Nearly 18 months after the Office of Management and Budget (OMB) issued its memorandum on network incident log management and retention for Federal agencies as part of the Biden administration’s cybersecurity executive order, a top cyber official at the National Nuclear Security Administration (NNSA) discussed how his agency is dealing with staffing and standards in order to implement the mandate.
With agencies facing talent gaps and small budgets, implementing OMB M-21-31 hasn’t been an easy task. But NNSA’s Deputy Chief Information Officer Steven McAndrews is confident that this piece of the Federal government’s cybersecurity puzzle will stick.
The OMB memo stems from the cybersecurity executive order, which itself was spurred forward in part by the SolarWinds software supply chain attack in 2020, in which embedded malware went undetected for months and created a backdoor for hackers to spy on Federal agencies.
“These are all pieces of a puzzle that go together,” McAndrews said during a Dec. 6 GovExec panel, referring to the slew of requirements that have since sprung from the executive order. “If we lose one of these pieces [of the order], we’re going to be back to where we were pre-SolarWinds.”
He continued, “I think if we continue to maintain that vision [and] maintain that approach, it has to [stick].”
One way NNSA has been successful in maintaining “no log left behind” is by not only hiring more talent to close the workforce gap, but also ensuring that the agency is in the mix with the universities training young, diverse talent to be the next Federal leaders.
“To be honest, we need more talented people. It’s just a supply and demand issue,” McAndrews said. “This summer we actually went on a 13 Fed hiring spree, which has made a tremendous difference in really trying to balance workloads – allow people to have that work-life balance we all want them to have while also being able to forward our mission. It has been truly successful.”
“One of the things I think I’m most proud of is our work with universities.” The agency has put a lot of effort into engaging with young, minority interns, McAndrews said, to get them trained and have them ready to be the next leaders of NNSA organizations.
“It’s been challenging but it’s been rewarding,” he said.
Another challenge that NNSA, and nearly all Federal agencies, face when it comes to acting on M-21-31 is budget constraints.
“We can’t turn a blind eye to the fact that it does come with a significant sticker price to it,” McAndrews said.
When there are budget constraints, the Deputy CIO looks to standardization to help the agency get the best bang for its buck. Standardization on networks across the agency, he said, helps with visibility, which in turn allows defense to quickly respond when there is a threat.
“Really try and figure out what’s the best turn on investment,” he advised. “At the end of the day, we’re going to all get there as a team.”