Officials talk candidly about workforce cyber hygiene


Cyber experts from both the public and private sector say better governance and more accountability in the federal workforce are needed in order to improve cybersecurity.

National Institute of Standards and Technology Fellow Ron Ross said the bigger problem "is a governance issue; it's about leadership ... I think we have to turn the corner at some point and start to take a hard look at what we are doing and see what we can do better." Ross spoke at an April 25 event hosted by the Institute for Critical Infrastructure Technology in Washington.

A household name in the cybersecurity arena, Ross said that, given the size and scope of the databases that are now common, accountability is essential. In the case of the Office of Personnel Management, for example, he argued that the breach might have been avoided if there had been a better structure governing who the authorizing officials are for system usage.

ICIT Fellow Dan Waddell added that there needs to be more resources devoted to cybersecurity training for the workforce. "Systems need patching, but people need patching too," he said. And such training can't be limited to the tech specialists, he stressed; getting employees in other departments to internalize good cyber hygiene makes them a greater asset to the organization. It's "not just educating the cyber workforce," he said.

Growing awareness of the threats to agency networks, along with the additional legislation lawmakers continue to pass aimed at protection, is putting the topic under an even brighter spotlight. Thomas Boyden, also an ICIT fellow, said that visibility is another important reason not to risk the "keys to the entire kingdom" by granting even legitimate users unnecessarily broad access. Even within private industry, he said, compartmentalizing access is still a hard shift.

Ross stressed during the event that changing the culture at agencies is integral to overall success, and that challenging institutional bureaucracy is just as important because "those are things that are going to bring you down faster." He and his NIST colleagues have been working on Special Publication 800-160 to help encourage such changes. The approximately 300-page document, scheduled to be published for public comment on May 4, explores how agencies can improve their security posture no matter what stage of the lifecycle their systems are in.

"Systems engineering and security engineering [are] a worldwide problem," Ross told FCW after the event. "Therefore the solutions are going to involve government, industry, and academia, and the not-for-profits, all in this great partnership working together to try to really solve this problem once and for all."

"The whole purpose of this document is to give people flexibility no matter where they are in lifecycle to do things that are going to help them be more secure and build systems that are more trustworthy," he said.

About the Author

Aisha Chowdhry is a former staff writer for FCW.
