Posted on May 11, 2017
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical...
Agree with the review, but does it take an Executive Action to tell his cabinet to do so?
Maj Kevin "Mac" McLaughlin
Seems to me this is a "huddle up" to set the executive agencies (DoD, DOS, NSA, DHS, etc) straight on the expectations of them with regards to IT compliance. This is something Clinton failed to do and/or her people failed to inform her properly on when she was Sec of State.
While much of the order readdresses what is already required of the IT infrastructure, it also gave all the agencies a timeline to verify to the President that they are in compliance. This in turn ensures all agency heads are aware of their responsibilities (something Clinton "claimed" she was not) with regard to safeguarding the IT infrastructure. Should another CIO not brief their leadership properly, or an agency lead accept risk which could be mitigated (and it wasn't reported as required by the EO), I am hoping the hammer will for once come down.
We need to start holding those who are responsible for accepting and mitigating risk accountable when they fail to comply. If agency leads would take this role more seriously and ensure all IT security needs are prioritized, it will go a long way toward improving our cyber security posture.
It sounds great, but will the funding be there? Where I work, we use everything from DOS 3.0 up to Server 2012. We have not updated our older machines like DOS, Win98, Win2k because the systems run very important and very expensive software. The vendors for some of our equipment no longer exist. At my facility alone it would cost hundreds of millions of dollars to replace about 40% of our systems. If it's not funded then it's just more hot air!
CPT Adam P.
Maj Kevin "Mac" McLaughlin - For DoD, that works well. For other government agencies, not so much. We have gotten more money in the last few years, but it is nowhere near the money we need. We get the same type of speech every year. After the leadership sees the sticker price, the next comment is that we will use it until it breaks. As a matter of fact, we have spares in case they break. Just last month, I bought a new PC module from National Instruments that cost $6k. This was one PC module that goes into a chassis that has 5 different cards. Each card costs around $2k. I purchased the PC module with Windows 7, but we had to return it because the software was not compatible with Windows 7. Now we have to upgrade the software, and that will cause the facility to be shut down for two months while we test it. That's just one example at one facility for one system. I have an inventory of hundreds of systems. My point: I wish it was as easy for other agencies as it is for DoD.
Maj Kevin "Mac" McLaughlin
It's not easy for DoD necessarily, and the process is generally the same. Believe me when I say there are tons of legacy systems in the AF. I realize the other agencies do not get nearly the same amount of money, which is why I've always believed cyber needs to come from a different source and process. That would also come with a requirement for DoD / NSA / DHS to lead the efforts in protecting all the others. Question... Is your system assessed as MAC I, II, or III?
CPT Adam P.
Maj Kevin "Mac" McLaughlin - We don't categorize our systems using Mission Assurance Categories. We use NIST 800-53, and based on that we are Moderate. DHS has come down with the CDM program, and based on their plan, they have no clue how to handle OT (operational technology). That is our main problem: IT and OT are two different things, but everyone tries to treat OT like IT without understanding the challenges of securing OT.
Maj Kevin "Mac" McLaughlin
I hear you, and I've been studying up more on OT recently as it relates to ICS systems. These are expected to be one of our mission sets eventually.