2018 National Cyber Strategy: Barely a Wimper
What does this mean for federal contractors?
The September 2018 “National Cyber Strategy” was released by President Trump with barely any discussion or mention of its impacts pro or con. (Of course, the distraction of the Kavanaugh nomination had all but drowned out its release.)
For the most part is is a fairly benign recycling of past administrations “best practices.” This includes mention of holding nation-state actors criminally liable such as the indictment of 5 People Liberation Army (PLA) officers under the Obama Administration. It also is only a trite continuation of the need for even more “information sharing”–thanks CIA and FBI! If you remember how that issue emerged from September 11, 2001. (Also, while I was working on Nebraska Avenue in 2005, there were three different organizations within DHS working this very same issue Neither of these organizations showed any “info sharing” within the agency charged with fixing this shortfall).
However, one item caught our attention. It was the area of strengthening federal contractor cybersecurity standards. This goes to several of our previous blog postings looking at the two competing NIST frameworks, NIST 800-171 and the National Cybersecurity Framework (NCF). While there was no hint which direction the Administration is going the verbiage of the “adoption of consolidated acquisition strategies to improve cybersecurity and reduce overhead costs…” portends that there may eventually be a government-wide standard. (Our vote is with NIST 800-171).
In late 2018, the expectation is that the United States federal government will expand the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, revision 1, Protecting Unclassified Information in Nonfederal Information Systems and Organizations cybersecurity technical publication will apply to the entirety of the federal government. It will require that any company, business, or agency, supporting the US Government is fully compliant with NIST 800-171 no later than the date of a contract award.
The Federal Acquisition Regulation (FAR) Committee’s Case # 2017-016 had an original suspense date of March 2018; that date has come and gone. The latest and expected timeframe for any final decision has moved to an expected timeframe of late 2018. While it is possible that the Federal Acquisition Regulation Committee may further delay NIST 800-171 (or NCF, or other) implementation, it appears a standard will most likely occur during the current Administration.
Let’s hope we have some progress in the US’s cybersecurity strategy…soon
One of the author’s favorite foundational books on “Anonymous”
(Image takes you to Amazon for purchase)
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implement RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP in information security architecture (ISSAP). He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.
