Our Nation’s security and economic prosperity depend on the stability and integrity of our Federal communications and information infrastructure. In order to address the continuously changing environment of threats posed on our nation’s cybersecurity defenses, the Federal Government must continue its vigorous advancement of technical and policy protection capabilities for national systems, to expand partnerships with the private sector, and to work with Congress to clarify roles and responsibilities.
This National Cyber Strategy outlines how we will (1) defend the homeland by protecting networks, systems, functions, and data; (2) promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation; (3) preserve peace and security by strengthening the United States’ ability — in concert with allies and partners — to deter and if necessary punish those who use cyber tools for malicious purposes; and (4) expand American influence abroad to extend the key tenets of an open, inter-operable, reliable, and secure Internet.
The Strategy’s success will be realized when cybersecurity vulnerabilities are effectively managed through identification and protection of networks, systems, functions, and data as well as detection of, resilience against, response to, and recovery from incidents; destructive, disruptive, or otherwise destabilizing malicious cyber activities directed against United States interests are reduced or prevented; activity that is contrary to responsible behavior in cyber- space is deterred through the imposition of costs through cyber and non-cyber means; and the United States is positioned to use cyber capabilities to achieve national security objectives.
Protecting the American people, the American way of life, and American interests is at the forefront of the National Security Strategy. Protecting American information networks, whether government or private, is vital to fulfilling this objective. It will require a series of coordinated actions focused on protecting government networks, protecting critical infrastructure, and combating cybercrime. The United States Government, private industry, and the public must each take immediate and decisive actions to strengthen cybersecurity, with each working on securing the networks under their control and supporting each other as appropriate.
STRENGTHEN FEDERAL CONTRACTOR CYBER- SECURITY:
The United States cannot afford to have sensitive government information or systems inadequately secured by contractors. Federal contractors provide important services to the United States Government and must properly secure the systems through which they provide those services. Going forward, the Federal Government will be able to assess the security of its data by reviewing contractor risk management practices and adequately testing, hunting, sensoring, and responding to incidents on contractor systems. Contracts with Federal departments and agencies will be drafted to authorize such activities for the purpose of improving cybersecurity. Among the acute concerns in this area are those contractors within the defense industrial base responsible for researching and developing key systems fielded by the DOD.
Continuous monitoring is a risk management approach to cybersecurity that maintains an accurate picture of an agency’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status.
In today’s environment of widespread cyber-intrusions, advanced persistent threats, and insider threats, it is essential for agencies to have real-time accurate knowledge of their enterprise IT security posture so that responses to external and internal threats can be made swiftly.
*Mitigate the risk and impact of threats to Federal agencies’ data, systems, and networks by implementing cutting edge cybersecurity capabilities.
Manage Asset Security- Implement capabilities that provide observational, analytical, and diagnostic data of an agency’s cybersecurity.
Limit Personnel Access- Implement credential and access management capabilities that ensure users only have access to the resources necessary for their job function.
Protect Networks and Data- Implement advanced network and data protection capabilities to protect agency networks and sensitive government and citizen data.