December 9, 2016 By Christopher Burgess 3 min read

In September 2016, the White House announced the appointment of retired Brig. Gen. Gregory J. Touhill as the first federal chief information security officer (CISO). Touhill’s job is to drive cybersecurity, planning and implementation across the government. This announcement is presented as the culmination of several actions undertaken by the executive branch to enhance the cybersecurity posture of the U.S.

Introducing the First Federal CISO

As the new CISO puts his hand on the tiller of federal information security needs, the cybersecurity ship already has four specific initiatives aboard, all of which were initiated during the federal fiscal year 2016. These are the:

Shaping National Cybersecurity Strategy

In July 2016, the administration issued its first Federal National Strategy on Cybersecurity. The strategy included four key initiatives, all of which focus on national cybersecurity issues:

  • Expand the cybersecurity workforce through education and training;
  • Recruit the nation’s best cyber talent for federal service;
  • Retain and develop highly skilled talent; and
  • Identify cybersecurity workforce needs.

In an open letter to Touhill, the (ISC)2, an international nonprofit membership association focused on inspiring online safety, suggested the new federal CISO focus his efforts on a few key areas, including:

  • Cyber versus general workforce needs: It’s important to consider the needs of both the cyber and general workforce when devising security policies.
  • Improving awareness: Increased awareness and vigilance will lead to better cybersecurity practices.
  • Effectively addressing the shortage of talent: The role of the cybersecurity professional is evolving due to the IT skills gap, demand for specialized training, industrywide emphasis on risk management and other factors.

These recommendations should interweave nicely with the foundational direction provided by the White House, specifically the efforts of the CENC. The CENC’s 12-person, bipartisan commission, under the leadership of Thomas Donilon, President Barack Obama’s former national security adviser, and Sam Palmisano, the former chief executive of International Business Machines Corp.

The aim of the CENC will be to create a list of actions that both government and private organizations can take to improve the country’s overall security posture, Donilon said at the CENC’s public meeting on Nov. 21. The report will be reviewed for 45 days — through Jan. 15, 2017 — and then made public.

From the Horse’s Mouth

On Nov. 16, Touhill wrote a blog post, titled “My Priorities as the First U.S. Chief Information Security Officer,” detailing the five initiatives on which he intends to build the CNAP. According to this article, he has plans to do the following:

  1. Harden the workforce. Embrace the Cybersecurity Workforce Strategy and, in doing so, increase awareness among the nation’s cybersecurity workforce and employ best practices in protecting citizens’ information.
  2. Treat information as an asset. Identify the data that needs protecting and protect that data appropriately.
  3. Do the right things the right way. Use industry best practices to reduce the likelihood of cyber incidents and data breaches. Then practice and perfect how data is protected.
  4. Continuously innovate and invest wisely. Outdated equipment and processes allow for vulnerable infrastructure. Leveraging the Information Management Task Force (IMTF), efforts will be made to modernize antiquated systems.
  5. Make informed cyber risk decisions at the right level. Make sure the information required to make decisions is being delivered to the decision-makers.

The first 100 days of the federal CISO’s tenure is ambitious. With the support of private sector expertise, academic resources and the impetus of the IMTF, however, the CISO will march into 2017 with plenty of momentum.

More from Government

CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM

3 min read - In 2022, the Cyber Incident for Reporting Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, "CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors."While the law itself is on the books, the reporting requirements for covered entities won't come into force until CISA completes its rulemaking process. As part of…

Important details about CIRCIA ransomware reporting

4 min read - In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.The CIRCIA incident reports are meant to enable CISA to:Rapidly deploy resources and render assistance to victims suffering attacksAnalyze incoming reporting across sectors to spot trendsQuickly share information with network defenders to warn other…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today