White House mandated risk management reports show mapping of threat to capability to investment

After the breach suffered by the Office of Personnel Management in 2015, the mindset of agencies was to protect every bit of data going forward.

But as they started to peel back the layers of what data they had and where it lived, agencies now are taking a more measured approach to data protection.

Ross Nodurft, the vice president of risk management at One World Identity and the former Office of Management and Budget unit chief for the cyber and national security unit, said the change in administration provided a good opportunity for agencies to reflect on their approach to protecting data.

“Between this administration and the last administration there was a delta. We have new leadership coming in and that creates a huge opportunity space to really think hard about what data we have and what data we need to do our mission in an effective way,” Nodurft said in an exit interview on Ask the CIO. “It’s actually been a very good thing to have that stop and start point with the new administration, because it’s allowed for those conversations to go further, faster.”

Nodurft said agencies have been focusing on their most critical data assets, commonly known as high value data assets in the post-OPM cyber world.

“We can’t protect everything all the time, so by doing a fulsome assessment of what data you have and what protections they need, whether it’s encryption or segmentation, or even how comfortable you feel having things out there,” he said. “We need to continue to assess what data is important and what data isn’t important. What data can be released publicly and kept using certain controls at a lower risk level as opposed to other controls. This is an important demarcation point to efficiently do cybersecurity.”

What Nodurft is really talking about is the continued and more rigorous application of risk management across the government.

Nodurft, who played a key role in developing the revamped Office of Management and Budget Circular A-130 to include risk management, said between the circular, President Donald Trump’s cyber executive order from May, updated publications from the National Institute of Standards and Technology and several other activities, agencies will only find success with cybersecurity through the use of risk management approaches.

Before Nodurft left OMB in December, agencies had submitted the initial assessments of their risk management efforts to OMB and the Homeland Security Department.

“This was a big step forward,” he said. “The risk management posturing that agencies had done before had been all over the map. This created a very concise way of mapping threat to capability to investment. It allowed agencies that had been using FISMA metrics to track and assess their own risks to then map that to the current threat environment that we are seeing on a day-to-day basis. Because we have some of the information that we do from the national security space, we are able to take some of those threats and put them on top of specific capabilities that CIOs and CISOs should be investing in to lower their risk scores. It’s a maturity model that is being standardized across the civilian agencies and that will allow the government to start comparing apples-to-apples across the agencies for the first time.”

OMB also is working closely with the inspector general community to ensure auditors, CIOs, DHS and OMB are on the same page as they determine an agency’s cyber posture.

Nodurft said his initial review of the risk management assessments, generally speaking, showed nothing surprising as agencies and OMB have been reviewing risk metrics for the last few years.

“Agencies are improving their risk postures,” he said. “The interesting piece that was in the risk report for the first time was the mapping and overlay of the threat landscape. The threats, in and of themselves, were not surprising, but it was nice to see the alignments between some of the investments that CIOs and CISOs have made with the specific threats. We never had the whole picture before, and being able to see them being laid on top of each other made us actually feel better about our posture as a federal government than we had anticipated, frankly. We saw some of these investments that people have been making were in areas that were most targeted. A lot of that has to do with some of the work we had done to really shore up the basics.”

Doing those basics of cyber hygiene is partly why having a Federal Chief Information Security Officer remains a key role in government. The Trump administration hasn’t made clear if it plans to fill the role first created by the Obama administration.

“There is value to continuing to highlight the need for security professionals at the highest levels and to keep bringing that conversation to the masses,” he said. “I think the acting federal CISO [Grant Schneider] right now is doing a phenomenal job of raising that and bridging the gap between what’s happening in the national security space and what’s happening at departments and agencies who are defending. What’s really important is that nexus between national security and defense at federal civilian agencies, and I think a federal CISO can help.”

In addition to the federal CISO, the federal CISO Council continues to make an impact with monthly meetings.

Nodurft said the council gives CISOs a much-needed forum to discuss challenges, policy issues and other topical issues in a way they previously hadn’t been able to.

Nodurft said his experience on Capitol Hill and then with OMB highlighted the need for agencies to continue improving their cyber posture by focusing on three areas:

  • Understanding the role of identity in ensuring security. The identity, credential and access management efforts, and digging into what identity actually does, are extremely important.
  • Continuing to shift the focus to risk mitigation and strong data management practices. The next step of having a good data governance policy in place will yield results and inform other efforts.
  • Continuing efforts to modernize federal IT. “We need to figure out where to spend the dollars we have, and by focusing on the first two … we will be able to invest strategically in the modernization that needs to happen,” he said.