Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:15 PM
Connect Directly

New White House Cybersecurity Plan Creates Federal CISO

Cybersecurity National Action Plan aims to increase federal cybersecurity spending by 35 percent to modernize IT and address skills shortage, IoT.

As part of a $4 trillion budget bill sent to Congress President Obama called for the US federal government to increase its cybersecurity spending by 35 percent in fiscal year 2017, to $19 billion. The spending boost is one piece of a new Cybersecurity National Action Plan announced by the administration today.  

National Cybersecurity and Federal CISO

The government is still smarting from the major breach at the Office of Personnel Management so one of the key goals of CNAP is to harden federal agencies' internal information security. The proposal includes $3.1 billion for an IT Modernization Fund to retire, replace and modernize legacy IT systems used within the federal government.

Some of that budget will be spent on a new position: the first federal chief information security officer, responsible for driving these changes across the government. It's a senior executive position operating within the Office of Management and Budget, with top-secret security clearance. The position reports to the administrator of the Office of E-Government and Information Technology. The advertised salary range is $123,175 to $185,100.

"Finding a seasoned cyber ‘chief’ willing to take this job at the posted salary level, with no relocation or bonus consideration, will be a very big challenge,” says Dan Waddell, (ISC)managing director and director of US government affairs.

Mark Aiello, president of infosec staffing company Cyber360 is less diplomatic in his assessment.

"This job reminds me of the famous Groucho Marx line about not wanting to join any club that would have him as a member," says Aiello. "I would not want to hire anyone who would want this job."

Although he acknowledges that someone might want this job to "make a difference," they might also want it only to pad their resume or connections and leave within a year or two. Why?

In Aiello's description, the pay is "horrible," the application process "overly burdensome," and the selection process "political." It will be impossible to succeed in the job, largely because the position reports to the equivalent of a CIO -- not the ideal reporting structure for a CISO who needs to be an agent for change.

"It will be thankless and they will become a scapegoat for the inevitable breach," says Aiello. In his opinion, a better solution to hiring a new federal CISO, is to rotate CISOs in from other government agencies for one- to two-year engagements.

“For quite some time, the cybersecurity community at large has been mystified by why there hasn't been a Federal CISO, and now, it looks like we're going to get our wish," says Justin Harvey, Chief Security Officer of Fidelis Cybersecurity. "However, there isn't enough clarity in the announcement that explains exactly what this person is going to be responsible for. More importantly, is the Federal CISO going to have enough control over resources, policy, strategy and operations to have an impact? This plan needs a single owner to be held accountable for cybersecurity while also holding each individual government agency's feet to the proverbial fire for their compliance."

“This Federal CISO will have their work cut out for them, namely, this is centered around having each agency classify their sensitive data," says Harvey. "I am surprised this was explicitly called out, which means that some agencies have not already done this. In the cybersecurity industry, one must first classify what is sensitive in the enterprise before writing policy and implementing technical controls."

"One thing stands out as a real positive to me," says (ISC)2's Waddell. "As a result of the OPM Breach and other agency failures to mitigate risk in a timely fashion, the President has recognized the value of recruiting, retaining and training 'versatile cybersecurity professionals who can effectively facilitate between IT and the mission and business functions,' and [he] plans to charge the new CISO with the priority of addressing this effort."

The administration is also conducting a review to determine where the government can reduce its use of Social Security numbers as identifiers, and it's converted all card readers used by the Treasury Department to Chip-and-PIN.

"The President’s Cybersecurity National Action Plan aims to modernize agencies’ technology and user behavior and we believe it is a broadly positive step forward," says Harley Geiger, director of public policy for Rapid7. "If implemented, the proposal will help support federal agencies that are very much in need of more secure IT to help prevent or mitigate more serious breaches. We hope Congress and the Administration will collaborate to execute this plan."

Skills Shortage

The CNAP also includes a number of measures to address the cybersecurity skills shortage -- particularly the one suffered by the government. It would enhance student loan forgiveness for those who take cybersecurity jobs in the federal government and invest $62 million in grants, scholarships and other programs to enhance the infosec workforce.

It would also develop a cybersecurity Core Curriculum and establish the CyberCorps Reserve, which would provide scholarships to individuals who want cybersecurity education and jobs in the federal government.

"The security industry has talked at length about the latest hacks and breaches, but we haven’t brought enough urgency to solving the cybersecurity talent shortage," says Chris Young, general manager and executive vice president of Intel Security. "More than 209,000 cybersecurity jobs in the U.S. alone were unfilled in summer 2015, and cybersecurity leaders expect 1.5 million more jobs than takers by 2019. Right now, Intel has more than 250 security jobs available in the U.S. We are excited to work with the U.S. government to help make the CyberCorps idea a reality and put us on a path to helping address the cybersecurity workforce shortage."

"I wholeheartedly agree and support the effort to expand the Scholarship for Service program," says (ISC)2's Waddell. "The extreme shortage of qualified professionals, the demand for specialized training, the silver tsunami [aging workforce] and the focus on managing risk is reshaping the role of the cyber practitioner. Efforts like these will help make the federal government attract a greater number of students to the field and better prepare the workforce of the future."


CNAP also sets out plans for improving the private sector's security.

The National Center for Cybersecurity Resilience -- a team-up of the Departments of Homeland Security, Commerce, and Energy -- will create a place for organizations to test the security of their systems in a controlled environment "such as by subjecting a replica electric grid to cyber-attack," according to the White House fact sheet.

DHS and other industry partners are creating a new Cybersecurity Assurance Program that will conduct security testing and certification of Internet of Things devices.

Also, the National Cybersecurity Alliance, the government will partner with technology companies to increase public cybersecurity awareness about basic issues like using strong passwords, and help regular citizens better secure themselves.


Today, using an Executive Order, President Obama created a permanent Federal Privacy Council, which "will bring together the privacy officials from across the Government to help ensure the implementation of more strategic and comprehensive Federal privacy guidelines," according to the White House fact sheet.

(Such a group might help with issues that arise from the EU-US Privacy Shield.)

“I'm pleased with the Obama administration's CNAP plan as this is the most forward-thinking, down-to-earth plan we've ever seen from a Presidency on cybersecurity," says Harvey. "It's exciting to see what this administration is thinking and doing, and what could be in store for the country with the next president."

"These proposals merit a mix of near-term action and longer-term consideration, and I am encouraged that the Administration drew heavily on recommendations and best practices from private industry," says Ryan Gillis, vice president, Cybersecurity Strategy and Global Policy at Palo Alto Networks. "However, the ultimate significance of today’s announcements depends heavily upon Congress and the next Administration to implement.  Recognizing that this is a highly polarized election year, we have a precedent of bipartisan cooperation on key cybersecurity initiatives over the last few years, including the NIST Cybersecurity Framework and passage of several pieces of legislation.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/14/2016 | 2:31:03 PM
Re: So who's applying?
I would not even consider it while Obama is in office.
Sara Peters
Sara Peters,
User Rank: Author
2/10/2016 | 11:15:18 AM
So who's applying?
I really want to know... are any of you thinking of applying for the Federal CISO gig? Would you consider it? I can see why it would be a nightmare job for some people and a dream job for others, and I'm not sure where I would fall on that spectrum myself.
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...
PUBLISHED: 2020-01-26
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerabi...
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplie...
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker c...
PUBLISHED: 2020-01-26
[CVE-2020-3131_su] A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability i...