WhiteHouse / cyber-acquisitions

https://policy.cio.gov

Comments: OMB Improving Cyber Security Protections in Federal Acquisitions from Don O'Neill Independent Consultant ONeillDon@aol.com #6

Open oneilldon opened 8 years ago

oneilldon commented 8 years ago

Comments: OMB Improving Cyber Security Protections in Federal Acquisitions Don O'Neill Independent Consultant ONeillDon@aol.com

  1. Security Controls: As a minimum, security controls must include three-factor authentication and data encryption.
  2. Cyber Incident Reporting: The government's refusal to accord indemnification to industry partners willing to participate in Cyber Incident information sharing is discouraging industry participation. The government fears that industry will take advantage of any indemnification waiver beyond its intended use.
  3. Information System Security Assessments: The organization must demonstrate an understanding of the following ten ground truths of Internet use.
    1. The Internet was established to disseminate data and information.
    2. The Internet is not equipped to control, secure, or protect the data and information being disseminated.
    3. In actual fact the data and information that is transferred about on the Internet is not under control, is not secure, and is not protected beyond the due diligence associated with backup and recovery operations.
    4. Cyber theory is not yet proven and understood even by our best and brightest, has not been validated in actual use with empirical data, and is not yet in widespread use by industry.
    5. Responsibility for controlling, securing, and protecting the dissemination of data and information must lie with those who choose to entrust proprietary data and information to the Internet.
    6. Organizations have proven that they cannot be depended upon to exercise due diligence with respect to the handling of proprietary data and information entrusted to them.
    7. If an organization decides to place its proprietary data and information on the Internet, it must acknowledge acceptance of the risk and take steps to mitigate the risk and its consequences.
    8. With respect to the public commons, organizations with unattended weaknesses and vulnerabilities actually serve as an attraction, even a magnet, for bad actors making everyone less safe.
    9. The most effective, intelligent, and ethical steps to mitigate Cyber Security risk are an organization policy and assured practice to mitigate Cyber Security risk by not putting proprietary data and information it cannot afford to lose on the Internet.
    10. For those who do, acknowledge acceptance of the risk associated with Internet use, encrypt all data and information placed on the Internet, and use three-factor authentication to control access to data and information on the Internet, including what you have, i.e., card, token; what you are, i.e., iris, fingerprint; and what you know, i.e., password, security question.
  4. Information Security Continuous Monitoring: To achieve maturity in the assurance of resiliency under stress, the enterprise must satisfy the goal-based argument at each level.
     Level 1 Ad Hoc
       o State of Affairs: Inability to advance and exhibiting evidence of apathy, denial, management inaction, and lack of engineering know-how.
       o Issue Areas: Apathy, State of Denial, Management Inaction, Lack of Engineering Know-How.
     Level 2 Enterprise Security Commitment Management
       o Goal: Demonstrate commitment to security assurance through strategic management, internal processes, and defense in depth.
       o Focus Areas: Global Software Competitiveness, Competitiveness Versus Security, CSO Leadership Program, Security Return on Investment, Security Assurance Operations.
     Level 3 Enterprise Business Continuity Process Maturity
       o Goal: Demonstrate business continuity assurance through compliance management, external processes, and product engineering.
       o Focus Areas: Global Sourcing, Open Source, Regulatory Compliance, Crisis Management, Aspect Oversight & Assessment, Security Assurance Evaluation Tools.
     Level 4 System Survivability Engineering
       o Goal: Demonstrate the achievement of system survivability through the management of faults and failures, sustainability processes, and RMA engineering.
       o Focus Areas: Resistance, Recognition, Recovery, Reconstitution.
     Level 5 System of Systems Resiliency Engineering
       o Goal: Demonstrate the achievement of system of systems resiliency through the management of external interactions and dependencies, the control of distributed supervisory processes, and the practice of Next Generation software engineering.
       o Focus Areas: Coordinated Recovery Time Objectives, Interoperable Information and Data Exchange, Operation Sensing and Monitoring, Digital Situation Awareness, Distributed Supervisory Control, Information and Data Recovery.
  5. Business Due Diligence: The Internet was established to disseminate data and information. The Internet is not equipped to control, secure, or protect the data and information being disseminated. In actual fact the data and information that is transferred about on the Internet is not under control, is not secure, and is not protected beyond the due diligence associated with backup and recovery operations.

Responsibility for controlling, securing, and protecting the dissemination of data and information must lie with those who choose to entrust proprietary data and information to the Internet. Organizations have proven that they cannot be depended upon to exercise due diligence with respect to the handling of proprietary data and information entrusted to them. If an organization decides to place its proprietary data and information on the Internet, it must acknowledge acceptance of the risk and take steps to mitigate the risk and its consequences.

The most effective, intelligent, and ethical steps to mitigate Cyber Security risk are an organization policy and assured practice to mitigate Cyber Security risk by taking the following steps:

  1. Don’t put proprietary data and information you cannot afford to lose on the Internet.
  2. For those who do, acknowledge acceptance of the risk associated with Internet use.
  3. Encrypt all data and information placed on the Internet.
  4. Use three-factor authentication to control access to data and information on the Internet:
     • What you have, i.e., card, token
     • What you are, i.e., iris, fingerprint
     • What you know, i.e., password, security question
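The comment defines three-factor authentication by factor category rather than by number of credentials. The following added example (not part of the thread or the repository) shows a policy check written that way: it maps the authenticator types the comment lists onto the three categories and counts distinct categories, so a password plus a security question still counts as a single factor. The authenticator names and the mapping are constructed for this illustration.

```python
from enum import Enum


class Factor(Enum):
    """The three authentication factor categories named in the comment."""
    HAVE = "something you have"   # card, token
    ARE = "something you are"     # iris, fingerprint
    KNOW = "something you know"   # password, security question


# Constructed mapping of authenticator types to factor categories, using
# the examples given in the comment.
AUTHENTICATOR_FACTOR = {
    "smart_card": Factor.HAVE,
    "hardware_token": Factor.HAVE,
    "iris": Factor.ARE,
    "fingerprint": Factor.ARE,
    "password": Factor.KNOW,
    "security_question": Factor.KNOW,
}


def distinct_factors(authenticators):
    """Return the set of factor categories covered by the presented authenticators.

    Unknown authenticator types are ignored rather than counted, so a
    misspelled or unregistered type can never satisfy the policy by accident.
    """
    return {AUTHENTICATOR_FACTOR[a] for a in authenticators if a in AUTHENTICATOR_FACTOR}


def meets_policy(authenticators, required_factors=3):
    """True when the authenticators span at least `required_factors` distinct
    categories. Two authenticators from the same category (for example a
    password and a security question) count as one factor, not two."""
    return len(distinct_factors(authenticators)) >= required_factors


if __name__ == "__main__":
    print(meets_policy(["smart_card", "fingerprint", "password"]))          # True
    print(meets_policy(["password", "security_question", "fingerprint"]))   # False
```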
jujueyeball commented 8 years ago

3FA?

oneilldon commented 8 years ago

In response to 3FA?

Use three-factor authentication to control access to data and information on the Internet:
  • What you have, i.e., card, token
  • What you are, i.e., iris, fingerprint
  • What you know, i.e., password, security question

scheidelg commented 8 years ago

It seems as if specifying three-factor authentication (or two-factor authentication) should be driven by the referenced standards: SP 800-53 Rev. 4 and SP 800-171. While there might be some value to requiring three-factor authentication for various systems and under various conditions, it doesn't seem appropriate to specify that here and override the referenced supporting standards.