The White House Office of Management and Budget (OMB) is preparing to release new federal cybersecurity and IT policy updates that could significantly reshape how agencies defend networks and comply with security requirements, according to a senior OMB cyber official.
Nick Polk, branch director for federal cybersecurity at OMB, said Tuesday that the White House is nearing completion of a broad overhaul of federal cyber policy, with a release expected as soon as “the next couple days.”
“We’re really looking towards this administration to better rationalize different cyber policies and IT policies and dedicate resources to the areas of greatest threat,” Polk said at AFCEA Bethesda’s EIE Preview Event: Speakers with Sneakers in Washington.
“And I know that we say that a lot, and we’ve been saying that since there was federal IT, but this time we’re actually going to do it,” he said.
Polk spoke broadly of the coming policies and suggested upcoming changes could remove some particularly burdensome compliance requirements that have persisted for years.
At a high level, Polk said OMB’s work is focused on two broad categories that will shape future federal tech and cyber policy: defending against highly targeted attacks on specific individuals, and reducing the success of widespread, opportunistic attacks that exploit known vulnerabilities.
The first category draws on defensive practices already used at agencies such as the State Department. Polk cited State’s “Big Yellow Taxi” program as a leading example, describing how the department concentrates enhanced monitoring and sensing on individuals most likely to be targeted by adversaries, including senior leaders and personnel working on sensitive national security matters.
“That’s like, you know, when the adversary is going for a very targeted-type attack, and we know that that is a frequent method they use,” Polk said.
The second category focuses on what Polk described as the persistent threat of opportunistic cyberattacks that leverage known vulnerabilities to gain an initial foothold in government systems.
“If you want to get in good with your boss and you work with the Ministry of State Security or the SVR, the easiest way to do it is just to exploit a known vulnerability and get into a system,” Polk said. OMB, he added, is focused on ensuring those attacks succeed “in the least amount of cases possible.”
“A big part of that, which is something [we’ve been] working on very recently, is ensuring that we have the right telemetry, and we’re sharing that data among agencies,” he added.
Notably, Polk said that Federal Chief Information Officer Greg Barbaccia is working every day to “move away from the over-prescriptive, compliance-based approach.”
“It’s something that we are working towards on a regular basis. I actually hope we’ll have good news for you all in the next couple days,” he teased. “I can’t say exactly what … but we are hoping to take a pretty big step to remove some very burdensome compliance requirements in the near future, and we will continue to do so.”