Experts tackle guidance to stop cyberattacks

A group of information security analysts in government and industry plans to publish guidance in six months to identify the most effective protections against the vulnerabilities most often exploited in cyberattacks, according to John Gilligan, president of the Gilligan Group and former chief information officer of the Air Force and Energy Department. He leads the effort.

The ultimate goal of the organization, which has not yet been named, is to get the Office of Management and Budget to revise its security guidance and for agencies to incorporate those guidelines, Gilligan said Nov. 21 at a security conference sponsored by 1105 Government Information Group, which publishes Federal Computer Week.

The guidelines would help agencies decide which controls to implement and measure for next-generation security assessments, Gilligan said. Agencies currently conduct and document certification and accreditation of their major computer systems to comply with requirements of the Federal Information Security Management Act. OMB directs agency inspectors general to evaluate the documentation to determine whether the systems meet security requirements. That process still does not assure agency information security, he said.

“FISMA has the right objectives. But agencies spend a lot for security with little confidence that it is effective,” Gilligan said. The guidelines would establish measures and activities so CIOs would have more confidence in agencies' security, he said.

The security experts are from agencies that include the Defense, Justice, Homeland Security and Energy departments, the National Security Agency and Government Accountability Office. They are combining their knowledge to define the most important defensive investments that CIOs could make in cybersecurity, he said.

“People on this list understand offense and already have experience with attacks,” Gilligan said. He added that he anticipates a preliminary view of the guidelines in February.

For example, when Gilligan was the Air Force's CIO, the National Security Agency found that 80 percent of the service's vulnerabilities were due to incorrectly configured commercial software. Gilligan said he worked with NSA, other federal agencies, and Microsoft to create the Secure Desktop Configuration for the Air Force, which OMB later adopted governmentwide as the Federal Desktop Core Configuration.

After the consensus guidelines are published for public comment and revision, the Chief Information Officers Council plans to review them. If they are acceptable, the council will ask OMB to revise its guidance to use the controls highlighted in the consensus guidelines to measure FISMA, said Alan Paller, research director at SANS Institute.

The guidelines would define the security controls that would be best to stop an attack or help an agency quickly recover from known attacks and provide real-world examples of those attacks, he said. The guidelines would also describe how to validate the effectiveness of those controls, typically through automation, such as a computer application, Paller said.

Agencies should pay more attention to correcting known risks to the security of the agency’s mission, he said. “If you know the known bads, fix them. Don’t do just compliance. Know how they got in and stop them; know how they got in, find them,” Paller said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
