IGs to propose cyber maturity model to better gauge federal cyber health

Thursday - 2/6/2014, 4:45am EST

Jason Miller reports.

Federal auditors recognize the government needs a better way to truly measure how agencies are protecting their computers and networks.

The current approach varies too much across the government. It relies on special publications, a 10-year-old law and negotiations with agency chief information officers.

But change may be on the horizon. Both the Council of the Inspectors General on Integrity and Efficiency and the National Institute of Standards and Technology are considering ways to close the gap between the auditors and agencies over the most important metrics to more accurately evaluate the security of the government's computer networks and systems.

The end goal of these efforts could bring more consistency to the cyber auditing process and engender more confidence in its results.

A recent example of this disconnect comes from the State Department. The IG issued a management alert about long-standing problems within the department's cyber operations. But at the same time, State has long been held as the model for others for its use of continuous monitoring and risk-based scoring.

These paradoxical views are part of the reason why some experts are calling for the government to change the way it measures cybersecurity and the impact of the billions of dollars agencies spend each year on it.

"If the IG wants to bring value to the discussion, they need to be certain in what they are measuring and it's respectful of where things are going or have gone over the past year," said a government official familiar with State's cyber efforts, who spoke on the condition of anonymity because the official was not allowed to talk to the press. "They need to look at relevant issues, whether continuous diagnostic and mitigation, or Federal Information Security Management Act reforms, or whatever agencies really are focusing on based on their priorities and risks."

Ever-increasing number of metrics

But it's not just the IGs. Each year, the Homeland Security Department provides federal inspectors general and agencies with an update to what they will be measured against as part of their annual audit under FISMA.

That yearly exercise builds on previous metrics, as well as those published by NIST and any new agency-specific focus areas. In short, IGs and agencies face a growing list of cyber requirements that many experts say are almost impossible to fully implement.

Experts say since the goals are nearly unattainable, agency resources are diverted from focusing on the 10 or 20 or however many items that really could make a difference in securing their networks.

Instead, some experts say agencies spend billions of dollars that may or may not make a difference. And auditors continue to write reports that highlight problems that rarely change year after year.

Alan Paller, the director of research at the SANS Institute, which offers cybersecurity training, said the reason the number of requirements continues to climb is simple.

"There's no accountability. You can say anything you want if you're an IG or GAO unless Congress says, 'You auditors are responsible for looking at the right stuff or our guys are going to do the wrong thing,'" he said. "It doesn't have to be legislative. It can be through hearings. By bringing the IG in to explain why those problems are not being fixed, what will happen is the IG will be forced to be accountable for the problems not being fixed as opposed to why they exist. So right now, you can come in as a GAO guy and talk about how bad the stuff is, but you haven't been responsible for actually telling Congress why you have written the same report six times and it hasn't gotten fixed. I'm going to tell you the reason is because your guidance is irrelevant or impossible to implement. And as soon as you have to say that, 'Oops, we told them to do the wrong thing,' you'll fix it."

Paller said in large organizations, both public and private sector, the auditors drive the behavior. He said until the auditors understand the cyber issues more deeply, agencies, IGs and Congress will continue to be unsure of their network security.

"If you want to fix this, you have to change the way you think about cybersecurity in the federal government, from 'Those CIOs are doing the wrong thing,' to 'Who's telling them what they have to do? And is there any responsibility on the part of the people telling them what they have to do to ensure they are prioritizing them?'" Paller said. "Until you say there is accountability for the people writing those reports and they have to at least prove that these things can be done. If you're NIST and you write this stuff, you have to prove it can be done in your own agency. You have no right to tell someone else what to do if you don't do it yourself."