1. PMC Update on Cyber Sprint June 18, 2015 1

2. Overview: 30-Day Cyber Sprint 1.Interagency Cyber Sprint Team: Launched June 11 and executing against the following work streams High Value Asset Review Two-Factor PIV Best Practices Cybersecurity Shared Service Offerings Incident Response Rapid Recovery Emerging Technologies Resources 2.Agency High Priority Actions Strong Authentication – Privileged and All Users DHS’s Critical Vulnerability Report Indicators of Compromise Scans High Value Asset Identification and Protection Reviews Privileged Users and their Activities Reviews GOAL: Dramatically and Rapidly Improve Federal Cybersecurity 2

3. Agency High Priority Actions Dashboard To follow-up on the priority cybersecurity action items sent by the Federal CIO, OMB has developed a new Dashboard to help track progress The scheduled FISMA and PMC quarterly process will continue. However, given the current threat environment we will collect additional information from agencies in order to drive priority, executive attention to 5 key actions (which are a subset of the actions required in the PMC process) that all agencies must take immediately OMB is working with the Chief Information Security Officers to fully integrate the FISMA reporting metrics into the PMC quarterly process by the start of FY 2016 3

4. Components of the Dashboard The Cyber Sprint Priority Actions Dashboard will track the following actions: Strong Authentication – status of information normally reported for the Cybersecurity CAP Goal DHS’s Critical Vulnerability Report – status information from DHS’s weekly report Indicators of Compromise (IOC) – status of agency scans for these IOCs across their internal networks High Value Assets – identification and review of security protections of high value assets Privileged Users and their Activities – review Privileged Users and their activities to reduce the number as much as possible 4

5. Agency High Priority Actions Targets 100% PIV based Strong Authentication * for Privileged Users by June 26, 2015 75% PIV based Strong Authentication for all users by July 15, 2015 No critical vulnerabilities should go unmitigated for more than 30 days Indicator of Compromise (IOC) scans started within 24 hours of DHS issuance Meet agency self-defined targets for reduction in the number of Privileged Users by July 15, 2015 High Value Assets identified and initial agency security protection reviews completed by July 15, 2015 *- Personal Identity Verification (PIV) or alternative solutions that provides NIST 800-63 Level-4 assurance of the user's identity 5

6. New information to be collected from agencies Agency High Priority Actions Dashboard Agency sort order: Privileged user %, Not mitigated after 30 days or more, Unprivileged users % 6

7. Agency Tools and Support Cyber Sprint Knowledge Portal Repository of solutions for implementing priority actions Example, solution for PIV Implementation on Apple Devices DHS Assessment Teams Cyber Sprint Team identified Top 10 High Value Assets DHS dedicating teams to assessing these assets over the next few weeks Digital Service – Cybersecurity Experts Cybersecurity Experts being identified Will support cyber sprint activities Agencies will also have access to candidates 7

8. Agencies will be required to submit updated information on the following dates: June 26 July 10 July 15 (as part of quarterly FISMA and CAP Goal reporting) OMB will establish a MAX Collect Exercise to collect this information – details will be sent to Agency CIOs by early next week Cyber Sprint Priority Actions Dashboard will be updated and shared following these submissions Next Steps 8