This entry is part of a wonderful series, [slider title="Cyberczar"]Entries in this series:
- A Strategy to Secure the Federal Cyberspace
- President Obama Announces a "Cyber Czar"
- Talking Points: A STRATEGY TO SECURE THE FEDERAL CYBERSPACE
Friends and other readers,
Please find below a Strategy Paper that I wrote to express my thoughts about information security in the USA and what I think must be done to improve it.
As always, comments to me are welcome.
If you would like a PDF copy, please email me.
A Strategy to Secure The Federal Cyberspace
Thoughts on a mission possible
Numerous people have stated over the years that the federal information security sphere is an unmanageable creation. A creation with "too many fathers", conflicting priorities, political red tape, and one that is far too big to grasp. While these are all valid criticisms, a leader with the proper drive, resources, and ability to build consensus and harness collaboration, would be able to reach and maintain manageability of this sphere.
In this document I put forward my thoughts on how to do so. This task is a hard one. I believe no single person can do it alone, and that the leadership to form and coordinate the right combination of public and private partnership and a sense of common mission are essential to the task.
I do not believe a single thesis, however lengthy, can encompass the whole spectrum of challenges. While comprehensive, this essay is not meant to contain the detailed solution to the problem. This being said, I do list some of the measures that I would to contribute, and highlight some of the difficult paths that must be crossed, to reach that desired outcome: a well-secured information realm, where the business of our civilian government can be maintained and operated with minimized risk and greater efficiency than the currently employed model.
The twentieth century has largely been seen as The American Century. As the world was reaching the end of the Industrial Age and the Information Age was coming into its own, people, including myself, came unto these shores seeing America’s unlimited horizons in our future. America’s greatest asset has proven to be our enhanced knowledge that information, and information technology has provided us. The strategic advantage this information provides allows us to lead in advanced research, bringing us vast wealth, but also vast problems; we are the most spied-upon country in the world.
This is the updated version of this paper, including corrections and updates found after continuing research and feedback from trusted advisors. I welcome any input regarding the contents of this paper, in keeping with the spirit of collaboration towards our common goal.
_ _ _
Information security management is impossible in a vacuum. We must build on four decades of lessons learned and establish our practice using the best available minds to assure our leadership in information security. After reviewing some of the vast amounts of data available, it is only fitting to echo the Government Accountability Office (GAO) recommendation to "make the federal government a model in cyber security."
While not new, I propose these principles to the organization of the national cyber security effort. These tenets are Public / Private Collaboration, Information Sharing, and Directed Research. In the following pages I provide expansion on these ideas.
Some of the ideas put forward in the "2003 National Strategy to Secure Cyberspace", document (NSSC-2003) are worth following; however, I do not agree with the prioritization nor with some of the stated goals. I will expand further on this statement in the following sections.
_ _ _
One of the issues that continually hamper remediation efforts is that an equal sense of urgency is placed on all of the efforts needed to advance good cyber security. While a sense of urgency is appropriate to cyber security, we must organize our efforts into several priorities. In broad strokes, I would break down the categories into: Known and dangerous vulnerabilities which present imminent risk will become part of the Urgent Plan; Quantified goals and design methods to address these would be put into the Tactical Plan (three year); and longer reach opportunities, especially those which require new investments, additional planning, and are known to require a longer period of time would become the heart of the Strategic Plan (five year).
It is pragmatic and wise to divide and conquer the problems according to their risk, the amount of investment, and time required to achieve a true change. The priorities established in 2003 Cyberspace have changed because the situation has become highly fluid. Further, the rapidity with which events are presenting themselves has outpaced our ability to foresee and address them in a properly deliberated and cogent fashion. It is evident that there are cyber security must be addressed in the here-and-now and those challenges which can be placed into a well defined time table are to be dealt with in a thorough and well monitored fashion.
_ _ _
It would be beyond foolhardy to imagine that a government, even as powerful, large and resourceful as the government of these United States, can do everything that needs to be done on its own. In this aspect, I would adopt both the 2003 Cyberspace and the GAO’s findings that collaboration with industry is the key to a successful solution to this complex and ever-evolving challenge.
In the following pages, I will expand on what I see as the essential steps that must be taken, and with whose assistance. One point that I would like to make clear: Government - Private sector cooperation will have to be a two-way street. The government must lead and contribute, and the private sector must respond in kind. Ideas on collaboration, including:
- And timings
will be covered in this document.
_ _ _
As the current debate raging on Capitol Hill, and elsewhere, shows us, there is tremendous interest in the roles of this position. This position, which in effect is the Chief Information Security Officer of the United States, requires careful definition. Particularly the position’s scope, its place within the Administration, and its reporting structure must be well thought-out. Additionally, this official’s role in determining the information security facet of the Budget should be clearly specified. This paper addresses my vision for this position – what I believe would be required in order to deliver on a scope defined herein.
The person entrusted with securing the information essential to our United States should have a clearly defined role. This role should not generally change between one Administration and another, and consideration be made as to making this official have a term appointment, and should be flexible enough to evolve as the threat scenario changes .
Allow me to clarify that the term "information security" is not identical to "IT security." The responsibility of this job is much bigger than protecting the computer infrastructure. I am referring here to any information assets, which may include, for example, physical protection of Internet Peering Points; Business Continuity and Disaster Readiness; strong authentication and other methods to mitigate the human factor; and standardization of what is applicable for use in solving repeatable process. The examples are long and varied, the important part is that this comprehensive approach is understood and addressed.
There are at least two focal points for this role.
Firstly, this person will set the rules, policies and standard of diligence for all Federal agencies (excluding the Defense and Intelligence Community.) In this first role, the person is acting as the Chief Information Security Officer for the Federal Government; and as such, agency CISOs should have dotted-line responsibility to this office. This role will also have an advisory capacity to help define the roles of other agency Information Security Officers ,, . Additionally, this person is also the one to represent the civilian Federal government in its relationship with the public, with industry, and with the intra-governmental transactions.
The second focal point for this role is acting as the guardian of the civilian information infrastructure in the United States. In this role, the responsibility to provide guidance and protection to our varied Supervisory Control and Data Acquisition (SCADA) systems, for example, is a major responsibility. The SCADA systems, while owned and managed by private industry, are depended upon for the delivery and smooth and efficient operation of large part of the Government services delivery to our public. Clearly, a strong relationship is demanded here with private industry, with the public, and with academic institutions to deliver on the requirement of this role.
The time has come for a line has to be drawn in the sand. What are the relevant systems, locations, networks, people and reach of this role? This question must be answered.
As I will detail further in a section below, I believe that one of the responsibilities of this role, one necessary for the person to perform his or her duty, is the definition of scope. Clearly, this paper is too narrow to define all the tasks that need to be performed. However, statements are made in an abbreviated form covering a subset of them. The number assigned to each task does not necessarily refer to the task’s priority.
Task 1: Assign all civilian agencies a date by which their systems, networks, locations and boundaries (at the topological layer) are fully defined and that this definition communicated to the office of the CISO. The meaning of this task is the establishment of the exact content needed to be collected; the format in which this communication is to take place; whom, at each agency, will be responsible for the assembly and the collection of this data; and how the data will be updated and maintained when collected .
Task 2: Define the crossover and shared points between agencies; between agencies and the public; and between agencies and non-civilian governmental entities .
Task 3: Inventory the information protection assets that exist within each agency. This task refers to all resources – from personnel to tools, et al .
Task 4: After successful completion of tasks 1 through 3, define the criticality, arising from either mission need or data sensitivity, of each and every system and data asset in a manner similar to Department of Defense classification level, and further specified in FIPS Publication 199 .
Task 5: Perfect the definition of information protection assets to include critical and important non-governmental resources that must be safeguarded.
Placement and Reporting Structure
This position will bear responsibility for the entire civilian government. Placing it within the Department of Homeland Security (DHS) sends the wrong message that the other agencies would not have to abide by its decisions. Further, in Industry sectors that are not traditionally related to defense, a conflicting set of requirements, such as those from the Department of Commerce, may exist.
To send a uniform, measured and coherent voice, I believe that this position should exist within the Executive Office of the President. Just as the nation’s Chief Information Officer (CIO) and Chief Technology Officer (CTO) co-ordinate efforts from that office, so should the CISO, working closely with his peers, to the breadth of the civilian government. The Office of Management and Budget (OMB) will be one ideal place for such an endeavor, where the functions of the office can physically take place.
Day-to-day oversight of this position should be given to the Chief of Staff, however, the person should report directly to the President of the United States in regards to progress on all Urgent, Tactical and Strategic plan tasks. Additional oversight is provided, of course, by the system of government we call Checks and Balances that allows the United States Congress to demand reports and performance of certain tasks.
As we have learned lessons during the time passed since the creation of this position at the Department of Homeland Security, this position must have at its disposal a federal purchasing authority. The ability to make budgetary decisions, for specific and for government-wide tasks , not only for efficiency but also especially for the ability to affect performance, is essential.
Since Cyber Security is an evolving challenge, and since we are addressing different time horizons here, we must ask Congress to allocate a multi-year budget to this opportunity. The sheer size of the challenge demands the ability to focus on proper solutions, whether short- or long-term, and discourages a quick-fix approach.
_ _ _
The Three Tenets
I propose to organize this Herculean effort upon three tenets. These pillars reflect my belief that this is not a job that can be done by one person alone. This role must be supported by an organization, and by the office where it belongs. As I described above, this role’s scope is beyond the Federal agencies alone. The constant sharing, update, testing, verification and enhancement of the data needed and generated by this role is essential and mission critical.
Public / Private Collaboration
For collaboration to work, a real two-way sharing of ideas is needed. Due to hard and excellent work of many generations of security professionals, the United States government employs some of the brightest minds in the field of information security. The research and development done is paid for, and is done to the benefit of all our citizens. Likewise, innovation is usually seen as the purview of private industry. From Silicon Valley to Syracuse, smart and entrepreneurial men and women have invented and thought, in non-traditional ways, of solutions to problems that are faced by all information users, regardless of the source of their paycheck.
In many countries, sharing of progress is a self-understood, defined, and deeply ingrained process. I propose the official increase of the sharing efforts already done on our shores:
Task 6: Create an Official advisory board of industry and government luminaries to advise the Chief Information Security Officer in his or her duties .
Further, why not utilize the formal organizations within the government, even within the Defense and Intelligence agencies, to advise and test the protective measures, electronic and others, which sensitive industry has in place? While the legal framework for performing such action has to be clarified, doing so will pit the best-of-the-best "red teams" versus the most important private sector data and that data’s guardians. Only improvement can come out of such effort.
While I clearly anticipate that this plan will generate a lot of consternation within the reading audience, I sincerely believe that other countries (China, Israel, France, to name just a few) are already, and have for a while, used exactly this type of sharing to the betterment of their nation, and the possible detriment of ours.
Task 7: Recommend legislative changes, where needed, to allow utilization of public capabilities to test and enhance defenses of sensitive industries .
The term "Information sharing" is not limited to testing of a sector’s capabilities. The Federal government should monitor for directed attacks targeting sensitive industry sectors and both warn targeted companies and participate in the sector’s defense. Actively participating in a defense of a pharmaceutical company under electronic attack is not different than assigning an anti-aircraft missile battery to guard the same company’s buildings against bombers. Actively warning a bank against a targeted attack is not different than assigning police personnel to guard the bank’s entrances.
During the horrific attack on September 11, 2001, the terrorists targeted some of the most visible symbols of United States pride. The Twin Towers, standing tall in our most visible city, represented to some the Wealth, Reach and Power of our United States. The Pentagon represents the Might and Force of our military power.
Imagine what would have happened if the targets in New York City would have been slightly different: What if the New York Federal Reserve Board, with its Wealth of Nations in gold bullion was hit? What if a certain data center "hoteling" -point was targeted?
These are not rhetorical questions. These are real, soul-search demanding questions that should be researched, addressed, and protected. The loss of life answer will not be easily known. The financial and transactional loss, and with it, the following damage to our nation (and indeed, the global economy) would have been disastrous.
Task 8: Demand disaster preparedness and business continuity programs will be developed, maintained, tested and updated by all identified sensitive sectors, with the aid, support and verification of the United States government.
As the task above, while obvious in its necessity to most, is costly, I urge that a public debate on its priority, essential nature, and cost mitigation, shall take place. I expect this task to be a very hard "sell" to many elements in the private sector.
Since more and more of our information business is handled by companies and networks that are global in reach, I would recommend a more active participation in worldwide Standards organizations. Chief among those is the International Standards Organization, the ISO.
Some of the excellent work performed in the United States, for example, in the fields of Disaster Recovery, be it covered under Continuity of Government (COG), Continuity of Operations (CoOP), or civilian data recovery (for example, the work by the Disaster Recovery Institute), can contribute vastly the developing International Standard that will come out of the British Standard (BS) 25999. Likewise, the International Standard 27001 and its related family can be applied to global organizations. These standards are easily audited and have the additional benefit of more easily available people resource to implement.
I applaud the National Institute of Standards and Technology (NIST) participation in these efforts, and in particular in the excellent work done on revision 3 (draft) of the NIST Standard SP800-53  and the revision’s " Introducing a three-part strategy for harmonizing the FISMA security standards and guidelines with international security standards including an updated mapping table for security controls in ISO/IEC 27001"
Task 9: Champion, with the National Institute for Standards and Technology (NIST), the United States’ participation and Leadership in worldwide Standards Organizations.
No discussion of information sharing will be complete without mention of the Information Sharing and Analysis Centers, the ISACs. The theory behind the creation of the ISACs was a sound one. The execution of most ISACs, however, is anemic at best.
The funding for programs which contribute to the ISACs, such as through DHS’s National Protection and Programs Directorate (NPPD) and/or Information Analysis and Infrastructure Protection Directorate (IAIP) (formerly including the National Infrastructure Protection Center (NIPC)), has been not only sporadic, but frequently in doubt from one budgetary year to the next. We must change this now. National Infrastructure Protection is no less important than Civil Defense. Collaboration within industry groups must be immune from anti-trust laws, and allowed to be, or even demanded to be, free-flowing, continuous, and documented.
Task 10: A documented knowledge-sharing effort must be funded for critical industries. This effort should be coordinated and protected by legislation so thoughts and information will be free flowing.
"Information protection" does not define a fire-and-forget attitude. Constant research and betterment of our posture, defensive as well as other, is essential to our economic survival. The federal government should take its rightful place as the Champion, supported and demander of par-excellence education, research and development of information security tools, techniques, procedures and understanding.
We should invest in centers of excellence within schools, from the high-school level to universities, which will encourage awareness of information security. Awareness is foundation to all information security efforts. Without awareness, we shall surely fail.
We should contribute to the development of nuclei of understanding and to the clusters of knowledge that will operate within research universities. These clusters will encourage thinking about information security problems and solutions, and will, most assuredly, enhance further the economic success of the United States by providing generations of scholars.
We should consider the formation of a cadre of thinkers, following in the example of AmeriCorp, available to advise the government and industry, on best and future practices in the realm of Information Security. This would be a substantial expansion of the National Science Foundation (NSF), the Office of Personnel Management (OPM) and the Department of Homeland Security’s Scholarship for Service  program .
Task 11: Work together with the Department of Education and Congress to develop scholarships, curricula and mentoring abilities made available to public and private institutions to enhance learning within the field of Information Security.
_ _ _
The breadth of the job ahead demands priority assignation. The same weight cannot be placed on every goal; the same priority cannot be given to every task. We know there is plenty to be done. As a matter of pragmatism, we must quantify the risks and the available resources.
Breaking the challenge down into a three-tier plan makes our approach and resource planning and allocation more feasible. Some items will require immediate consideration and mitigation. I would place those in the Urgent Plan. Known problems that require a measured and well-executed approach will be put into the Tactical Plan, to be addressed within one to three years. Finally, those large tasks for which resources and plans must be marshaled belong in the Strategic Plan, to be addressed within a three to five year execution horizon.
For multi-year funding issues, please refer to the BUDGET section above.
The Urgent plan
The very first task of any information security program is to create awareness of the opportunity to improve, the benefits of information security, and the drawbacks to being insecure. Every dollar spent in what is generally referred to as "Awareness" is returned many fold in the form of informed professionals, watchful personnel and ab initio securely defined systems, tasks and procedures.
The role of Information Security, as a part of the inherent design of processes, is to facilitate progress. Without information security, tools that we rely on for the performance of our daily jobs, and even our daily life, will not be possible. As some examples describe, government services, currently offered in a portal form, would not be available; medical insurance would be unfeasible; and credit would not be extensible.
A coherent and far-reaching information security awareness program must be developed. This program will be communicated through the auspices of educational facilities from the secondary school level and beyond. A workplace program for organizations that manage and access critical and sensitive systems must be thought out. Such a plan should not have to come from the Federal government, but should be encouraged and perhaps even mandated by funding and emphasis on information security.
Task 12: Invest, develop and encourage Information Security Awareness programs in the educational system and in sensitive information asset-related industry .
The Urgent Plan would contain items that define obvious and easy-to-exploit vulnerabilities. These will include assets currently under attack and assets whose vulnerabilities are either already known or are predictable to assess. This "Vulnerable" list will form the core of the Urgent Plan’s goals.
Task 13: With the aid of the information gleaned from Task 1; assemble a collection of easily exploitable and vulnerable assets.
Further, items whose protection is critical to safety and security of the United States information sphere belong in this plan. Even if a known vulnerability does not exist, the review of these items’ security is essential. This Business Impact Analysis (BIA) is essential to the delivery of services performed using those critical information assets.
Task 14: As a continuation of Tasks 4, 5 and 13 above; assemble a priority list of sensitive and critical information assets that must be addressed in the Urgent Plan.
It may seem obvious, but I feel I must state the fact that the Urgent Plan should not be seen as a fire-and-forget, disposable, plan. New items would be added and existing items removed, as they are addressed. This plan will continue in effect in perpetuity, constantly updated and honed.
Task 15: Continue maintaining and managing the Urgent Plan, with an eye towards advances in technology, our understanding of the evolving information security landscape and the inherent effects, which this progress will bring.
The Tactical Plan
In addition to the input from tasks above, a collection of known problems and opportunities to improve on our information security posture must be distilled to create the Tactical Plan. I would recommend the analysis of laws, regulations, policies and procedures, and, in some cases, propose the creation of same with a long-term view toward the changing threat landscape.
In conjunction with the utilization of best practices, together with the input from the standard process above, a desired-state goal will be promulgated. Working jointly with agency CISOs, there is a need to formulate a plan to achieve that state.
Task 16: Work with agency CISOs to plan a coherent tactical roadmap, with measureable progression milestones, achieving a desired state of information security readiness.
Collaboration with private industry and academe will reveal additional layers of information assets, outside the Federal sphere proper, which must be protected and safeguarded. These assets should be integrated into the plan and the advisory board, stipulated in Task 7 (above), will advise, involve and assist in the planning and reviewing of protection for these assets. I applaud the GAO’s recommendation to "Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts" here.
Task 17: Utilize the formal advisory board to help derive substantive improvement in other-than-governmental information assets’ security posture.
Finally, the full cooperation of Academe and of non-civilian agencies will yield the ability to perform exercises, such as Cyber Storm, to test, evaluate and measure the increase in protection of information assets, in a comprehensive format, a format that is simply not available today.
Task 18: Leverage America’s utilization of its Academic leadership together with non-civilian agency capabilities to stress-test the system and measure its capabilities, weaknesses, and room for enhancement.
The Strategic Plan
We know some of the tasks ahead to be enormous. Several of these tasks require legal change, financial allocation, lengthy preparedness or even a sea-change in understanding and approach to information security.
The key shall be not to shy away from a task simply because of its breadth, scope or cost. Where necessary, we should ask for legal advice and support. When resource availability is a concern, we must work with Congress and the Office of Management and Budget (OMB) to resolve the challenge. If preparation is the key, we must plan ahead and gear-up to the challenge.
Task 19: Analyze the tasks falling within the Strategic Plan to properly prepare and define their scope, timing and resource demand. Use this analysis to detail the need and forecast the requirements to fulfill these tasks.
Since not all information needed to populate this plan is known at this time, the plan ought to continue to evolve. The plan would be originated utilizing information from the systems known, and from information gathered from performing the urgent and tactical tasks above.
This plan comes with the requirement for awareness and dedication that does not allow room for fear nor hesitation with regard to the enormity of its breadth, scope or potential cost.
_ _ _
A successful Information Security program requires devoted and attentive participation from all stakeholders. The CISO should lead by example and encourage the contribution of as many sectors of our industry, academia and culture as possible.
I would ask for voluntary participation in the Advisory board (see Task 7, above) from information security thinkers, industry leaders and legal advisors, to augment the knowledge already held by the government and create new way to address challenges. In compliance with the "Federal Advisory Committee Act Amendments of 1997" , I would invite experts on privacy as well as on commerce to advise and contribute to the effort ahead.
The government must lead the effort of protection of its assets. Each agency must be responsible and accountable for its own "house."  In addition to this, basic, responsibility, the agencies’ capability to contribute to the entire effort must be evaluated and considered.
The "trial" programs allowing certain government knowledge-sharing with private industry must be codified. These efforts have the potential to increase by orders of magnitude the protection with which our sensitive industry is equipped. The knowledge shared will have the benefit of enhancing the Public trust, protecting our culture and assuring delivery of essential services.
Task 20: Work with private industry and Congress to codify information sharing from the government to industry and vice-versa.
Task 21: Create a formal process where information sharing, such as described in Task 20, can take place.
Further, the government must improve on the build of the basic ISACs. The potential to prevent large-scale damage and to prepare similar organizations to a known and already defended-from attack is simply too important and time critical to leave unutilized.
For sensitive regulated industries, such as the Financial Sector, a formal form of Incident Response is needed. Voluntary cooperation with suggested guidelines or even standards, as the case is, mostly, today, would leave the country unevenly and inadequately protected from evolving threats.
Task 22: Work with industry, Congress and various Government agencies to define and codify the minimum Incident Response program requirements for sensitive industry sectors.
The government should not and must not enact, demand, deploy and address information security concerns in a vacuum. Industry ought to participate and contribute from its knowledge, development and discovery to the enhancement of our information security posture.
Agility and flexibility, not typically the bulwark of governments, must be utilized to respond to rapidly changing threat scenarios. New tools maximizing efficiency and redundancy should be made available and shared with government functions.
Additionally, for cost and efficiency reasons, the acquisition, deployment and usage of Commercial-Off-the-Shelf (COTS) products should be maximized. Only in very specific cases will development of a special tool or technique be required by the civilian government.
Naturally, the addition of government customers will require industry to adapt, grow, and support additional capabilities, which might be at this time nonexistent or neglected. This is an opportunity for tremendous growth for industry.
If "Information Security Awareness" is the foundation to a successful information security program, such program’s capstone is leading research that our institutions of higher learning perform.
Much as the Internet was developed with the government’s help in a series of universities, so would many future developments in information security.
The United States government ought to champion offering incentives to both institutions and students, as well as to employers, to teach and research information security and related subjects.
From time to time, there will be the need for specific, pointed examination of a certain opportunities for improvement. These opportunities should be communicated to Academe and jointly incentivized to assure the timely and comprehensively addressing of issues raised.
Task 23: Propose the creation of a national Information Security Education Board, whose tasks are to facilitate communications, help direct research, and propose topics for education and study.
This Board will be specifically involved with Information Security and work with the Chief Information Security Officer. It is different from the Federal Bureau of Investigation’s (FBI) National Security Higher Education Advisory Board and will have different focus and goals.
_ _ _
I created this document to show how I would go about enhancing Information Security for a federal government and for us, the American Public at large. Knowing that securing our Information space is a large and trans-generational job, I listed what I see as the steps to be taken to address the pressing need in the nation today.
Not all the ideas in this document are wholly mine. This document also builds on others’ ideas: from Howard Schmidt to Rod Beckstrom; from Professor Eugene Spafford to Doctor Eugene Schultz’, and many others. Where those ideas make sense, credit goes to my mentors; where these do not, criticism goes to me.
As I stated in the opening, I welcome any input regarding the contents of this paper. Please send such input to my email address on the first page.
Thank you for your kind attention and support.
_ _ _
With experience in Academe, Industry and Government, Ariel Silverstone is a thought leader on the future of Information Security and the Internet.
Mr. Silverstone is an independent consultant. He was the Director, Office of the CTO, for Symantec and Chief Information Security Officer for Temple University and for Bell Canada’s Teleglobe unit. He has a wealth of experience with both physical and information security. He holds both the CISSP (for security) and the CBCP (for business continuity planning) certifications, as well as many others. Having been involved in the computer industry for over 18 years, he contributed to over 20 published books and many articles and consults nationally and internationally.
_ _ _
 The document can be found at www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf
 As an example, I refer to section 801 of the "9/11 Commission Act of 2007" that provided for multiple year appointments "Implementing the Recommendations of the 9/11 commission act of 2007", Pub L. No. 110-53, Â§801(c)2B
 Noting the guidelines defined under FISMA, OMB Directives and the Clinger-Cohen Act.
 The term "FISMA" refers to the "Federal Information Security Management Act" (Pub L. No. 107-347? Title III, Â§Â§301-305) (2002).
The term "Clinger-Cohen Act" refers to Division E of the "National Defense Authorization Act for Fiscal Year 1996", as renamed in
Pub. L. 104-208. Such Division was formerly named the "Information Technology Management Reform Act (1996)".
This Task further expands on the OMB’s Directive, found at (Implementation of Trusted Internet Connections (TIC), 2007)
 This Task further expands on the OMB’s Directive, found at (Protection of Sensitive Agency Information, 2006)
 See further NIST Publication 199 (Standards for Security Categorization of Federal Information and Information Systems, 2004)
 In a manner not violating Anti-Deficiency Acts, and in particular, not violating 31 U.S.C. Â§Â§ 1341(a), 1342, or 1517(a),
 One good example for such advisory council is ACT-IAC. More information is available at the Federal CIO Council website (www.CIO.gov)
 For example, an expansion of the "E-Government Act of 2002" (Pub L. No. 107-347) might be advised.
 For the full draft, please see (SP Draft Publications, 2009) at http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Rev.%203
 More information on the Federal Cyber Service’s Scholarship for Service program can be found at https://www.sfs.opm.gov .
 One very successful example is the Federal CIO University. (More details at http://www.cio.gov/index.cfm?function=cio_university_FAQ)
 Again, expanding greatly on FISMA mandates and OMB Guidelines.
 By "Federal Advisory Committee Act Amendments of 1997" I refer to Pub. L. 105-153.
 Expanding greatly and detailing FISMA mandates and OMB Guidelines.