Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government
- Consolidating Mission-critical Systems
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Eliminating the Pitfalls: Steps to Virtualization in Government
- Federal Executive Forum
- Federal Tech Talk
- Government Cloud Brokerage: Who, What, When, Where, Why?
- Government Mobility
- Mission-critical Apps in the Cloud
- Mobile Device Management
- The Modern Federal Threat Landscape
- The Path from Legacy Systems
- Understanding the Intersection of Customer Service and Security in the Cloud
Shows & Panels
Report prescribes pathway for cyber reform without legislation
Wednesday - 3/27/2013, 5:16am EDT
A new report offers a roadmap that purports to offer ways to measure cybersecurity outcomes rather than just processes, while recognizing that no two agencies have the exact same risk profile.
The report, released Tuesday by Safegov.org, in coordination with the National Academy of Public Administration, does not include a call for new legislation. Instead, it proposes agencies revamp their approach to compliance with the existing Federal Information Security Management Act. Rather than periodically auditing whether an agency's systems meet the standards enumerated in FISMA at a static moment in time, agencies and their inspectors general should keep running scorecards of "cyber risk indicators" based on continual IG assessments of a federal organization's cyber vulnerabilities, the authors concluded.
"It would be one way to signal the cyber health of an organization, meaning the capabilities, the processes and the way they're able to identify threats and vulnerabilities in a timely manner," Julie Anderson, the chief operating officer of Civitas and a co-author of the report said in an interview. "It also looks at the state of their workforce, their skill sets, and any upscaling or human capital investment that's needed. It's intended to be a comprehensive way to understand the health of the cybersecurity within an organization."
Julie Anderson, chief operating officer, Civitas
"A one-time per year evaluation is not going to produce information that's useful to a chief information officer or a chief security officer in order to make meaningful improvements," Anderson said. "That evaluation should occur on a real-time basis to identify those vulnerabilities, and then share that information with the CIO so the vulnerabilities can be addressed."
The report was timed to coincide with the beginnings of the implementation of the cybersecurity executive order that President Barack Obama signed on Feb. 12, and with the annual FISMA implementation guidance the Office of Management and Budget is currently developing. Anderson said the authors hope to influence both processes.
The report recommends that OMB issue several mandates to agencies. Among them:
- Inspectors general should adopt the report's approach to evaluating cybersecurity risks and come up with a new FISMA evaluation plan for their agency no later than May.
- The National Institute of Standards and Technology and the Department of Homeland Security should work together to develop cyber "threat models" that agency CIOs can use in order to prioritize which cyber risks are critical to mitigate and which can be accepted.
- IGs should prioritize their oversight plans and reporting in accordance with their agency's risk level.
- CIOs should make sure their inspector general's findings on cybersecurity risk get translated into action at the top management level of the agency or department.
Among them is the Department of Homeland Security's continuous diagnostics and mitigation program, which DHS intends to roll out across the entire "dot-gov" domain later this year through a process in which vendors will offer agencies continuous monitoring as a managed service.
"That's a very important process. It's data that can be shared with an IG. It could also be an input to a cyber risk indicator when we think about the various types of measures that could be used to develop an index," she said.
In another example, the steps federal agencies have already taken to improve and expedite cloud computing services through the FedRAMP program need to be leveraged into other information technology domains and used by inspectors general, Anderson said.
"This is the first program of its kind, in that it has certified outside providers that would conduct a very stringent set of tests on behalf of the government," she said. "We think that's a leading practice that could be built upon because of the specialized skill sets, the human capital and even the organizational capabilities that are in place now because of the investment that GSA has made and the training that's been done there. IGs could have that resource and tap into those third-party providers to help them conduct the FISMA compliance evaluation. It's much like the way the IGs already outsource their financial audits to a major accounting firm, but it would be a third-party provider that has already been blessed by GSA."