How The OPM Breach Galvanized Cybersecurity, And How You Can Help

Steve Charles

Often overlooked when people parody the famous “One word: Plastics” line from the movie “The Graduate” is the simple fact that plastics really did have a great future. Today you could, and many people do, substitute the word “cybersecurity.” It has a seemingly limitless future.

Nowhere is this clearer than in the aftermath of the great breaches of millions of personally identifiable data records at the U.S. Office of Personnel Management. For federal contractors with products and services in any way connected with cybersecurity, the massive data exfiltration underscored the need to get serious about security.

Perhaps not intentionally, the Office of Management and Budget’s 30-day “Cybersecurity Sprint” was as much a stunt to show seriousness of purpose as a technology deployment effort to actually boost federal cybersecurity. Still, it provides sales and marketing message guidance by clearly reiterating the government’s cybersecurity priorities. It also indicates the general approach agencies will take to secure their networks.

The White House spelled out those eight priorities in June, just as the OPM breach burst onto the scene, touching off the launch of the sprint: data protection, improved situational awareness, better-trained people, more user awareness, automating processes, resiliency in attacks, lifecycle security, and reducing attack surfaces.

By mapping your products and services to these eight priorities, you can tailor your sales and marketing approaches to show how you can help federal customers in a way that’s consistent with how they are being measured.

The now-concluded 30-day sprint was so named, I believe, to signal a fresh approach with a more appropriate operations tempo. It was a clever and wise choice of words by federal Chief Information Officer Tony Scott. Sprint is borrowed from the agile, iterative development methodology, in which developers write code in short bursts followed by functionality testing by users, which in turn leads to the requirements of the next sprint. In theory, projects have a better chance of finishing on time and being closer to what the user organization actually envisioned.

Like a sort of mini Manhattan Project, the 30-day sprint did galvanize agencies towards a goal. Or more precisely, four goals.

The sprint called for agencies to deploy “indicators” from the Homeland Security Department network scanning and logs. It told them to patch critical vulnerabilities without delay, which is a prime goal of the continuous diagnostics and mitigation program. (Why weren’t they already doing it?)

Also called for in the 30-day sprint: tightening up access policies for systems administrators and other privileged users, and finally, putting in place two (or more) factor authentication.

So how’d they do? As reported by OMB, agencies were able to apply strong authentication to 30 percent more people than presumably had such controls before. The number of privileged users subject to strong authentication rose 40 percent. OMB reported that 13 of the biggest agencies now have strong authentication for 95 percent of privileged users.