EPMO is responsive to the statutory and / or regulatory drivers that established the mission for a sponsoring agency, augmented by internal agency directives or other mandated requirements. It is critical that information on these be gathered, analyzed, and clearly understood. After this it must be coalesced into a charter statement that all stakeholders will commit to support and follow under a program organization that has been developed and accepted in a collaborative process. Specific mission performance objectives may then be developed. Successful implementation of these is a function of establishing a common operating environment that has two components: process and supporting technology.

2. Organization/Process

The processes defining the EPMO’s operating framework must promote the effectiveness, efficiencies, and collaboration necessary to successfully meet the established counterintelligence insider threat mission. Once established, these characteristics must be sustained by adopting a regular process of review through which the operational and control processes of the EPMO are assessed and revised, and opportunities for improvement are incorporated. The effective EPMO deploys Key Performance Indicators (KPIs) measuring key processes, especially those that touch the counterintelligence insider threat customer.

The EPMO monitors the KPIs to identify reductions in performance and, as a result, to proactively deploy revised and improved processes. Incorporation of standards and ratings to ensure ongoing performance maturity is essential in order to ensure that the stakeholders of the EPMO are receiving the best information and are participating in decision-making as appropriate.

3. Technology

Even while most EPMOs operate in a highly automated environment, the successful counterintelligence insider threat EPMO team understands the use of technology is not the answer to all problems. That team also understands that well-deployed technology remains a critical, but supporting, component to highly qualified personnel and a well-run EPMO organization.

These technologies should be “smart”, scalable, flexible, extensible, and self-monitoring. The requirements for deployment must be based on the automation of a collection of previously manual processes and should provide short-term tactical efficiencies in response time, effectiveness, and productivity. They must not disrupt processes unless that disruption is part of a well-understood process improvement strategy. They must be well understood, and users and customers must be well-trained and able to quickly incorporate the technology capabilities into the responsibilities assigned to them.

4. Culture

The EPMO must be staffed by program, change, technology, and counterintelligence professionals who are directly accountable to the counterintelligence mission and to the Department’s strategic objectives. The individuals in the EPMO must have the necessary credentials, as well as the managerial, consultative and functional counterintelligence experience, necessary to operate a Department-level counterintelligence program office. While necessity often requires that personnel and resources are gathered from other parts of the Department, once those resources are assigned or brought into the EPMO, the mission of the EPMO takes precedence; any adherence to previous cultural and organizational barriers becomes a secondary priority.

The above four goals must be addressed via a specific implementation process consisting of three primary phases: Initiation, Planning, and Execution, coupled with ongoing Assessment and Update once all facets of the EPMO have been deployed. Each phase has its own input requirements and results in deliverables which are critical to day-to-day execution of the mission objectives.

The advantages of this phased approach are multiple:

• An over-arching mission definition is established, to ensure that all participating agencies are operating to the same goals and objectives

• Agency and other users are provided hands-on guidance to support them through collaborative / facilitated involvement and integration into the counterintelligence program

• The EPMO establishes standards, processes and performance measures, as well as measuring tools

• Agencies are left with flexibility in the management of individual counterintelligence activities while adhering to enterprise business rules

• Some impact on the organization, which may require changes in organization structure and / or roles and responsibilities

• Relieves agencies and program teams of much of the responsibility and details of program management-related activities

• Allows users to focus on the counterintelligence activities, resolution of technical issues, and threat adjudication under a common set of ground rules and information-sharing environments

Conclusion

The need for a successful counterintelligence program demands a direct approach to establishing coordination. Therefore, the Counterintelligence / Insider Threat EPMO would provide the most robust construct for securing enterprise-wide coordination and help break down the organizational silos preventing success. The EPMO will provide a personnel security program as well as counterintelligence / insider threat coordination to the entire enterprise: from the Executive level to managers, to Federal Officers, to professional staff, to security personnel, to IT personnel, and finally, to IT Security personnel down to administrative and clerical staff.

Contributing Author:

BillCarrollBill Carroll is a co-founder and the President of the EnProVera Corporation, a Service Disabled Veteran Owned Small Business and Native American Owned Small Disadvantaged Business.  Prior to EnProVera, he was the Managing Partner of Strikeforce Consulting.  Bill has over 40 years of experience in law enforcement, in the U.S. Government, and in the Government Contracting Industry.  He retired from the U.S. Government in 1998 after a distinguished career in the Immigration and Naturalization Service (INS).  Bill was the Director of the INS Washington District Office and Deputy Director of the Los Angeles District Office. 


Get a Data Breach Response Plan

As data breaches proliferate in and outside the government, companies face serious ramifications if breaches are not addressed by leadership. With the DOD-GSA Cyber Resilience Rules looming, the NIST framework on the horizon and cyber security identified as the major priority for Congress and the Administration, GTSC's Capacity Building session on data breach will focus on your company's preparedness, incident response, notification and legal responsibilities when experiencing a data breach. Attendees will receive a Data Breach Response Guide and walk through hands-on procedures and considerations for your data breach policy. This is a must-attend for all small and mid-sized businesses working in the homeland and national security field.

May 22, 2014 | 8:30 am – 11:30 am
Arlington, VA


About Michael Bruemmer

Michael Bruemmer is Vice President of the Experian® Data Breach Resolution group at Experian Consumer Services, the leading provider of online consumer credit reports, credit scores, credit monitoring, other credit-related information, and protection products. With more than 25 years in the industry, Michael brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space, where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Michael is a Certified Information Privacy Professional and Certified in Healthcare Compliance. He currently serves on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.

GTSC Submits Comments on GSA-DOD Cybersecurity & Resilience

GTSC, working in collaboration with Brian Finch of Strategic Partner Dickstein Shapiro and GTSC members Robert V. Jones, CEO of PReSafe Technologies; Larry Grant, CEO, EnProVera; and Gary Daemer and Mark Dale, InfusionPoints, submitted comments to the Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition. GTSC's comments focused on clear and achievable cyber requirements that will not put small and mid-sized companies at a competitive disadvantage. Additionally, GTSC highlighted that an "LPTA" (lowest price technically acceptable) environment is not conducive to robust cybersecurity and that procurements that seek best value are more appropriate. Please email us if you'd like a copy of our comments.

THE PRIVACY & CIVIL LIBERTIES ASSESSMENT REPORT: WHAT DOES IT REALLY TELL US? A CHIEF PRIVACY OFFICERS’ PERSPECTIVE

The week of April 7, 2014, with little notice or fanfare, the Department of Homeland Security issued its first annual Executive Order 13636 Privacy and Civil Liberties Assessment Report 2014. The report addresses the privacy and civil liberties impacts of certain agencies' undertakings with respect to critical infrastructure cybersecurity and resilience. It is revealing as much for what it says as for what it doesn't say with regard to the protection of privacy and civil liberties in the Executive Branch. The report is a study of contrasting approaches to privacy and civil liberties among first tier federal agencies.

On February 12, 2013, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience. Combined, the documents call for the federal government to work with the private sector to strengthen the security and resilience of the Nation’s infrastructure – the vast majority of which is privately owned – and do so in a way that protects the privacy and civil liberties of Americans.

As set forth in the EO 13636 Report, departments and agencies are required to do the following:

  • Develop a technology-neutral voluntary cybersecurity framework;
  • Promote and incentivize the adoption of cybersecurity practices;
  • Increase the volume, timeliness, and quality of cyber threat information sharing;
  • Explore the use of existing regulation to promote cyber security; and
  • Incorporate strong privacy and civil liberties protections into every initiative to secure our CI.

Additionally, PPD-21 requires that departments and agencies:

  • Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time;
  • Understand the cascading consequences of infrastructure failures;
  • Evaluate and mature the public-private partnership;
  • Update the National Infrastructure Protection Plan to take into account cyber aspects of infrastructure; and
  • Develop a comprehensive research and development plan.

The Department of Homeland Security (DHS) is the lead agency under the EO and PPD. And, under Section 5 of the Executive Order, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS, in consultation with the Privacy and Civil Liberties Oversight Board and in coordination with the Office of Management and Budget, are responsible for issuing a privacy and civil liberties assessment, with contributions from the privacy and civil liberties officials of the other agencies covered under the Executive Order (the Departments of Commerce, Defense, Health and Human Services (HHS), Justice, Transportation, Treasury, and Energy; the Office of the Director of National Intelligence (ODNI); and the General Services Administration (GSA)).

“Protections” include the Fair Information Practice Principles and any other privacy or civil liberties policies, principles or frameworks. The Fair Information Practice Principles to be used are those found in Appendix A of the National Strategy for Trusted Identities in Cyberspace, which mirrors the DHS Fair Information Practices (FIPPs), set forth in DHS Privacy Policy Guidance Memorandum 2008-1, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security.

At close to 50 pages, DHS's section was the most comprehensive, robust assessment contained in the report. The two DHS offices addressed their authorities, frameworks, and involvement with the Administration's critical infrastructure cybersecurity efforts, and then the four areas in which DHS was carrying out its responsibilities under EO 13636 and PPD 21: Cybersecurity Information Sharing (Sharelines); Expansion of the Enhanced Cybersecurity Services Program; the DHS Private Sector Clearance Program; and the DHS Loaned Executive Program. For each of the four areas, the DHS assessment provided a concise discussion of the agency's actions, past and present, and the implications for privacy and civil liberties. Importantly, DHS addressed in very meaningful ways the circumstances under which it would use PII. After each area, the assessment listed recommendations to DHS, for a total of seven recommendations, many of which encourage increased transparency, oversight, and education.

The other departments' and agencies' assessments were far shorter, with far less detail. Significantly, many are sector-specific agencies in sectors with vast amounts of PII about American citizens. This month alone, the Government Accounting Office called out the SEC (GAO-14-419) and the IRS (GAO-14-405) to improve controls over financial systems and data, and, most notably, the overall lax Federal agency response to data breaches involving PII (GAO-14-487T). This sector-specific PII might well be the target of future cyber incidents, and it certainly would be connected to any future incidents, yet most of the other agencies required by the E.O. could only muster cursory assessments under 10 pages in length.

For example, Treasury, the sector-specific agency for banking and finance, lightly assessed its involvement in four pages covering three programs: the Critical Infrastructure Private Sector Clearance Program, the Voluntary Critical Infrastructure Cybersecurity Program, and Identification of Critical Infrastructure at Greatest Risk. Treasury provided no meaningful discussion of the FIPPs in its assessment, a requirement of the Executive Order.

Defense's assessment addressed the Defense Industrial Base (DIB). Specific initiatives included the DIB Cyber Security/Information Assurance (CS/IA) Program and the DIB Enhanced Cyber Security Services (DECS). Importantly, Defense noted that a "specific cyber incident may include PII that is incidental to, or embedded in, the information the DIB company has shared with [Defense] for cyber security analysis." In the absence of a list of affected DIB companies, and of the type and amount of PII that could be the subject of a cyber incident, the Defense assessment failed to provide a meaningful discussion of the privacy impacts associated with such sharing.

Justice’s assessment was surprisingly short, four pages, especially given that the Justice Privacy and Civil Liberties Officer is a senior position within the Department and an equal of DHS’s Chief Privacy Officer. The Justice assessment focused on iGuardian, “an unclassified web portal designed to accept cyber intrusion complaints from the private sector.” As the ACLU noted, Justice’s remark that only information that is “relevant” is maintained is dubious in a post-Snowden world, given that all information in the digital realm may be relevant to law enforcement and intelligence agencies.

Commerce’s very brief assessment focused on the National Institute of Standards and Technology’s (NIST) work on the Cybersecurity Framework in collaboration with industry. In fairness to Commerce, NIST has not yet issued its final version of the Framework, arguably limiting its ability to provide a thorough assessment of NIST’s efforts.

The assessment from HHS, the sector-specific agency for health care, ever so briefly touched on the various aspects of EO 13636 and PPD 21 with which it was involved: Cybersecurity Information Sharing; Cybersecurity Framework; Voluntary Critical Infrastructure Cybersecurity Program; and Identification of Critical Infrastructure at Greatest Risk. Transportation was the same, lightly touching on: Cybersecurity Information Sharing; Development of Cybersecurity Framework; The Cybersecurity Framework; Voluntary Critical Infrastructure Cybersecurity Program; and Identification of Critical Infrastructure at Risk. Energy's assessment focused on its PPD-21 responsibilities related to the energy sector. Surprisingly, Energy failed to discuss those responsibilities from a civil liberties perspective.

ODNI assessed the implications of its issuance of “instructions for the Intelligence Community (IC) to ensure the timely production of unclassified cyber products to the U.S. homeland that identify a specific targeted entity”, otherwise known as “tearlines.” The ODNI assessment provided a passable discussion on the FIPPs, but in transitioning to the agency’s Intelligence Community responsibilities, it appeared to be accepting as true that any already collected PII was properly corrected. In light of the Snowden revelations and the bulk collection of telecommunications and internet service provider data, this part of the assessment rings hollow.

Finally, GSA addressed its responsibilities under the EO to work with Defense to make recommendations “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” GSA came to the remarkable conclusion that its joint report with Defense on acquisition “does not directly impact privacy and civil liberties as personally identifiable information (PII) is not collected, used, or disseminated.”

Taken as a whole, it is clear that privacy is not protected in an equal fashion across the Executive Branch. Many agencies do not grasp the policy implications of the FIPPs. Some did not even bother to address them. Lastly, there was an overall lack of transparency in the agencies’ critical infrastructure cybersecurity efforts. And that may be the most important aspect of this report: it shows how far tier one agencies have to go to get privacy right.

Contributing Author:  Hugo Teufel

Hugo Teufel is the former Chief Privacy Officer of the U.S. Department of Homeland Security. An attorney, he assists public and private sector clients in a wide range of areas including privacy and security; investigations, compliance, and corporate governance; defense and homeland and national security; and government contracts formation, administration and litigation.

Comments on Cyber Requirements for Alliant II & Alliant Small Business Needed

Information assurance, IT security and cybersecurity are issues of increasingly critical focus and importance within the federal space. With that in mind, the concept of a Cyber Security Risk Management Plan has emerged as a possible solution for bridging the gap between industry and government while checking all the boxes in FIPS 200 (http://csrc.nist.gov/publications/PubsFIPS.html) and the underlying guidance published by the National Institute of Standards and Technology (NIST). We would be interested in and value your opinion regarding the proposed approach to addressing an overarching cyber security plan for IT government contracts.

More information and the proposed plan are here.

1. This request for comment is one of several such requests being conducted through "GSA Interact" to obtain public and private sector input on the contract requirements as they are developed. The purpose of this activity is to collaborate with government and industry to gain sufficient input and feedback regarding the pre-planning phase of the follow-on contracts to the very successful Alliant and Alliant Small Business Governmentwide Acquisition Contracts (GWACs).

2. The ultimate goal of including these requirements in the Alliant contracts is strengthening the cybersecurity and resilience of the Federal government by improving cybersecurity risk management in the solutions procured by agencies through the Alliant GWACs. The proposed Contract Cybersecurity Risk Management Plan will become part of the base contract and is intended to provide a high-level summary of an industry partner's plan to address common, high-level security requirements that are pertinent to any information technology project/order. It is not intended to duplicate the more detailed security deliverables that may be associated with an order requiring an authorization to operate.

3. It is important for stakeholders to note that this effort is intended to align with the recommendations made by GSA and DoD in the joint report "Improving Cybersecurity and Resilience through Acquisition," which can be downloaded at this link: http://www.gsa.gov/portal/content/176547. The interagency working group that drafted the recommendations has been directly involved in developing this draft language with the Alliant program office, and the ongoing implementation of the report's recommendations will also be informed by input received in response to this request for comment. The team that drafted this contract language also plans to develop a template for the Cybersecurity Risk Management Plans, and overlays (as referenced in the aforementioned report) for the Alliant II ordering guidance. Public input on the plan template and overlays will also be sought.

4. Interested parties are encouraged to respond to this request for comment in any way that provides relevant input about any aspect of the draft document, including "redline" or "track changes" versions of the actual document. In addition, addressing the draft in the context of the following questions may be instructive.

a. In general, is the approach articulated in the draft document a workable way to achieve the goals of the effort? What, if anything, needs to be added or removed?

b. Is the Cybersecurity Risk Management Plan, as described, adequate and appropriate to provide increased cybersecurity and resilience in the Alliant contracts and orders?

c. In addition to information security controls derived from the Cybersecurity Framework and other relevant NIST guidance and international standards, what other management safeguards that address business cyber risk should be included in the Contract Cybersecurity Risk Management Plan?

d. Should the Cybersecurity Risk Management Plan requirement "flow down" to subcontractors?

e. How should the Cybersecurity Risk Management Plan be priced in firm fixed price contracts when the Government unilaterally requires an update to an accepted plan? When a company submits an update to an accepted plan of its own accord?

f. Should the Government establish a minimum weighting for the Cybersecurity Risk Management Plan if/when it is used as a comparative source selection evaluation factor?

g. What should the Government use as minimum acceptance criteria for Cybersecurity Risk Management Plans?

h. Do the security-related areas listed in paragraphs (b)(3)(i)-(iii) provide an objective and measurable basis for comparative source selection evaluation of the Cybersecurity Risk Management Plans?