While OPM continues to muddle through dealing with its breach and telling the public what happened, more news stories are coming out. First, the White House ordered agencies to tighten things up in a 30-day security sprint. While using agile terminology is nifty, my guess is that most of these agencies are more familiar with COBOL than agile. Ignoring that, what have they been asked to do (see article)?
Agencies must report their progress to OMB and DHS in 30 days. What happens if their “progress” after 30 days is “no progress” is not explained.
Agencies are supposed to deploy “indicators” set by DHS regarding threat actors’ tactics, techniques and procedures. What this means in English is that they should look for the same methods the Chinese used to break into OPM at other agencies and report to DHS if they find anything.
Agencies should also reduce the number of privileged users, the length of time those users can stay logged in, and the functions they can perform while using those accounts. Agencies should also limit what administrators can do remotely and review privileged user activity logs regularly. In English, again, this means that the agencies, other than the NSA, did not learn anything from Edward Snowden and need to reduce the size of this security hole.
Finally, agencies should implement two factor authentication, especially for privileged users.
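To make the privileged-user directives concrete, here is an added example (it is not from the original post, the OMB memo, or any agency tooling) that runs a review over a constructed privileged-access log. It checks for what the sprint asks agencies to look at: admin logins without two-factor authentication, remote rather than console admin logins, sessions open longer than a policy ceiling, and a count of distinct privileged accounts. The log format, field names, host names, and the eight-hour session ceiling are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records for the example; the key=value format is an
# assumption, not any real agency's log format.
SAMPLE_LOG = """\
2015-06-15T08:02:11Z host=fileserver1 user=jsmith priv=admin src=console mfa=yes event=login session=101
2015-06-15T19:40:02Z host=fileserver1 user=jsmith priv=admin src=console mfa=yes event=logout session=101
2015-06-15T22:15:30Z host=hr-db01 user=contractor7 priv=admin src=203.0.113.45 mfa=no event=login session=102
2015-06-16T01:05:09Z host=hr-db01 user=contractor7 priv=admin src=203.0.113.45 mfa=no event=logout session=102
2015-06-15T09:10:00Z host=hr-db01 user=amartin priv=user src=10.1.2.3 mfa=yes event=login session=103
2015-06-15T09:30:00Z host=hr-db01 user=amartin priv=user src=10.1.2.3 mfa=yes event=logout session=103
2015-06-15T10:00:00Z host=dc01 user=svc_backup priv=admin src=console mfa=no event=login session=104
"""

# Assumed policy ceiling for a single privileged session.
MAX_PRIV_SESSION = timedelta(hours=8)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime ts."""
    m = LINE_RE.match(line)
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def privileged_sessions(log_text):
    """Group admin login/logout events by session id, ignoring non-admin users."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["priv"] != "admin":
            continue
        s = sessions.setdefault(rec["session"], {
            "user": rec["user"], "host": rec["host"],
            "src": rec["src"], "mfa": rec["mfa"],
        })
        s[rec["event"]] = rec["ts"]      # s["login"] / s["logout"] timestamps
    return sessions


def privileged_users(log_text):
    """Distinct accounts seen with admin privilege; the number the sprint says to reduce."""
    return sorted({s["user"] for s in privileged_sessions(log_text).values()})


def review_privileged_activity(log_text, max_session=MAX_PRIV_SESSION):
    """Return (session_id, user, finding_code) tuples, one per policy violation."""
    findings = []
    for sid, s in sorted(privileged_sessions(log_text).items()):
        if s["mfa"] != "yes":
            findings.append((sid, s["user"], "NO_MFA"))
        if s["src"] != "console":
            findings.append((sid, s["user"], "REMOTE_ADMIN"))
        if "logout" not in s:
            findings.append((sid, s["user"], "NO_LOGOUT"))
        elif s["logout"] - s["login"] > max_session:
            findings.append((sid, s["user"], "LONG_SESSION"))
    return findings


if __name__ == "__main__":
    print("privileged accounts:", privileged_users(SAMPLE_LOG))
    for sid, user, code in review_privileged_activity(SAMPLE_LOG):
        print(f"session {sid} user={user}: {code}")
```

On the constructed log this flags the console admin who stayed logged in for over eleven hours, the contractor who logged in remotely with no second factor, and a service account with no second factor whose session has no logout at all; the ordinary user session is ignored. The point of running something like this on a schedule is that “examine privileged user activity logs regularly” only means something if the review is automated and the output goes to a person who can act on it.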
A team made up of DHS, OMB, NSC and DoD will review the government’s existing policies, procedures and practices in the next 30 days. After that, Tony Scott, the federal CIO, will make recommendations and action plans. Remember, this is the same government which was not allowed to block users from accessing personal webmail, no matter whether it compromises government security, without first negotiating with the relevant union (see article).
In case I am coming across as sarcastic and annoyed, I am.
These are things that organizations should have been doing years ago and many (but far from all) private organizations are doing. There are no deadlines for actually finishing anything – just a report back in 30 days – no consequences, and vague terms like “should” and “reduce”.
In another article, the GSA IG is reporting that contractors had access to personal information of soldiers’ families and children without the required background checks, training or even getting non-disclosure agreements – as worthless as those are – signed (see article).
Turning a ship as big as the government – even if we are just talking about the executive branch – is a hard thing to do and absent money, people and consequences, is likely an impossible task.
Just my two cents.