The United States is under attack. Our federal systems face unprecedented threats, and every federal employee is on the front line of this cyberwar.
Protecting our information systems is a top priority for all levels of leadership. The White House has budgeted $769 million for fiscal year (FY) 2013 (up from $459 million for FY 2012) for the National Cyber Security Division of the Department of Homeland Security (DHS). Teri Takai, Department of Defense Chief Information Officer, has a single quote on her homepage: “Information is our greatest strategic asset.” Her 10-Point Plan for IT Modernization emphasizes leveraging automated tools and continual assessments to strengthen cybersecurity. At the RSA® Conference 2012, there was talk of U.S. and Canadian government agencies adopting the SANS 20 Critical Security Controls (20CSC) as a standard.
Potential cyber attackers are guided by many principles, some of them centuries old. The Chinese military strategist Sun Tzu wrote, “Speed is the essence of war. Take advantage of the enemy’s unpreparedness; travel by unexpected routes and strike him where he has taken no precautions.” This strategy is a proven recipe for successful cyber attacks. As cyberdefenders, we must take precautions to prepare for these incidents. We, too, have principles and guidelines to orient our defenses. One of the best tools available for protecting federal systems is the 20CSC.
The 20CSC represent “a prioritized baseline of information security measures and controls.” John Gilligan, former CIO of the U.S. Air Force and the U.S. Department of Energy, led the development of this document; it represents a consensus of government and nongovernment experts. It is not legislation, nor is it a formal government standard. Why, then, is this a better approach than the ten-year-old Federal Information Security Management Act (FISMA)? And how will adoption of the 20CSC ultimately enhance security and operations overall?