ATD Blog

SafeGov Proposes New Model for Evaluating Cybersecurity

Tuesday, April 2, 2013

In the past 10 years, federal agencies have worked to improve the security of information and information systems. Despite the guidance of experts and millions of taxpayer dollars, federal information systems remain critically vulnerable to breaches and cyber-attacks. As government agencies fail to implement needed improvements to information security management, they continue to spend scarce resources on measures that do little to address the most significant cyber threats. 

A new report, “Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity,” from Safegov.org, in coordination with the National Academy of Public Administration, lays out a different approach for federal agencies to reduce risk: the Organization Cyber Risk Management Framework.

As part of its strategy for developing this framework, SafeGov engaged the National Academy of Public Administration to convene an expert panel of its Fellows to conduct an independent review. Based on its review, the Academy Panel believes that the cybersecurity evaluation framework developed by SafeGov.  

The Organization Cyber Risk Management Framework draws from the ongoing work of several federal agencies, including the National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Office of Management and Budget (OMB), Department of Energy (DOE), and the General Services Administration (GSA), and proposes the creation of an Organizational Cyber Risk Indicator.  

The Organizational Cyber Risk Indicator assesses the cyber risk posture of a government organization by aggregating the results of Inspectors General (IG) Federal Information Security Management Act (FISMA) evaluations into an established formula. By using this indicator, along with a more dynamic evaluation process, agencies will be better able to counteract existing vulnerabilities and improve overall risk management.  

This approach will strengthen the security of government information systems and improve the overall management of government resources by focusing scarce resources on the areas that pose the highest risks to agencies’ missions. 

Before implementing this approach, however, agencies must demonstrate the ability to operate and manage a cybersecurity and data protection baseline. This secure baseline includes:  


• critical security controls;

• automated continuous monitoring, diagnostics, and mitigation.

Cybersecurity can be thought of as analogous to basic health standards. Just as we understand the value of washing one’s hands, there are certain “hygiene” practices in cybersecurity that are critical to protecting against known vulnerabilities. In order to avoid radical and expensive measures (such as quarantining a vulnerable computer network), firms and agencies can protect themselves by adopting these baseline practices.


Recommendations outlined in the Executive Summary 

To better secure information and improve information security evaluations across government, the report team recommends OMB direct the following policy changes:  

  • IGs should adopt the enhanced risk management framework and submit a FISMA Evaluation Plan to OMB by no later than May 2013.
  • NIST should include the enhanced risk management framework, including the cyber risk indicator concept, to foster a more evidence-based and outcome-oriented approach to evaluating information risk management.
  • NIST, in coordination with DHS, should develop and incorporate a clear threat model as a part of the cybersecurity framework to build a foundation for risk management across agencies. This will allow agency leaders to better and more consistently discern what risks can or cannot be accepted.
  • IGs should prioritize their findings in accordance with the agency or department’s defined risk level and also distinguish between managerial and technical controls.
  • Agency Chief Information Officers (CIOs) should lead the effort to integrate the IG’s findings into overall department or agency strategic mission priorities, processes, and decisions.
  • GSA should expand the Federal Risk and Authorization Management Program (FedRAMP) beyond cloud services.

FISMA was designed to address and mitigate the cybersecurity threats facing Federal departments and agencies. However, because of shortcomings in the way FISMA has been implemented, existing policy has not always promoted the achievement of desired results. Current FISMA evaluation policies and processes do not, in sum, enhance our government’s cybersecurity posture.

To fix the problems of today without losing sight of the future, government should implement a more consistent method of evaluation, one which is measurable, transparent, and outcome-oriented. As long as policy guidance falls short and evaluation methods fail to assess which security and data protection mechanisms significantly reduce risk, government will continue to spend scarce taxpayer resources doing the wrong things.

Read more details on the new model in the article, “Report Prescribes Pathway for Cyber Reform Without Legislation.”

About the Author

The Association for Talent Development (ATD) is a professional membership organization supporting those who develop the knowledge and skills of employees in organizations around the world. The ATD Staff, along with a worldwide network of volunteers work to empower professionals to develop talent in the workplace.
