Every incoming US president seems to set up a committee to look into, and make recommendations for, computer/information/cyber-security.
In due course these committees issue their reports. A standard feature has been the recommendation that there be more exchange of information. Business usually welcomes this until they realize that "exchange of information" means business tells the government everything, and government tells the rest of the world nothing.
Since the report this time comes from the Office of Management and Budget, it only addresses government agencies, and, I am delighted to say, doesn't mention "exchange of information."
This report is a mere 22 pages long, which must be some kind of record for brevity. Of course, being only 22 pages long, it can only mention four points. They are:
1) (US Federal) Agencies don't understand security, and don't have the capability to address it. The action OMB suggests to fix this is to get everyone to use the Cyber Threat Framework, which is NIST publication 800-37, the Risk Management Framework to Federal Information Systems. Like all NIST publications it is a comprehensive piece of work, and completely unsurprising to anyone who has ever applied a development lifecycle to security.
2) Agencies haven't standardized security. Agencies should standardize security.
3) Agencies don't know what is happening on their networks. Agencies should a) consolidate to a Security Operations Center (SOC), or b) migrate to SOC-as-a-Service.
4) Security isn't standardized (see point 2). So agencies should do risk assessments and report on a quarterly basis? Are they ever going to do any other work? And, given the concern with standardization elsewhere in the report, it is odd that there is no mention in this section of a standard for risk assessment, risk assessment reporting, or metrics to be reported.
If anyone has any illusions about the utility of government security reports, this will be disappointing. As it is, it's merely useless.
Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
This message may or may not be governed by the terms of