One of the key pillars of the President’s Management Agenda is to Modernize IT to Improve Productivity and Security. A central pillar of the Administration’s IT Modernization strategy is to improve the skills, leadership abilities, and overall pipeline of talent in the Federal government to address our growing cybersecurity threats. Building security into technology from the beginning is a critical component of the Administration’s modernization efforts and essential to securely delivering effective, efficient, customer-centered services to our citizens.
In recognition of these critical goals, the Chief Information Security Officers Council (CISO Council) sought to produce the “CISO Handbook” – a compendium of key information and actionable templates and processes – to provide a “one stop shop” for new and emerging information security professionals to begin their upskilling into future cybersecurity executives. The Handbook is a foundational document that will help agency leadership drive transformational workforce changes in a standardized, repeatable manner and create greater collaboration and coordination across agencies to address systemic cybersecurity challenges.
The handbook makes significant use of the recently updated Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework), agencies’ implementation of which was mandated by the recent Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. To provide a systematic overview of the risk management process and help agencies comply with the Executive Order, the handbook maps example agency policies to specific objectives in the Cybersecurity Framework Core as well as to key NIST publications.
“The Handbook will help CISOs embrace risk management practices like the NIST Cybersecurity Framework in the context of legislation, policy and federal guidance,” says Emery Csulak, CISO at the Centers for Medicare & Medicaid Services. “Breaking the complex conversation of the CISO role and risk management into consumable pieces can only help the community succeed in bringing new talent onboard and meeting our mission needs.”
Perhaps most useful to CISOs and their teams on a daily basis will be the handbook’s extensive and easily searchable appendices, which represent the most complete collection of policies and templates pertaining to Federal cybersecurity ever published in one place. The appendices include a chronological list of Presidential directives, OMB memos, NIST guidance, and other government-wide publications, complete with innovative infographics and links to PDFs. The appendices also provide a breakdown of responsibilities assigned by the Federal Information Security Modernization Act of 2014 (FISMA) and a list of government-wide services and acquisition vehicles. These documents are meant to serve cybersecurity professionals as templates that help them effectively implement and manage major cybersecurity initiatives.
When asked how he sees the Handbook benefitting the cyber community, Cord Chase, CISO at the Office of Personnel Management, said, “With frequent changes to policies, standards, executive orders, recommendations, and new security entities being stood up, it is only appropriate that the CIO council, in coordination with the CISO council, provide you with a handbook to clarify the cyber security standards. This handbook is for Federal cyber security professionals and CISOs, but it is valuable for other professionals as well.”
The CIO and CISO Councils intend to keep the CISO Handbook up to date as major policies or updated guidance are issued to agencies. As updates are made, information will be distributed by the CIO and CISO Councils.