Goal 3: Advance Data and Information Security Protections

Overview

Data and information are the bedrock of CDC’s public health mission. Data come into the agency from surveillance systems around the country and world. CDC scientists and epidemiologists collect, analyze, combine, and share data to keep the American public healthy and safe. The agency recognizes the risks associated with operating a large, global information technology enterprise and must strengthen processes, procedures, and tools to ensure the prevention, detection, and correction of potential incidents. The cyber threat landscape is constantly evolving—today’s new cutting-edge safeguards can be turned into tomorrow’s vulnerability overnight. The advancing sophistication and increasing regularity of significant cybersecurity events require intense focus on digital security. In such a landscape, CDC’s capabilities must also evolve. Safeguards must be more innovative, detection of risks more sophisticated, and responses swifter.

Objective 3.1: Improve data sharing security by automatically protecting data at rest, in motion, or in use.

Objective Description:

As cybersecurity threats continue to evolve, CDC must maintain a secure operating environment that prevents unauthorized access to sensitive public health information or the potential loss of data and information that could damage CDC’s reputation, create financial liability, or otherwise impede the public health mission. From an IT perspective, advanced protections must be applied across three key junctures: data at rest, data in motion, and data in use. Engineering and implementation of enhanced Information Protection (IP) technologies will improve CDC’s ability to apply automated protective measures at the network perimeter and/or on computing and storage devices using specific attributes such as data origin, current storage location, destination, and access permissions. Data loss protection and other security automation efforts improve customer experience and adherence to IT security and compliance policies. To stay ahead of emerging threats, CDC must continue development of monitoring and data loss protection capabilities that neutralize security and privacy risks and threats before they can impact agency IT environments, data, or operations.

Objective 3.2: Advance threat monitoring and response capabilities to predict, prevent, and respond to threats and vulnerabilities.

Objective Description:

To prevent unauthorized access or cyberattacks that disrupt business operations, CDC must proactively detect and remediate application and system vulnerabilities. Comprehensive internal assessments are necessary to integrate all threat information with cyber principles to protect CDC from internal and external threats, which may include phishing, advanced malware, brute force attacks, social engineering, and other targeted attacks that compromise CDC systems and exploit their trusted access to the agency’s network. Many threats, such as those employing advanced malware, hide and persist to exploit vulnerabilities over time. The purpose of such attacks may include viewing, modifying, stealing, or otherwise compromising access to agency systems and information. Continuous monitoring for known attacks and unusual activity provides data that can be correlated and analyzed to identify threats and compromised systems. Vital information must be shared with other agencies and partners to respond to emerging threats and prepare for possible future attacks. Focusing on insider threats is also critical to reduce intentional and unintentional behavior that can lead to costly data breaches and even data loss. Enhancing the agency’s ability to proactively search, detect, investigate, and contain advanced threats will help defend against attacks and mitigate risks to critical CDC systems and data.

Outcome and Mission Impact:

Implementing a next-generation cybersecurity program to protect personal health information and other data against hacking, misuse, or identity theft will support the key CDC priority of protecting the public health and business data upon which our mission relies. Protecting the data with which CDC is entrusted will further allow us to protect our reputation as the world’s premier public health agency and deliver the technology needs of the mission.

The Office of the Chief Information Officer is part of CDC’s Office of the Chief Operating Officer.

Page last reviewed: February 24, 2022