Despite these cuts, one area the new budget doesn't skimp on is cyber security. The President has consistently called for increased focus on cyber security across both public and private sectors, declaring "The cyber threat is one of the most serious economic and national security challenges we face as a nation".
This policy is reflected in Obama's 2014 budget, the introduction to which states:
"We must also confront new dangers, like cyber attacks, that threaten our Nation’s infrastructure, businesses, and people. The Budget supports the expansion of Government-wide efforts to counter the full scope of cyber threats, and strengthens our ability to collaborate with State and local governments, our partners overseas, and the private sector to improve our overall cybersecurity."
This blog post series will examine the increases in cyber-security spending across each federal agency in the 2014 budget. We will start with the Department of Commerce.
Department of Commerce
The Department of Commerce will allocate $754M (an increase of $131M from the 2012 enacted level) to the National Institute of Standards and Technology (NIST), a good chunk going towards NIST's cyber security mission:
"This funding will accelerate advances in a variety of important areas, ranging from cybersecurity and smart manufacturing to advanced communications and disaster resilience."
NIST's own 2014 budget request contains more details about their cyber-security spending, including the following increases:
- Cybersecurity R&D and Standards (+$15 million, or roughly 25 additional full-time equivalent [FTE] employees)
- National Strategy for Trusted Identities in Cyberspace (NSTIC) (+$8 million)
- National Initiative for Cybersecurity Education (NICE) (+$1 million, +2 FTE).
When it comes to R&D and Standards (the first line item above), NIST already has a well-established role. NIST is the main agency responsible for approving cryptographic standards used all over the world, including the Advanced Encryption Standard (AES) and the various secure hashing algorithms we've all come to know and love. Much of the rest of the world takes its cue on approved cryptographic practices from NIST.
In addition to its cryptographic mission, NIST is responsible for developing security standards and policies for government agencies through its "Special Publications" series, including most notably:
- SP 800-53, "Recommended Security Controls for Federal Information Systems" (similar in scope to ISO 27001)
- SP 800-137, "Information Security Continuous Monitoring for Federal Information Systems and Organizations"
- SP 800-144, "Guidelines on Security and Privacy in Public Cloud Computing"
I recommend that you browse the complete list of NIST's special publications, as there are some good resources there.
NIST runs the NVD (National Vulnerability Database) and the CSRC (Computer Security Resource Center). More information about NIST's computer security initiatives can be found on the NIST Computer Security Division site.
NIST maintains some technical standards related to security automation and the interoperability of security tools like the ones we develop at Rapid7. This family of related standards includes SCAP (Security Content Automation Protocol), OVAL (Open Vulnerability Assessment Language), and XCCDF (Extensible Configuration Checklist Description Format).
In the next part of this series, we will look at the Department of Defense's proposed increases in cyber-security spending.