Cybersecurity
Volume 2 • Number 8 • November/December 2010

The Cyber Progression

It’s not easy to make every day “Cybersecurity Awareness Day”. But the Navy and the Nuclear Regulatory Commission are sure trying.

During October, DHS sponsors National Cybersecurity Awareness Month.

The month-long message is: if Americans, including federal employees and contractors, follow a few simple steps to stay safe online, they will not only keep their personal assets and information secure but also help improve the overall security of cyberspace.

But continuous, ongoing, real-time success depends upon vigilance. And vigilance is hard. It’s not easy to make every day “Cybersecurity Awareness Day”, especially in this day of diminishing resources and competing priorities.

One sure way to make vigilance easier is to use automation to make cybersecurity simpler for the end user. There are lots of tools on the market, but still more need to emerge that integrate security capabilities into products and services early in the life cycle, so that security is easier and less complex for the people who have to live with it.

But, which tools to buy? Where should scarce government investment dollars go?

Navy Investments—In The Clouds?

Navy CIO Rob Carey told the Federal Executive Forum audience that his big priority right now is developing a cybersecurity capability investment model.

“We are really trying to get to the place where we can know where we would spend our next set of resources, what we get for it, and why,” said Carey.

Carey said the Navy, Army, Air Force, DHS and other agencies have a plethora of tools but still face challenges, so questions remain about what to buy and how to justify those purchases to agency heads.

“I think we need to come through this model development so that we will understand as the threat continues to evolve, we can evolve our model points and go from there,” explained Carey.

“I would pattern this after Carnegie Mellon’s capability maturity model and have five step gradients and things like that, but it’s important for us to know how we would spend our next dollars and on what.”

Carey further described how the Navy is working hard to consolidate its IT footprint and manage its infrastructure more centrally.

“You know that infrastructure has still got to support the mission; so reducing the footprint and adding an identity component to control information access will enable us to examine things like Cloud computing,” noted Carey.

“Cloud computing is a fabulous technology to reduce costs. However, it moves the security layer towards the data and we are not there yet.”

Then there is the issue of balancing access and security.

“There’s a lot of activity around Cloud computing, open information, Internet usage, web enablement. At the same time all of us in the business understand what the proper levels of security are,” explained Carey.

For Carey that means understanding that security and access are a polarity that has to be managed, and that policies and procedures apply the same to a C4 network in the Pacific, to the Commerce Department in DC, or even to DHS.

“You have to balance those two variables. So coming up with that model that allows that is really an important feature that we are all working on.”

Nuclear Priorities

Pat Howard, Chief Information Security Officer at the Nuclear Regulatory Commission, reiterated what Carey said about “built in, not baked on” security.

“Mainly it’s a matter of ensuring that security requirements are built in from the beginning,” said Howard.

“We always want to position ourselves as part of the system development life cycle; to know what is going on, make people aware of the role that the IT security team plays. And be in a position to make good recommendations that are risk based, that are cost effective, and that meet the business need.”

What Howard talks about isn’t easy. “It’s not as simple as it may sound. There are governance issues, technology issues, having the right people on board that can evaluate the technologies in association with the business needs. There are not that many of those people around. We have to team with industry to get those kinds of talents and skills. That’s a continuing long-term priority.”

Most immediately, though, Howard is responding to the changes in the annual FISMA requirements that call for the use of CyberScope, a web-based application that collects data from each federal agency in order to assess its IT security.

“I think probably every agency level CISO is looking hard at themselves about how they are going to be able to do that; how to understand the requirements fully and to look at the nature of reporting and how it has changed,” noted Howard.

“DHS is playing a much larger role in that. So the ground has moved a little bit then; we are all adjusting as we move towards continuous monitoring and implementation of the consensus audit guidelines.”

That emphasis on cybersecurity is showing some results at NRC, Howard declared.

“We are a regulatory agency and one area that we had a gap in over recent years is the security standards for the nuclear reactor industry; those are now in place and that’s a pretty big stride forward for us as a regulatory agency.”

Internally, Howard said NRC is showing progress in operationalizing security, really “getting to that point of continuous monitoring and being able to have full situational awareness of the threats that we are confronting.”

Copyright © 2012 Public Sector Communications, L.L.C.