Brigadier General (retired) Gregory J. Touhill was announced as the first Federal CISO earlier this week, and is expected to continue the push toward stronger national cybersecurity measures.
Touhill is currently the Deputy Assistant Secretary for Cybersecurity and Communications in the Office of Cybersecurity and Communications (CS&C) at the Department of Homeland Security (DHS).
The White House explained in a statement that while great progress has been made in bolstering cybersecurity, such as establishing the Commission on Enhancing National Cybersecurity, there is still much more work to be done.
“Strong cybersecurity depends on robust policies, secure networks and systems and, importantly, a cadre of highly skilled cybersecurity talent,” wrote US Chief Information Officer Tony Scott and Special Assistant to the President and Cybersecurity Coordinator J. Michael Daniel. “Building on the Cybersecurity Workforce Strategy to identify, recruit, and retain top talent, the CISO will play a central role in helping to ensure the right set of policies, strategies, and practices are adopted across agencies and keeping the Federal Government at the leading edge of 21st century cybersecurity.”
Furthermore, the White House named Grant Schneider as the Acting Deputy CISO. Currently, Schneider is the Director for Cybersecurity Policy on the National Security Council staff at the White House.
“In creating the CISO role, and looking at successful organizational models across government, it became apparent that having a career role partnered with a senior official is not only the norm but also provides needed continuity over time,” Scott and Daniel explained.
The appointments are part of the administration’s larger plan to bolster cybersecurity measures. In February, President Obama announced the Cybersecurity National Action Plan (CNAP), which will take “near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security.”
As previously mentioned, the White House established the Commission on Enhancing National Cybersecurity. The Commission is composed of “top strategic, business, and technical thinkers from outside of Government,” according to a White House Fact Sheet.
The Commission will make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors while protecting privacy; maintaining public safety and economic and national security; fostering discovery and development of new technical solutions; and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion and use of cybersecurity technologies, policies, and best practices.
Numerous federal organizations are working to improve how entities approach cybersecurity issues while keeping CNAP in mind.
For example, the Office for Civil Rights (OCR) released a crosswalk in February 2016 to help covered entities identify “mappings” between the HIPAA Security Rule and the NIST Cybersecurity Framework. The guidance was designed to help identify potential gaps between the Security Rule and the NIST CSF.
OCR wanted organizations to understand that certain aspects of the HIPAA Security Rule “correlate directly to the Function, Category and Subcategory Unique Identifiers defined within the NIST Cybersecurity Framework.”
“The crosswalk also supports the President’s Cybersecurity National Action Plan (CNAP) by encouraging HIPAA covered entities and their business associates to enhance their security programs, increase cybersecurity awareness, and implement appropriate security measures to protect ePHI,” OCR explained.