NYSOTDA
commented
8 years ago The New York State Office of Temporary and Disability Assistance (OTDA) submits the following comments in response to the Office of Management and Budget’s (OMB) request for feedback on its proposed guidance, titled “Improving Cybersecurity Protections in Federal Acquisitions” (Proposed Guidance). While, currently, the Federal government generally classifies data (and how it must be protected) by source, the development and implementation of a risk-based classification of data would facilitate efforts to meet compliance obligations in the flow of data.
Given that many entities receive Federal data from more than one Federal agency/entity, it would be useful if Federal agencies would agree upon, publish and consistently update a step-by-step comprehensive security and compliance standard for use by those entities with whom Federal data is shared from whatever source or agency. Preferably, this standard would be tailored to separately communicate the requirements that are technical (requiring completion by IT professionals) and those that require completion by the business. It would be most helpful if OMB could provide information and instruction in a more formulaic presentation such as that provided in IRS Pub 1075.
Finally, the proposed OMB guidance references other Federal guidance, standards, policies and statutes (collectively, “rules” for this discussion), which then refer to still other rules, all of which change over time. This approach raises two issues for entities receiving Federal data: 1) Entities sharing data with the Federal government are tasked with the difficult job of interpreting (and often reconciling) the referenced rules and then segregating out requirements in some cohesive manner for those maintaining IT systems, as well as for those handling the data in the business; and 2) Updates to the rules can be challenging to track, and entities bound by these rules would benefit from, for instance, updates to checklists available online in real time.
We would encourage OMB to take steps in its Proposed Guidance to begin to address these concerns.
Government Agency guidance and references appear to be incomplete as to cybersecurity related orders, directives, programs, regulations, and standards. Key activities omitted minimally include but are not limited to operational cybersecurity leadership from the DOD Defense Industrial Base Program, the DHS Cybersecurity Framework, Critical Infrastructure Information Sharing and Analysis Centers/Information Sharing and Analysis Organizations, and NIST 800 Series http://csrc.nist.gov/publications/PubsSPs.html Experience, expertise, and innovation are critical to varied endeavors; in cybersecurity Governments and Industries have centers of excellence.