Appendix F: Summary of Recommendations

Each entry below gives the responsible party or parties, the action required, the body to which the deliverable is submitted, and the timeline. All timelines run from 1 Jan 2018.

Network Modernization & Consolidation

Prioritize the Modernization of High-Risk High Value Assets (HVAs)

1. Responsible: Department of Commerce (NIST)
   Action: Provide a plan for revising FIPS Publication 199 and FIPS Publication 200. The plan must include:
     • Proposed updates to any other relevant NIST Special Publications to support the transition of agency compliance efforts away from low-impact systems and toward high-impact systems.
   The updates should incorporate the use of the Cybersecurity Framework and, where appropriate, lessons from other control and compliance frameworks. They should also review the security requirements of other frameworks and system approval processes, and assess the use of overlays of those frameworks in the proposed updates to the relevant Special Publications.
   Submitted to: OMB
   Timeline: 30 days

2. Responsible: DHS and NIST
   Action:
     DHS: Provide a report identifying common areas of weakness in Government HVAs.
     NIST: Provide a plan to improve cryptographic agility across the Federal enterprise.
   Submitted to: OMB
   Timeline: 60 days

3. Responsible: OMB (in coordination with DHS)
   Action: Update the Federal Information Security Modernization Act of 2014 (FISMA) metrics and the Cybersecurity Cross-Agency Priority (CAP) Goal metrics to focus on the critical capabilities most lacking in agencies. Focus review and oversight efforts on driving progress on these capabilities, specifically for HVAs.
   Submitted to: Government-wide release
   Timeline: 90 days

4. Responsible: DHS
   Action: Work with agencies, including by issuing direction when appropriate and in accordance with its authorities, to support mitigation actions that address the common areas of risk identified in the Report to the President on Risk Management.
   Submitted to: Government-wide release
   Timeline: 90 days

5. Responsible: OMB (in coordination with DHS)
   Action: Develop a strategy to improve lines of authority and operating procedures across agencies, in order to reduce enterprise risk and coordinate responses to cybersecurity incidents.
   Submitted to: [For internal action]
   Timeline: 120 days

6. Responsible: Agency CIOs, CISOs, and SAOPs
   Action: Review their latest submission of HVAs and make any necessary changes to reflect the latest information on system prioritization, in tandem with the assessments made under their risk assessments as part of Section 1 of Executive Order 13800.
   Submitted to: DHS and OMB
   Timeline: 150 days

7. Responsible: DHS, OMB, and the NSC
   Action: Review the HVA lists submitted to DHS by Federal agencies and produce a prioritized list of systems for Government-wide intervention. Six HVAs will be selected to receive centralized interventions in staffing and technical support.
   Submitted to: President’s Management Council
   Timeline: 180 days

8. Responsible: Any agency that has an HVA identified as having a major or critical weakness in a risk assessment, RVA, SAR, or agency-sponsored review
   Action: Identify a remediation plan, including a proposal for accelerating modernization within one year and identification of impediments in policy, budget, workforce, or operations. The plan should:
     • Maximize use of shared IT services and consider application- and data-level protections and the use of commercial cloud-based architectures; and
     • Prioritize existing financial and human resources and identify other systems of concern, not categorized as HVAs, that may suffer from similar issues.
   Submitted to: OMB and DHS
   Timeline: 180 days

9. Responsible: Any agency that has an HVA identified as having a major or critical weakness in a risk assessment, RVA, SAR, or agency-sponsored review
   Action: Identify a remediation plan, including a proposal for accelerating modernization within one year and identification of impediments in policy, budget, workforce, or operations. The plan should:
     • Maximize use of shared IT services and consider application- and data-level protections and the use of commercial cloud-based architectures; and
     • Prioritize existing financial and human resources and identify other systems of concern, not categorized as HVAs, that may suffer from similar issues.
   Submitted to: OMB and DHS
   Timeline: 180 days

10. Responsible: DHS (in coordination with OMB, USDS, and GSA)
    Action: Provide hands-on technical assistance to agencies in bolstering protections for the systems identified through the process above as having the greatest need for modernization.
    Submitted to: [For internal action]
    Timeline: 180 days

11. Responsible: DHS
    Action: Expand the availability of DHS RVAs and SARs for agency HVAs and work with OMB to refocus these engagements on hands-on technical engineering interventions. Work with GSA to expand the visibility, offerings, and agency use of the Highly Adaptive Cybersecurity Services Special Item Numbers on IT Schedule 70.
    Submitted to: [For internal action]
    Timeline: 180 days

12. Responsible: OMB (in coordination with DHS, GSA, Federal agencies, and other stakeholders)
    Action: Capture standard operating procedures for the protection of HVAs, and develop a playbook that agencies can use to extend this approach to other systems in a prioritized, risk-based fashion.
    Submitted to: Government-wide release
    Timeline: 365 days

Network Modernization & Consolidation

Modernize the Trusted Internet Connections (TIC) and National Cybersecurity Protection System (NCPS) to Improve Protections, Remove Barriers, and Enable Commercial Cloud Migration

13. Responsible: OMB
    Action: Submit a data call to agencies requesting submission of both in-progress and pending cloud migration projects.
    Submitted to: Government-wide release
    Timeline: 30 days

14. Responsible: Agencies
    Action: Respond to the OMB data call. Propose a cloud migration plan that highlights the changes to policies and capabilities needed to enable faster migration.
    Submitted to: OMB
    Timeline: Commensurate with the timelines in the data call request

15. Responsible: GSA, DHS, OMB, NSC, USDS, and other relevant parties
    Action: Review agency data call responses.
    Submitted to: [For internal action]
    Timeline: 60 days

16. Responsible: OMB
    Action: Provide a preliminary update to TIC policy that introduces a 90-day sprint during which projects approved by OMB will pilot the proposed changes to TIC requirements.
    Submitted to: Government-wide release
    Timeline: 60 days

17. Responsible: Agencies
    Action: Collect the metrics that will be used to ensure that any proposed policy change does not introduce an unacceptable level of cybersecurity risk.
    Submitted to: OMB, DHS, GSA, NSC
    Timeline: 90 days

18. Responsible: GSA, DHS, OMB, USDS, NSC
    Action: Kick off a 90-day sprint to validate particular case studies for Category 2 cloud migration projects.
    Submitted to: [For internal action]
    Timeline: 90 days

19. Responsible: GSA, DHS, and OMB
    Action: For Category 3 cloud migration projects, work with agencies to evaluate whether there are common features or capabilities that could be provided efficiently, effectively, and securely by CSPs. This analysis will serve as an input to the FedRAMP JAB’s prioritization of High-baseline CSP offerings available to agencies that want to migrate high-impact data to the cloud.
    Submitted to: [For internal action]
    Timeline: 90 days

20. Responsible: OMB, GSA, and DHS
    Action: Using the information gathered from the previous actions, proceed with rapid updates to TIC policy, reference architectures, and NCPS operational models to enable the desired outcomes in commercial cloud.
    Submitted to: Government-wide release
    Timeline: 180 days

Network Modernization & Consolidation

Consolidate Network Acquisitions and Management

21. Responsible: DHS
    Action: Provide GSA and agencies with baseline configuration guidance for the Managed Security Services capabilities offered under EIS.
    Submitted to: GSA
    Timeline: 60 days

22. Responsible: GSA, in coordination with DHS
    Action: Develop a comprehensive acquisition strategy that provides a feasibility assessment and roadmap to:
      • Provide a path for all small agencies to use EIS services more easily and cost-effectively;
      • Review the security capabilities currently offered under MTIPS to ensure they provide adequate security in the current threat environment;
      • Identify additional areas of opportunity outside EIS to consolidate the acquisition of cybersecurity services and products; and
      • Determine the feasibility of establishing a centralized acquisition support function within GSA capable of performing cybersecurity-related contract management activities for small agencies.
    Submitted to: Government-wide release
    Timeline: 90 days

23. Responsible: GSA
    Action: Support small agencies in the transition to EIS by consolidating their requirements.
    Submitted to: [For internal action]
    Timeline: None given

24. Responsible: GSA
    Action: Provide guidance to small agencies on how best to leverage GSA’s cross-agency acquisition in order to optimize small agencies’ investments and management throughout the procurement process.
    Submitted to: Small & independent agencies
    Timeline: None given

Shared Services to Enable Future Network Architectures

Enable the Use of Commercial Cloud Services and Infrastructure

25. Responsible: OMB
    Action: Issue a data call asking agencies to identify systems that may be ready for cloud migration and can be migrated securely, but have not yet migrated because of perceived or encountered difficulties.
    Submitted to: Government-wide release
    Timeline: 30 days

26. Responsible: Agencies
    Action: Respond to the OMB data call.
    Submitted to: OMB
    Timeline: Commensurate with the timelines in the data call request

27. Responsible: OMB and GSA
    Action: Review the impediments to moving to the cloud reported by agencies and prioritize an infusion of technical talent, capital, and updated security policy (developed iteratively to solve agency-specific issues) as needed to enable the prioritized cloud migrations.
    Submitted to: [For internal action]
    Timeline: Conclusion of data call

28. Responsible: GSA (with OMB)
    Action: Work with volunteer agencies to pilot new initiatives to improve the speed, reliability, reusability, and risk-acceptance transparency of ATOs for cloud-based SaaS and shared services. Based on the combined efforts, including lessons learned and best practices for extending these pilot activities to a Federal civilian-wide scale, GSA will work with OMB to develop any plans or policy needed to promote these initiatives and any other innovative FedRAMP, shared services, or agency-specific efforts across the Federal enterprise.
    Submitted to: Government-wide release
    Timeline: 90 days

29. Responsible: OMB, in coordination with DHS and other Federal partners
    Action: Update the Federal Cloud Computing Strategy (“Cloud First”) to provide additional guidance to agencies on the most impactful use cases for cloud adoption and on how best to conduct appropriate operational security in cloud environments.
    Submitted to: Government-wide release
    Timeline: 120 days

30. Responsible: OMB
    Action: Conduct a thorough review of all relevant policies pertaining to IT modernization, cloud migration, infrastructure consolidation, shared services, and related topics, and initiate revisions, rescissions, or other rapid policy updates that may improve the ability of agencies to modernize effectively, securely, and efficiently. If necessary, OMB will issue further guidance to augment existing Federal technology and information security policy.
    Submitted to: Government-wide release
    Timeline: 120 days

31. Responsible: OMB, in coordination with the FAR Council, GSA, and DHS
    Action: Develop contract clauses that define consistent requirements for security, privacy, and access to data for use in cloud contracts.
    Submitted to: Government-wide release
    Timeline: 120 days

32. Responsible: OMB, working with the FAR Council, GSA, and DHS
    Action: Assemble a tiger team to develop a set of proposed statutory and regulatory acquisition changes that specifically target and help achieve the modernization goals outlined in this report. The tiger team will leverage regulatory reform efforts being conducted under legislative and executive order direction while (i) maximizing the use of commercial products and services; (ii) promoting competition; (iii) minimizing administrative operating costs; (iv) conducting business with integrity, fairness, and openness; and (v) fulfilling public policy objectives. The tiger team’s recommendations shall be fully coordinated with the appropriate stakeholders before being adopted.
    Submitted to: Government-wide release
    Timeline: 180 days

Shared Services to Enable Future Network Architectures

Accelerate Adoption of Cloud Email and Collaboration Tools

33. Responsible: OMB
    Action: Conduct a data call to agencies on their current email contracts, prices, and number of mailboxes.
    Submitted to: Government-wide release
    Timeline: 30 days

34. Responsible: Agencies
    Action: Respond to the OMB data call.
    Submitted to: OMB
    Timeline: Commensurate with the timelines in the data call request

35. Responsible: OMB
    Action: Convene a task force of agencies to finalize a set of requirements for both low and moderate security postures for email and cloud collaboration.
    Submitted to: Government-wide release
    Timeline: 30 days

36. Responsible: OMB
    Action: Establish a comprehensive strategy for driving the accelerated migration of agency email and collaboration tools to the cloud for departments and agencies that have not yet adopted cloud-based email.
    Submitted to: N/A
    Timeline: 60 days

37. Responsible: OMB
    Action: Issue updated identity policy guidance for public comment.
    Submitted to: Government-wide release
    Timeline: 75 days

38. Responsible: OMB
    Action: Assemble an Acquisition Tiger Team charged with drafting and disseminating a “quick start” acquisition package that helps agencies carry out rapid license and migration service acquisitions. The package would include:
      • Market research,
      • Acquisition plans,
      • Templates for requesting quotes,
      • Identified sources of supply, and
      • Independent Government Cost Estimate calculation templates.
    Submitted to: [For internal action]
    Timeline: 90 days

39. Responsible: Acquisition Tiger Team
    Action: Issue a Request for Information (RFI) or conduct other market research to identify qualified small businesses and socio-economic concerns, including qualified 8(a) companies able to assist agencies with migrations to cloud email, so that set-aside programs and other authorities can be used to streamline migration acquisitions to the greatest extent possible.
    Submitted to: Public release
    Timeline: 90 days

40. Responsible: OMB
    Action: Create acquisition/migration cadres, consisting of information technology and acquisition specialists, to be sent to early-adopter agencies to help with license and migration acquisition challenges.
    Submitted to: [For internal action]
    Timeline: 180 days

41. Responsible: OMB, in coordination with GSA
    Action: Pilot new acquisition tactics for cloud email and collaboration licenses, including but not limited to those discussed above and outlined in Appendix D.
    Submitted to: [For internal action]
    Timeline: 240 days

42. Responsible: GSA
    Action: Continue to work with existing cloud email and collaboration providers, and prioritize approval of a FISMA-High offering.
    Submitted to: [For internal action]
    Timeline: None given

Shared Services to Enable Future Network Architectures

Improve Existing and Provide Additional Security Shared Services

43. Responsible: DHS, in partnership with GSA
    Action: Complete the acquisition strategy for new, long-term task orders to offer CDM lifecycle support for Phases 3 and 4.
    Submitted to: Government-wide release
    Timeline: 60 days

44. Responsible: DHS
    Action: Obtain an initial ATO for the CDM Group F platform. Submit a plan to OMB that details the expectations and timelines for onboarding non-CFO Act agencies to the SSP.
    Submitted to: [For internal action]
    Timeline: 125 days

45. Responsible: DHS
    Action: Complete the data exchanges between the agency-level and Federal-level dashboards to provide enterprise-wide situational awareness of each agency’s cyber posture.
    Submitted to: OMB
    Timeline: 150 days

46. Responsible: DHS, in partnership with the Federal CIO Council
    Action: Implement a concept of operations for the Federal dashboard, together with procedures to manage cyber risks across the Federal enterprise.
    Submitted to: [For internal action]
    Timeline: 180 days

47. Responsible: OMB, GSA, and DHS
    Action: Identify potential offerings to provide SOC-as-a-Service capabilities to other agencies across the Federal Government.
    Submitted to: [For internal action]
    Timeline: 180 days

48. Responsible: GSA, in coordination with OMB and DHS
    Action: Lead contracting efforts to also offer commercially available SOC-as-a-Service capabilities to Federal agencies.
    Submitted to: Government-wide release
    Timeline: 180 days

49. Responsible: Selected agency or agencies
    Action: Provide a pricing model aligned with the cloud migration strategy and timeline outlined in the Report.
    Submitted to: OMB and DHS
    Timeline: 210 days

50. Responsible: DHS
    Action: Work with SOC-as-a-Service providers to ensure that NCPS and CDM capabilities and outcomes can be achieved and that visibility remains aggregated across cloud and on-premises security capabilities.
    Submitted to: [For internal action]
    Timeline: None given