This handbook aims to give CISOs important information they will need to implement Federal cybersecurity at their agencies. It is designed to be useful both to an executive with no Federal Government experience and to a seasoned Federal employee familiar with the nuances of the public sector. At its core, the handbook is a collection of resources that illuminate the many facets of the cybersecurity challenge and the related issues and opportunities of Federal management.
Section 1 outlines the CISO’s role within the agency and in the Federal Government as a whole. The section starts with an overview of the statutory language that defines the CISO’s mandate and the responsibilities agencies have with regard to information and information security. Next comes an overview of key organizations and their roles in Federal cybersecurity. The section concludes with a summary of the many kinds of reporting the CISO must conduct to keep the agency accountable to government-wide authorities.
In Section 2, the challenge of cybersecurity is broken down into two parts: managing risk across the enterprise, and government-wide policies and initiatives. Each part begins with summaries of key reference documents for that aspect of the challenge.
The risk management portion of Section 2 uses as its guide The Framework for Improving Critical Infrastructure Cybersecurity, agencies’ implementation of which was mandated by Executive Order 13800. To provide a systematic overview of the risk management process, example agency policies are mapped to specific objectives in the Cybersecurity Framework Core as well as to key National Institute of Standards and Technology (NIST) publications.
Section 2 concludes with examples of government-wide approaches to cybersecurity. These examples show how an initiative or threat can be translated into policy that must then be incorporated into agency-level operations and policy.
Section 3 contains information to help CISOs manage their organization’s resources. The section begins with an overview of Federal workforce and hiring authorities and the mechanisms by which a CISO can develop an effective cybersecurity team. An overview of contracting follows, with summaries of Federal acquisition regulations and contracting vehicles. Section 3 ends with a high-level overview of the government-wide services designed to help CISOs better perform their duties and improve the cybersecurity posture of their agency and, by extension, the Federal Government as a whole.
The appendices contain links and reference documents that direct CISOs to more detailed information on the tools, policies, and best practices discussed in this handbook. The “FISMA Responsibility Breakdowns” and the “Governmentwide Policies and Publications” portions were developed specifically for this handbook.
As a whole, this handbook is meant to provide CISOs with a foundational understanding of their role. The information is presented in plain language with the expectation that it will be reinforced with detailed analysis of both government-wide and agency-specific resources. The tools, initiatives, policies, and links to more detailed information make the handbook an effective reference document regardless of the reader’s familiarity with Federal cybersecurity.