The federal CIO pushed hard deadlines in his Cybersecurity Strategy and Implementation Plan. To meet the first, agencies had to grapple with the question: 'What’s a high-value asset?'
After the cyber sprint came the Cybersecurity Strategy and Implementation Plan and the new plans hard deadlines coming due. The first deadline: By Nov. 13, agencies had to identify and report their "high-value assets" to the Office of Management and Budget.
OMB maintained a low profile as the deadline passed, but observers were in agreement that the exercise was a good one, if done thoroughly.
"It's a good step to take on the path to improved resiliency and risk management," said Federal Communications Commission CIO David Bray. (As an independent agency, the FCC doesn't have to follow OMB's directives on the CSIP, but Bray said his agency has already identified high-value assets in its own push.)
"It's a great first step," agreed Ray Rothrock, CEO of security firm RedSeal. "It's a good thing CSIP asks for this."
But what is a high-value asset?
Rothrock noted that high-value assets are not just highly sensitive data, or even data at all.
Social Security numbers on an agency's network are high-value, but less-sensitive information, such as a list of employee names, could also merit high-value classification if that list is exposed to the outside. Routers and switches, too, could be classified as high-value, since they're an appealing target for adversaries seeking to intercept agency traffic.
Faisal Iqbal, CTO of public sector at Citrix, noted that "contextual levels" of security will be key as agencies seek to protect their high-value assets. Some data should be accessible to lower level employees accessing the network remotely; other data should be locked down much more securely.
It's been nearly half a year since the public revelation of the massive Office of Personnel Management breach that accelerated the government's cybersecurity push, and to some, the high-value asset deadline was a long time coming.
"I would have thought people would already know what's important and what's not," Rothrock said.
"The whole data classification challenge, that's not an easy task," Iqbal said, noting that in this case, perhaps it was best that agencies took the time to get things right.
Data center squeeze
As the high-value asset deadline passed, federal CIO Tony Scott told Federal News Radio that he'll soon be putting out guidance on a related subject: data center consolidation.
In the interest of both saving money and getting a better handle on federal data, Scott's guidance won't necessarily focus on cutting down on the government's roughly 12,000 data centers, but it will push shared services, consolidation and cloud.
"Shifting to cloud services is a great way of eliminating data centers and getting to a smaller footprint," Scott said. "I think what you will see is a balanced approach to this that encourages multiple swim lanes, if you will, of getting more effective and efficient IT in that area and not just a focus on numeric achievement, although that could be one of the things."
Of course, some say numerical goals are a must.
"The forthcoming guidance must set far more aggressive goals than are in place now, as the government should be able to run on fewer than 1,000 data centers," said Anthony Robbins, vice president of federal at Brocade. "The challenge is to ensure that those data centers are being fully utilized and operating at peak efficiency."
Citrix' Iqbal noted that, while it's a great opportunity to streamline, not everything needs to go to the cloud.
Scott said the new guidance will come out later this winter.