Appendix F: Summary of Recommendations

| # | Responsible Party/ies | Action Required | Submitted to | Timeline (Upon Presidential Approval) |
|---|---|---|---|---|
| 1 | ATC, GSA, OMB, DHS, Commerce | Release report for industry feedback, adjudicate recommendations, submit final report. | The President | 60 days |
Network Modernization & Consolidation

Prioritize the Modernization of High-Risk High Value Assets (HVAs)

| # | Responsible Party/ies | Action Required | Submitted to | Timeline (Upon Presidential Approval) |
|---|---|---|---|---|
| 2 | Department of Commerce | Provide a plan for revising Federal Information Processing Standard (FIPS) 199 and FIPS Publication 200 within the next year. The plan must include: • Proposed updates to any other relevant NIST Special Publications to support the transition of agency compliance efforts away from low-impact systems and toward high-impact systems; • The updates should include the use of the Cybersecurity Framework and, where appropriate, incorporate lessons from other control and compliance frameworks; • The updates should review security requirements for other frameworks and system approval processes, and assess the use of overlays of these frameworks into the proposed updates of the relevant Special Publications. | OMB | 30 days |
| 3 | Agency CIOs, CISOs, and SAOPs | Review their latest submission of HVAs and make any necessary changes to reflect the latest information on system prioritization, in tandem with the assessments made under their risk assessments as part of Section 1 of Executive Order 13800. | DHS and OMB | 30 days |
| 4 | DHS (in coordination with OMB) | Identify common areas of weakness in Government HVAs and articulate them in a report to include: • Recommendations for addressing these risks; and • Past and current Risk Vulnerability Assessments and Security Architecture Reviews that DHS has performed on various agency HVAs. | POTUS | 60 days |
| 5 | OMB (in coordination with DHS) | Develop a strategy and framework for an approach to improve lines of authority and operating procedures across agencies to reduce enterprise risk and coordinate responses to cybersecurity incidents. | [For internal action] | 75 days |
| 6 | OMB (in coordination with DHS) | Update the Federal Information Security Modernization Act of 2014 (FISMA) metrics as well as the Cybersecurity Cross-Agency Priority (CAP) Goal metrics to focus on those critical capabilities most lacking in agencies. Focus review and oversight efforts on driving progress on these capabilities, specifically focused on HVAs. | Government-wide release | 75 days |
| 7 | DHS | Direct Government-wide mitigation actions, consistent with Executive Order 13800, to address common areas of risk identified in the Report to the President on Risk Management. | Government-wide release | 75 days |
| 8 | Any agency that has an HVA identified as having a major or critical weakness in either a risk assessment, RVA, SAR, or IG report | Identify a remediation plan, including a proposal for accelerating modernization within one year and identification of impediments in policy, budget, workforce, or operations. The plan should: • Maximize use of shared IT services and consider application- and data-level protections and the use of commercial cloud-based architectures; and • Prioritize existing financial and human resources and identify other systems of concern that may suffer from similar issues but are not categorized as HVAs. | OMB and DHS | 80 days |
| 9 | DHS, OMB, and the NSC | Review HVA lists submitted to DHS by Federal agencies and produce a prioritized list of systems for Government-wide intervention. • Six HVAs will be selected to receive centralized interventions in staffing and technical support. | President’s Management Council | 100 days |
| 10 | DHS (in coordination with OMB, USDS, and GSA) | Provide hands-on technical assistance to agencies in bolstering protections for systems identified through the process outlined above as having the greatest need for modernization. | [For internal action] | 100 days |
| 11 | DHS | Expand the availability of DHS RVAs and SARs for agency HVAs and work with OMB to refocus these engagements to concentrate on hands-on technical engineering interventions. Work with GSA to expand the visibility, offerings, and agency use of the Highly Adaptive Cybersecurity Services Special Item Numbers on IT Schedule 70. | [For internal action] | 100 days |
| 12 | OMB (in coordination with DHS, GSA, Federal agencies, and other stakeholders) | Capture standard operating procedures for the protection of HVAs. Develop a playbook that agencies can leverage to expand this approach to other systems in a prioritized, risk-based fashion. | Government-wide release | 365 days |

Network Modernization & Consolidation

Modernize the Trusted Internet Connections (TIC) and National Cybersecurity Protection System (NCPS) to Improve Protections, Remove Barriers, and Enable Commercial Cloud Migration

| # | Responsible Party/ies | Action Required | Submitted to | Timeline (Upon Presidential Approval) |
|---|---|---|---|---|
| 13 | OMB | Submit a data call to agencies requesting submission of both in-progress and pending projects for cloud migration. | Government-wide release | 30 days |
| 14 | Agencies | Respond to OMB data call. Propose a cloud migration plan that highlights needed changes to requisite policies and capabilities to facilitate faster migration. | OMB | Commensurate with timelines in the data call request |
| 15 | GSA, DHS, OMB, NSC, USDS, and other relevant parties | Review agency data call responses. | [For internal action] | 60 days |
| 16 | OMB | Provide a preliminary update to TIC policy that introduces a 90-day sprint during which projects approved by OMB will pilot proposed changes in TIC requirements. | Government-wide release | 60 days |
| 17 | Agencies | Require collection of metrics that will be used to ensure that any proposed policy changes do not introduce an unacceptable level of cybersecurity risk. | OMB, DHS, NSC | 90 days |
| 18 | ATC | Kick off a 90-day sprint to validate particular case studies for Category 2 cloud migration projects. | OMB, DHS, NSC, GSA, USDS | 90 days |
| 19 | OMB, GSA, and DHS | Using information gathered from previous actions, proceed with rapid updates to TIC policy, reference architectures, and NCPS operational models to facilitate outcomes in commercial cloud. | Government-wide release | 180 days |

Network Modernization & Consolidation

Consolidate Network Acquisitions and Management

| # | Responsible Party/ies | Action Required | Submitted to | Timeline (Upon Presidential Approval) |
|---|---|---|---|---|
| 20 | DHS | Provide GSA and agencies with baseline configuration guidance for Managed Security Services capabilities offered under EIS. | GSA | 60 days |
| 21 | GSA, in coordination with DHS | Develop a comprehensive acquisition strategy that provides a feasibility assessment and roadmap to accomplish the following: • Provide a path for all small agencies to more easily and cost-effectively utilize EIS services; • Review the security capabilities currently offered under MTIPS to ensure they provide adequate security within the current threat environment; and • Identify additional areas of opportunity outside of EIS to consolidate acquisition of cybersecurity services and products. Determine the feasibility of establishing a centralized acquisition support function within GSA capable of performing cybersecurity-related contract management activities for small agencies. | Government-wide release | 90 days |
| 22 | GSA | Support small agencies in the transition to EIS by consolidating requirements for small agencies. | [For internal action] | None given |
| 23 | GSA | Provide guidance to small agencies on how best to leverage its cross-agency acquisition in order to optimize small agencies’ investments and management throughout the procurement process. | Small & independent agencies | None given |

Shared Services to Enable Future Network Architectures

Enable the Use of Commercial Cloud Services and Infrastructure

| # | Responsible Party/ies | Action Required | Submitted to | Timeline (Upon Presidential Approval) |
|---|---|---|---|---|
| 24 | OMB | Issue a data call that will have agencies identify systems that may be ready for cloud migration and can be migrated securely but have not yet migrated due to perceived or encountered difficulties. | Government-wide release | 30 days |
| 25 | Agencies | Respond to OMB data call. | OMB | Commensurate with timelines in the data call request |
| 26 | OMB, in coordination with DHS and other Federal partners | Update the Federal Cloud Computing Strategy (“Cloud-First”), which will provide additional guidance to agencies on the most impactful use cases for cloud adoption and how best to conduct appropriate operational security in cloud environments. | Government-wide release | 120 days |
| 27 | OMB, in coordination with the FAR Council, GSA, and DHS | Develop clauses that define consistent requirements for security, privacy, and access to data for use in cloud contracts. | Government-wide release | 120 days |

Shared Services to Enable Future Network Architectures

Accelerate Adoption of Cloud Email and Collaboration Tools

| # | Responsible Party/ies | Action Required | Submitted to | Timeline (Upon Presidential Approval) |
|---|---|---|---|---|
| 28 | OMB | Establish a comprehensive strategy for driving the accelerated migration of agency email and collaboration tools to the cloud for departments and agencies that have still not adopted cloud-based email. | N/A | 60 days |
| 29 | OMB | Conduct a data call to agencies regarding their current email contracts, prices, and number of mailboxes. | Government-wide release | 30 days |
| 30 | Agencies | Respond to OMB data call. | OMB | Commensurate with timelines in the data call request |
| 31 | OMB | Convene a task force of agencies to finalize a set of requirements for both low and moderate security postures for email and cloud collaboration. | Government-wide release | 30 days |
| 32 | OMB | Issue updated identity policy guidance for public comment. | Government-wide release | 45 days |
| 33 | OMB | Assemble an Acquisition Tiger Team, charged with drafting and disseminating a “quick start” acquisition package that can help agencies facilitate rapid license and migration service acquisitions. The package would include: • Market research; • Acquisition plans; • Templates for requesting quotes; • Identified sources of supply; and • Independent Government Cost Estimate calculation templates. | [For internal action] | 90 days |
| 34 | Acquisition Tiger Team | Send out a Request for Information (RFI) or conduct other market research activities to find qualified small business and socio-economic concerns, leveraging set-aside programs and other authorities to streamline the migration acquisitions to the greatest extent possible, and to identify qualified 8(a) companies that are able to assist agencies with migrations to cloud email technologies. | Public release | 90 days |
| 35 | OMB | Create acquisition/migration cadres, consisting of information technology and acquisition specialists, that will be sent to early-adopter agencies to help with license and migration acquisition-related challenges. | [For internal action] | 180 days |
| 36 | OMB, in coordination with GSA | Pilot new acquisition tactics for cloud email and collaboration licenses, including but not limited to those discussed above and outlined in Appendix D. | [For internal action] | 240 days |

Shared Services to Enable Future Network Architectures

Improve Existing and Provide Additional Security Shared Services

| # | Responsible Party/ies | Action Required | Submitted to | Timeline (Upon Presidential Approval) |
|---|---|---|---|---|
| 37 | DHS, in coordination with GSA and Federal agencies | Complete the acquisition strategy for new, long-term task orders to offer CDM lifecycle support. Award new, long-term task orders through the CDM Program to offer CDM lifecycle support to agencies and provide solution development and implementation for Phases 3 and 4. | [For internal action] | 60 days |
| 38 | DHS | Obtain FedRAMP assistance in developing a DHS ATO package compliant with the FedRAMP process. Submit a plan to OMB that details the expectations and timelines for onboarding non-CFO Act agencies to the SSP. | [For internal action] | 125 days |
| 39 | DHS | Complete the data exchanges between the agency- and Federal-level dashboards to provide enterprise-wide situational awareness of an agency’s cyber posture. | OMB | 150 days |
| 40 | DHS, in coordination with the Federal CIO Council | Implement a concept of operations for the Federal dashboard as well as procedures to manage cyber risks across the Federal enterprise. | [For internal action] | 180 days |
| 41 | OMB, in coordination with DHS | Select agencies to provide SOC-as-a-Service offerings and to lead contracting efforts to offer commercially provided SOC-as-a-Service for use across the Federal Government. | [For internal action] | 60 days |
| 42 | OMB (Selected Agency/ies) | Develop a pricing model in alignment with the cloud migration strategy and timeline outlined within the Report. | Government-wide release | 90 days |
| 43 | DHS | Work with SOC-as-a-Service providers to ensure that NCPS capabilities and outcomes can be achieved and that visibility remains aggregated across cloud and on-premise security capabilities. | [For internal action] | None given |
| 44 | OMB (Selected Agency/ies) | Create a pilot of their SOC-as-a-Service capability and identify initial agencies with whom they will collaborate and test access and visibility. | [For internal action] | None given |