Officials talk candidly about workforce cyber hygiene


Cyber experts from both the public and private sector say better governance and more accountability in the federal workforce are needed in order to improve cybersecurity.

National Institute of Standards and Technology Fellow Ron Ross said the bigger problem "is a governance issue; it's about leadership ... I think we have to turn the corner at some point and start to take a hard look at what we are doing and see what we can do better." Ross spoke at an April 25 event hosted by the Institute for Critical Infrastructure Technology in Washington.

A household name in the cybersecurity arena, Ross said that, given the size and scope of the databases that are now common, accountability is essential. In the case of the Office of Personnel Management, for example, he argued that the breach might have been avoided if there had been a better structure governing who the authorizing officials are for system usage.

ICIT Fellow Dan Waddell added that there needs to be more resources devoted to cybersecurity training for the workforce. "Systems need patching, but people need patching too," he said. And such training can't be limited to the tech specialists, he stressed; getting employees in other departments to internalize good cyber hygiene makes them a greater asset to the organization. It's "not just educating the cyber workforce," he said.

As awareness of the threats to agency networks continues to grow, and lawmakers continue to pass legislation aimed at protection, the topic draws ever more scrutiny. Thomas Boyden, also an ICIT fellow, said that visibility is another important reason not to risk the "keys to the entire kingdom" by granting even legitimate users unnecessarily broad access. Even within private industry, he said, compartmentalizing access is still a hard shift.

Ross stressed during the event that changing the culture at agencies is integral to overall success, and that challenging institutional bureaucracy is just as important because "those are things that are going to bring you down faster." He and his NIST colleagues have been working on Special Publication 800-160 to help encourage such changes. The approximately 300-page document, scheduled to be published for public comment on May 4, explores how agencies can improve their security posture no matter what stage of the lifecycle their systems are in.

"Systems engineering and security engineering [are] a worldwide problem," Ross told FCW after the event. "Therefore the solutions are going to involve government, industry, and academia, and the not-for-profits, all in this great partnership working together to try to really solve this problem once and for all."

"The whole purpose of this document is to give people flexibility no matter where they are in lifecycle to do things that are going to help them be more secure and build systems that are more trustworthy," he said.

About the Author

Aisha Chowdhry is a former staff writer for FCW.
