A Federal CISO handbook is due out soon from the CISO Council, said Jeff Wagner, Acting Chief Information Security Officer at the Office of Personnel Management. The new guidance aims to cut down on technical language barriers and standardize compliance formatting across the Federal enterprise.
Wagner announced the handbook during a panel discussion Thursday at MeriTalk’s Tenable GovEdge 2018 event. He discussed the handbook when asked how reciprocity can be improved across agencies as they look to balance cyber mandates, policy, CDM and FITARA requirements, and ultimately promote good cross-agency cybersecurity practices.
“I know the CISO Council has taken that task on pretty heavily,” Wagner said. “We have a handbook that’s going to be released relatively shortly, that’s going to outlay, ‘yea verily,’ this is the way everybody does business across the Federal government and standardize it.”
Wagner said compliance processes are being complicated by simple syntax discrepancies.
“Ninety percent of the time, we’re saying the same thing, it’s just formatted on a piece of paper a little bit differently,” he said.
Across government, some officials are hoping it will signal a larger shift in attitudes regarding cybersecurity.
“What we’re really hoping for from the CISO handbook is a culture change,” said Derek Larson, Deputy Director of Cybersecurity Risk and Performance Management for the White House. “It’s not going to be one of those things where it comes out and the week after, everything’s solved. There’s going to be this socialization process, giving everyone adjustment to these new expectations.”
While the handbook could do well to eliminate jargon and unnecessary nuance in security processes, the impetus to collaborate on best practice still needs to be established, said Greg Kushto, Vice President of Sales Engineering at Force 3.
“The handbook will give everybody the instructions for how to do that, but it’s then going to have to be the desire to do that that takes it to the next level,” said Kushto. He noted that policy mandates are not new, and simply ask agencies to articulate the things they are often already doing.
Wagner said that articulation process will be much easier if there’s a consistent way to shout it out loudly across government.
“We’re all doing the same thing. We’re all doing it the same way. And a lot of the reciprocity comes with everyone being comfortable just sitting down and sharing the information,” Wagner said.