In federal information technology circles, it’s become a truism that agencies spend way too much time and effort doing paperwork in pursuit of cybersecurity, and not nearly enough time watching over systems and implementing best practices to make sure those systems are better secured than they were the day before.
A new report offers a roadmap that purports to offer ways to measure cybersecurity outcomes rather than just processes, while recognizing that no two agencies have the exact same risk profile.
The report, released Tuesday by Safegov.org, in coordination with the National Academy of Public Administration, does not include a call for new legislation. Instead, it proposes agencies revamp their approach to compliance with the existing Federal Information Security Management Act. Rather than periodically auditing whether an agency’s systems meet the standards enumerated in FISMA at a static moment in time, agencies and their inspectors general should keep running scorecards of “cyber risk indicators” based on continual IG assessments of a federal organization’s cyber vulnerabilities, the authors concluded.
“It would be one way to signal the cyber health of an organization, meaning the capabilities, the processes and the way they’re able to identify threats and vulnerabilities in a timely manner,” Julie Anderson, the chief operating officer of Civitas and a co-author of the report, said in an interview. “It also looks at the state of their workforce, their skill sets, and any upscaling or human capital investment that’s needed. It’s intended to be a comprehensive way to understand the health of the cybersecurity within an organization.”
The approach relies, in part, on a redefined role for agency inspectors general, who currently assess their agency’s systems once a year in order to determine whether they comply with FISMA’s cybersecurity dictates. The report’s authors imagine a more cooperative relationship between CIOs and IGs, and believe that not only should agencies themselves be continuously monitoring their systems to seek out cyber vulnerabilities, but IGs should themselves be continuously assessing whether their agency is actually measuring potential vulnerabilities and responding to them in real time.
“A one-time per year evaluation is not going to produce information that’s useful to a chief information officer or a chief security officer in order to make meaningful improvements,” Anderson said. “That evaluation should occur on a real-time basis to identify those vulnerabilities, and then share that information with the CIO so the vulnerabilities can be addressed.”
The report was timed to coincide with the beginnings of the implementation of the cybersecurity executive order that President Barack Obama signed on Feb. 12, and with the annual FISMA implementation guidance the Office of Management and Budget is currently developing. Anderson said the authors hope to influence both processes.
The report recommends that OMB issue several mandates to agencies. Among them:
Inspectors general should adopt the report’s approach to evaluating cybersecurity risks and come up with a new FISMA evaluation plan for their agency no later than May.
The National Institute of Standards and Technology and the Department of Homeland Security should work together to develop cyber “threat models” that agency CIOs can use in order to prioritize which cyber risks are critical to mitigate and which can be accepted.
IGs should prioritize their oversight plans and reporting in accordance with their agency’s risk level.
CIOs should make sure their inspector general’s findings on cybersecurity risk get translated into action at the top management level of the agency or department.
Anderson said the report was completed only after the authors consulted extensively with cybersecurity officials across government and aims to build on several efforts that are already underway.
Among them is the Department of Homeland Security’s continuous diagnostics and mitigation program, which DHS intends to roll out across the entire “dot-gov” domain later this year through a process in which vendors will offer agencies continuous monitoring as a managed service.
“That’s a very important process. It’s data that can be shared with an IG. It could also be an input to a cyber risk indicator when we think about the various types of measures that could be used to develop an index,” she said.
As another example, Anderson said, the steps federal agencies have already taken to improve and expedite cloud computing services through the FedRAMP program should be leveraged in other information technology domains and used by inspectors general.
“This is the first program of its kind, in that it has certified outside providers that would conduct a very stringent set of tests on behalf of the government,” she said. “We think that’s a leading practice that could be built upon because of the specialized skill sets, the human capital and even the organizational capabilities that are in place now because of the investment that GSA has made and the training that’s been done there. IGs could have that resource and tap into those third-party providers to help them conduct the FISMA compliance evaluation. It’s much like the way the IGs already outsource their financial audits to a major accounting firm, but it would be a third-party provider that has already been blessed by GSA.”