Following the news that the White House has ordered federal agencies to immediately adopt basic security practices, including privilege management, in the wake of the OPM security breach, Philip Lieberman, CEO of Lieberman Software explains why this is a positive step for the US government:
“We are really happy that the administration has provided both a mandate and guidance to the Federal Government on proper security processes. For those agencies where the President has the power of appointment and oversight, there is a good chance that those agencies will adjust their priorities immediately. For other Federal agencies and their workers, the story is more complex.
In the US Federal government, what happens or doesn’t is frequently more dependent on budgets (no money was allocated by the President) and the availability of staff or contractors to implement mandates of the President or Legislature. The Legislature must also provide detailed rules and responsibilities for the implementation of policies.
Unfunded mandates and rules without consequence are not an uncommon occurrence in the United States. The effect of those actions can be the creation of laws and rules that never get implemented because there is no money to do so, nor any consequence of not doing so for Federal Government workers. So, if there is no money to create something new, and no penalty for not changing priorities, the status quo is an expected outcome.
It does appear the normal gridlock in Washington, DC has been broken as the result of the OPM event and it is now politically wise for the Legislature to finally pass laws and policies as well provide funding for cyber-security in the Federal Government. Turning on CSPAN in the US this morning I was greeted with politicians presenting bills for consideration with righteous indignation that the events at OPM were outrageous examples of incompetence by others. So, the political machine is moving in Washington, DC and hopefully money will be flowing into cyber-security technology and its implementation.
One of the mandates of the President was the implementation of proper privileged access management. We have been beating this drum in the DC area for a decade and it is nice to have the Whitehouse also now beating the same drum to control access to only those that need it and for only as long as they need it. We further agree that the automation of privileged identity management is a core element of keeping the Federal Government secure and minimizing the consequences of inevitable intruders by also limiting their access even if they use sophisticated hacking technologies.”