What Government IT Leaders Need to Know About OMB's New Cybersecurity Rules
A single password. That is all it took for the cyberattack attack against Colonial Pipeline in May 2021. The attack shut down the line for days and caused widespread disruption with a rise in gas prices, panic buying, and fuel shortages.
Colonial Pipeline Chief Executive Joseph Blount admitted that the company did not have a plan in place to prevent ransomware attacks. The attack used a legacy VPN system that lacked the common safeguard of multifactor authentication. Blount said, “It was a complicated password, I want to be clear on that. It was not a Colonial123-type password.” But as we all know, weak passwords are just a small part of the problem.
The details about the Colonial Pipeline attack were shared at a U.S. Senate committee meeting that had been convened to examine cyber threats to essential U.S. infrastructure. Attacks are on the rise and in 2020 the White House reported 30,819 information security incidents across the federal government. This was an 8% increase from 2019.
The federal government is now being more hard-hitting in its actions to counter cyber risks. The White House, the Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget (OMB), and other related governmental groups are all involved with enforcing stricter cybersecurity measures for government agencies. These new sets of rules will have a big impact on government IT protocols and hopefully lay a strong foundation against future attacks.
The New Cybersecurity Directives from the Federal Government
On August 10, 2021, the Office of Management and Budget (OMB) issued Memorandum 21-30. It directed all agencies to identify the critical software in use or in the acquisition process as defined by the National Institute of Standards and Technology (NIST) within 60 days. Within one year, all agencies must implement the security measures designated by NIST for all categories of critical software included in the initial phase.
These are some of the objectives that the new security measures hope to achieve:
- Protect critical software from unauthorized access and usage.
- Protect the confidentiality, integrity, and availability of data used by critical software.
- Quickly detect, respond to, and recover from threats and incidents involving critical software.
The OMB memo follows on the heels of President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity that was announced in May 2021. It was intended to protect the nation’s critical infrastructure and federal government networks that underlie the country’s economy and way of life. Some of the key points the executive order covered were:
- Remove barriers to threat information sharing between the government and the private sector.
- Improve software supply chain security.
- Create a standard playbook for responding to cyber incidents.
How the OMB Rules Impact Government IT
There is no doubt that there is a need to up the government’s cybersecurity game. But the real work falls on the shoulders of the governmental agencies’ IT teams who are under aggressive deadlines to protect their critical software.
During the initial implementation phase, the OMB directed agencies’ IT teams to focus on standalone, on-premise software that performs security-critical functions or poses similar significant potential for harm if compromised. For example, software that includes applications that provide identity, credential, and access management (ICAM) or operating systems, hypervisors, and container environments.
The NIST is trying to help IT teams by regularly publishing updates about their progress in defining the critical software and providing guidance for IT teams to fulfill the security measures. The NIST plans to collect feedback from both government agencies and the industry throughout the year-long process and refine its initiatives along the way.
Steps for Government IT Leaders to Take
Beyond the obvious of following the OMB’s directives, there are some steps government IT leaders can take to make the process easier and more manageable. These are three areas to focus on:
- Make your plan: It sounds simple, but you should map out what needs to be accomplished, set a timeline, and assign tasks. A solid plan will help to reduce the complexity of the project and accelerate progress. Start with a concrete understanding of the OMB’s directives and then apply them to your own agency.
- Review your policies and practices: Governance for critical software is a major part of both President Biden’s Executive Order and the OMB memo. Make the necessary updates to existing policies or establish new ones that are in sync with your agency’s overall cyber response plan. Think about how you are procuring critical software, how you are evaluating it against threats, and ways to decommission the software when it is no longer needed.
- The CISA is your friend: In addition to the information provided by the NIST, another group to turn to for help is the Cybersecurity and Infrastructure Security Agency (CISA). CISA’s continuous diagnostics and mitigation (CDM) program helps agencies to improve their cyber response capabilities and reduce their threat surface. CISA can provide assistance with meeting the OMB’s deadlines and agencies can leverage the CDM to obtain security event monitoring services, data discovery protection, and loss prevention support.
Cyberlocke is a comprehensive, full-service IT services provider that architects and implements efficient and secure solutions for enterprise and government customers. We specialize in security, cloud, managed services, and infrastructure consulting. Contact Us today to learn more.