October 31, 2014
Both the House and Senate were in recess this week.
Armed Services Committees Chairmen
Rep. Randy Forbes (R-VA) announced this week that he will challenge Rep. Mac Thornberry (R-TX) for the chairmanship of the House Armed Services Committee. The current chairman, Rep. Buck McKeon (R-CA), is retiring at the end of this Congress. Thornberry has seniority over Forbes, is favored by Republican leaders, has given the National Republican Congressional Committee significantly more than Forbes, and has the endorsement of McKeon; nevertheless, Forbes said that he would make his case to the Republican Steering Committee after the midterm elections. The Steering Committee is the group of 30 leadership-aligned House members who decide committee chairmanships by vote, with House Speaker John Boehner holding weighted votes.
And on the Senate side, Sen. Jack Reed (D-RI) was presumed to be the successor to retiring Senate Armed Services Committee (SASC) Chairman Carl Levin (D-MI). However, this week his spokesman stated that Reed hasn’t made a decision about which committee he would helm, and that he wouldn’t make the decision until after the election. Reed will be the most senior Democrat on SASC and Banking. If Reed opts for Banking, Sen. Claire McCaskill (D-MO) could be the most senior Democrat on SASC.
Financial Industry Regulatory Authority (FINRA)
The Financial Industry Regulatory Authority (FINRA) said at a conference this week that it is in the process of developing its 2015 examination priorities and will publish them in January 2015. The new priorities are expected to include more intense scrutiny of brokerage firms’ cybersecurity practices. FINRA is also hiring examiners with technology expertise to assist in reviewing firms’ practices. The new examiners will be looking for the measures firms have in place to secure clients’ data and will test the integrity of firms’ technology. FINRA is an independent, not-for-profit organization authorized by Congress to write and enforce rules governing the activities of securities firms and brokers, and to examine those firms for compliance with those rules. It is increasing its cybersecurity efforts in light of recent hacking events that compromised clients’ personal information and other data.
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) released their Draft Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing this week. The purpose of this publication is to assist organizations in establishing, participating in, and maintaining information sharing relationships throughout the incident response life cycle. It explores the benefits and challenges of coordination and sharing, presents the strengths and weaknesses of various information sharing architectures, clarifies the importance of trust, and introduces specific data handling considerations. The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices, examining the value of standard data formats and transport protocols to foster greater interoperability, and providing guidance on the planning, implementation, and maintenance of information sharing programs.
The publication makes the following recommendations, which are intended to enable organizations to make more efficient and effective use of information sharing and collaboration capabilities throughout the incident response life cycle:
- Organizations should perform an inventory that catalogues the information they currently possess and the information they are capable of producing, and should document the circumstances under which this information may be shared.
- Organizations should exchange threat intelligence, tools, and techniques with sharing partners.
- Organizations should employ open, standard data formats and transport protocols to facilitate the efficient and effective exchange of information.
- Organizations should enhance their cybersecurity posture and maturity by augmenting local data collection, analysis, and management functions using information from external sources.
- Organizations should define an approach for adaptive cybersecurity that addresses the full cyber-attack life cycle.
- Organizations should ensure that the resources required for ongoing participation in a sharing community are available.
- Organizations should protect sensitive information by maintaining an ongoing awareness of information security, vulnerabilities, and threats.
- Organizations should establish the foundational infrastructure necessary to maintain their cybersecurity posture and clearly identify the roles and responsibilities for installing, operating, and maintaining these capabilities.
A copy of the draft publication can be found at:
Department of Defense Directives
In the past week Deputy Secretary of Defense Robert Work released three DoD directives. Directives are broad policy documents used to establish policy, assign responsibilities, and delegate authority to those working in and with the military. The recently released directives cover the responsibilities of the Under Secretary of Defense for Intelligence, the management of serious security incidents involving classified information, and DoD’s privacy program.
Under Secretary of Defense for Intelligence (USD(I))
Last Friday, the Pentagon issued an updated version (attached) of DoD Directive 5143.01 defining the role of the Under Secretary of Defense for Intelligence. The position was established in the FY03 NDAA to improve management and coordination of defense intelligence programs. This update replaces the version issued in 2005 and reflects changes in the global environment as well as changes in the intelligence mission. Cybersecurity, insider threats, unauthorized disclosures of classified information, and biometrics are all new terms included in the expanded portfolio of the Under Secretary of Defense for Intelligence.
A copy of this directive can be found at:
Management of Serious Security Incidents Involving Classified Information
The Management of Serious Security Incidents Involving Classified Information directive released on Monday now designates unauthorized disclosures of classified information, leaks to the news media, acts of espionage, and certain other information security offenses as “serious security incidents.” The new terminology was adopted to standardize procedures for preventing, identifying, investigating, and reporting such violations when they occur. It replaces a previous directive from 2005. While not every case of mishandling classified information qualifies as a “serious security incident,” the term applies whenever there is an unauthorized disclosure. And the new directive says that “DoD personnel responsible for serious security incidents may be held accountable, as appropriate, in a criminal proceeding, civil judicial action, disciplinary or adverse administrative action, or other administrative action authorized by federal law or regulations.”
A copy of this directive can be found at:
DoD Privacy Program
Finally, the DoD Privacy Program delegates authorities and responsibilities for the effective administration of the DoD Privacy Program.
A copy of this directive can be found at:
Military Intelligence Program (MIP) FY14 Budget
The Department of Defense released the appropriated top-line budget for the Military Intelligence Program (MIP) for FY2014. The total FY14 MIP budget, which includes both the base budget and Overseas Contingency Operations appropriations, was $17.4 billion. The MIP budget has decreased by $10 billion over the past five years: it peaked in FY10 at $27 billion, then fell to $24 billion in FY11, $21.5 billion in FY12, and $19.2 billion in FY13 (reduced by sequester to $18.6 billion). The department determined that releasing this top-line figure does not jeopardize any classified activities within the MIP. No other MIP budget figures or program details will be released, as they remain classified for national security reasons.
Department of Defense Acquisition Reform Weekend Meeting
Frank Kendall, Undersecretary of Defense for Acquisition, Technology and Logistics is scheduled to meet with members of the Aerospace Industries Association (AIA) this weekend to discuss Better Buying Power (BBP) 3.0. Kendall released the latest acquisition reform initiative last month. Mary Margaret Evans, who has been tapped as Kendall’s point person on the rollout and industry outreach for the Better Buying Power 3.0 initiative, will also attend the meeting.
The BBP initiative seeks to improve the Department of Defense’s procurement process by providing more incentives for contractors to meet cost and schedule goals, removing some barriers to buying commercial products, incorporating more input from the intelligence community into requirements for future weapons, expanding the Superior Supplier Incentive Program, and getting draft requirements out earlier so that industry feedback can be incorporated into final solicitations. After the rollout, Undersecretary Kendall said his office would collect comments from stakeholders and then release a final product in early 2015.
A copy of the interim release of BBP 3.0 can be found at:
DHS Employee Morale Task Force
A Federal Register notice this week announced that DHS Secretary Jeh Johnson tasked his Homeland Security Advisory Council (HSAC) with establishing a DHS Employee Morale Task Force. The HSAC is comprised of leaders from local law enforcement, first responders, state and local government, the private sector, and academia. The new DHS Employee Morale Task Force will provide findings and recommendations on how to improve employee morale throughout the DHS enterprise. It will address, among other closely related topics, the following questions: (1) What are the core or root causes of continued low morale in the Department of Homeland Security? (2) How can DHS strengthen its leadership cadre, in order to both enhance mission effectiveness and increase employee morale? (3) How can DHS work as a whole, across the agencies and recognizing their distinct cultures, to build a greater sense of belonging and improve employee morale? (4) Referencing the 2007 HSAC DHS Morale Assessment: which of those recommendations were successfully implemented? For those items that were not implemented but still remain relevant, what changes should be made to increase the likelihood of successful implementation and organizational adoption? The task force’s findings and recommendations will be submitted to the HSAC no later than nine months from Oct 21, 2014 (date of publication). HSAC will then deliberate and vote on the recommendations during a public meeting. Once approved, the report will be sent to the Secretary for his review and acceptance.
Customs and Border Protection (CBP) Commissioner Gil Kerlikowske and DHS Secretary Jeh Johnson announced the selection of Kevin McAleenan as the Deputy Commissioner of CBP. McAleenan has served as the Acting Deputy Commissioner of CBP since April 1, 2013. Previously, McAleenan served as the acting assistant commissioner of the CBP Office of Field Operations, and as deputy assistant commissioner, Office of Field Operations. Prior to assuming these positions with CBP Field Operations, McAleenan served in several leadership capacities at CBP and the former US Customs Service. From 2006 to 2008, McAleenan served as the area port director, Los Angeles International Airport. Prior to his government service, McAleenan practiced law in California. He received his Juris Doctor degree from the University of Chicago Law School after earning a Bachelor of Arts degree, cum laude, from Amherst College.
The House and Senate are in recess until November 12.