Agencies taking enterprisewide approach to IT security

Agencies are taking more of an enterprise approach to improve their cybersecurity instead of trying to fix problems as they come up on a bureau-by-bureau basis. Of course, chief information officers say their tactics received a huge lift from the rash of data breaches last year.

“Security is not in isolation of anything else we do,” said Lisa Schlosser, CIO at the Department of Housing and Urban Development. “Incidents keep the executive’s attention for a week or so, but the CIO must constantly take on the leadership role and explain why security is important to the agency’s entire mission.”

The Defense Department is one successful example of taking an enterprise approach to information technology security, said John Hunter, DOD’s director of operations in the Office of the Assistant Secretary for Defense Defensewide Information Assurance Program.

Hunter said the mandated use of the Common Access Card to log into DOD’s network has made the military’s systems more secure, and another initiative to standardize the use of intrusion detection, intrusion prevention and asset management software from McAfee across all of DOD’s 5 million computers will provide additional benefits.

“Information assurance, situational awareness and command and control are the real focus in DOD to increase our security posture,” Hunter said April 19 during a breakfast on cybersecurity and the Federal Information Security Management Act in Bethesda, Md., sponsored by the Armed Forces Communications and Electronics Association’s Bethesda chapter.

Hunter said a command tasking order from the Joint Task Force Global Network Operations likely will be handed down to all military services and agencies in the next few months that would mandate the use of the McAfee software.

“We are working on the implementation plan to start this summer DOD wide,” he said.

DOD tested the software across all military agencies with 23,000 users from July to November 2006 and, beyond a few minor issues, found it made a big difference in securing desktops and the network, Hunter said.

Also, the Department of Veterans Affairs had to address its vulnerabilities agencywide.

Robert Howard, VA’s CIO, said the agency has encrypted almost every laptop and is now moving on to mobile devices.

“Centralizing the control of [information technology] no question helped ensure every laptop will be encrypted,” Howard said. “Without the central authority, encrypting laptops would have taken months, if not years.”

The panelists also said VA’s move to centralized IT authority is the model most would like to reach.

Ed Meagher, Interior Department’s deputy CIO, said the VA model is “the only one that makes sense.” Schlosser added that it is an “amazing thing to centralize IT” control.

“The most important thing we have to do is get people out of the choice to do IT security,” he said. “We need to make it as automated as possible, especially in managing the desktops and servers.”

Meagher said agencies still struggle with controlling their network environment.

