Can Agile Mindset Address Federal Cybersecurity?
In a bid to safeguard national infrastructure and applications from security breaches, federal agencies may ultimately leverage Agile software development best practices -- including so-called Scrum Sprints and perhaps even Continuous Delivery methodologies.
"In the Scrum method of Agile software development, work is confined to a regular, repeatable work cycle, known as a sprint or iteration. Scrum sprints used to be 30 days long, but today many teams prefer shorter sprints, such as one-week or two-week sprints," notes Scrum Methodology.
Now, apply that definition to the U.S. government's growing focus on cybersecurity. Following the high-profile Office of Personnel Management hack, Federal CIO Tony Scott in mid-June launched a 30-day Cybersecurity Sprint. As part of that effort, Federal agencies must:
- Immediately deploy indicators provided by DHS regarding priority threat-actor Techniques, Tactics, and Procedures to scan systems and check logs. Agencies shall inform DHS immediately if indicators return evidence of malicious cyber activity.
- Patch critical vulnerabilities without delay.
- Tighten policies and practices for privileged users.
- Dramatically accelerate implementation of multi-factor authentication, especially for privileged users.
The Cybersecurity Sprint was scheduled to end in mid-July. So far, the government hasn't disclosed any particular outcomes. But next steps will surely emerge.
Once the Sprint concluded, the federal government planned to create and operationalize a set of plans and strategies to further bolster federal and civilian cybersecurity, Scott indicated in a June 2015 blog.
Principal components of that strategy will include:
- Protecting Data: Better protect data at rest and in transit.
- Improving Situational Awareness: Improve indication and warning.
- Increasing Cybersecurity Proficiency: Ensure a robust capacity to recruit and retain cybersecurity personnel.
- Increase Awareness: Improve overall risk awareness by all users.
- Standardizing and Automating Processes: Decrease time needed to manage configurations and patch vulnerabilities.
- Controlling, Containing, and Recovering from Incidents: Contain malware proliferation, privilege escalation, and lateral movement. Quickly identify and resolve events and incidents.
- Strengthening Systems Lifecycle Security: Increase inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner.
- Reducing Attack Surfaces: Decrease complexity and number of things defenders need to protect.
Can Agile Assist?
As the government and businesses attempt to navigate the threat landscape, it's clear that new approaches -- borrowed from Agile Software Development and Scrum Sprints -- will influence the strategies.
However, the latest trend from the Agile mindset may also be the most challenging. It's called Continuous Delivery. The idea is to consistently deliver new enhancements in a never-ending cycle.
Some pundits call Continuous Delivery the next chapter of Agile methods. Others consider Continuous Delivery the full-blown successor to Agile. Either way, the Federal government will need more than one 30-day sprint to continuously move its security efforts forward.