Shows & Panels
- Accelerate and Streamline for Better Customer Service
- Ask the CIO
- The Big Data Dilemma
- Carrying On with Continuity of Operations
- Client Virtualization Solutions
- Data Protection in a Virtual World
- Expert Voices
- Federal Executive Forum
- Federal IT Challenge
- Federal Tech Talk
- Feds in the Cloud
- Health IT: A Policy Change Agent
- Improving Healthcare Outcomes through IT Policy
- IT Innovation in the New Era of Government
- Making Dollars And Sense Out of Data Center Consolidation
- Navigating the Private Cloud
- One Step to the Cloud, Two Steps Toward Innovation
- Path to FDCCI Compliance
- Take Command of Your Mobility Initiative
- Veterans in Private Sector: Making the Transition
Shows & Panels
Search Tags: FISMA
This week host Tom Temin talks with Ron Ross of NIST and Nicole Dean, deputy director of the National Cyber Security Division.
September 16, 2010
People exercise risk management, consciously and unconsciously, every day.
Many of us drive on a daily basis. Some speed, and risk the chance of getting caught, while others are more conservative and drive the exact speed limit. We base our decision on whether or not to exceed the speed limit on the information available to us at the time, including our knowledge, past experiences, or the conditions we see in front of us. We weigh the risks against impacts and consequences, making decisions based upon our tolerance for the outcomes. The same is true for federal cyber risk management.
Securing federal information and assets in cyberspace is the primary driver behind cybersecurity. Even so, other factors help define risk, including the potential for negative publicity if a cyber breach occurs, the impact to budget/performance plans if FISMA grades fall short, or the potential for investigations or congressional hearings if the burning issue of the day burns a bit too bright for too long. Federal cyber risk management fundamentally boils down to making risk decisions based upon an agency's risk tolerance - and the drivers behind an agency's tolerance vary across the federal government.
Risk is defined as the likelihood of a future event that may have unintended or unexpected consequences. Federal agencies make the best cyber risk management decisions by using data and information to evaluate the agency's strengths and weaknesses for delivering on its cyber mission in the context of potential threats.
Agencies must use information and data from various disparate sources across the enterprise to make these decisions, including audit log information, vulnerability data, asset information, the agency's regulatory compliance status, external and internal threat activity, human capital risks to the cybersecurity mission, and many more. As challenging as it may be for agencies to consume large volumes of disparate data, it is a challenge that is essential to overcome for agencies to make the best cyber risk management decisions.
Is this achievable? Absolutely. The business intelligence movement established the foundation allowing agencies to minimize risk exacerbated by ad-hoc decision-making. Leveraging business intelligence capabilities for cybersecurity enables agencies to aggregate data across technical and organizational stovepipes and to provide agency cybersecurity leaders with mechanisms for making informed, risk decisions. By better understanding the cyber landscape, federal cybersecurity leaders can - much like our speeding driver example - understand "how fast" to drive and make better investment decisions when addressing enterprise cybersecurity risks.
Your agency's cybersecurity marching orders may be changing. Former cyber czar Melissa Hathaway joined In Depth with Francis Rose with the latest analysis of bills in Congress that could change the nation's cybersecurity mandate. She tells Federal News Radio that it's down to two bills and one could have an impact on the role of CIOs.
DHS will oversee and provide assistance to civilian agencies to improve how they protect their computer networks. White House cyber coordinator Schmidt says the goal of the memo is to make sure agency roles and responsibilities are clear. Schmidt also calls for more valuable public-private partnerships.
More and more agencies are gearing up to deploy continuous monitoring as a means of complying with FISMA. What is it, and will it come to your agency soon?
VA plans on implementing software to monitor desktop computers every 24 hours. NASA is developing a concept of operations plan to move to real-time oversight. OMB mandated agencies know the status of their networks in real time by November.
Senator Joseph Lieberman thinks his cybersecurity bill will be the one to cross the finish line to the President's desk.
Senator Tom Carper tells Federal News Radio there is a lot of room for improvement.
With as many as 40 different cybersecurity bills in various stages of consideration on Capitol Hill, which one will make it to President Obama's desk? The chairman of one powerful Senate committee is betting his cybersecurity measure will win approval in the Senate, and eventually earn the President's signature before mid-summer.
Senate leaders pledge to pass a comprehensive cybersecurity bill this year. Sen. Lieberman promises a hearing and markup of the legislation before the end of June. Industry experts are concerned over the role DHS will play in regulating critical infrastructure.