ATD Blog
SafeGov Proposes New Model for Evaluating Cybersecurity
Tue Apr 02 2013
In the past 10 years, federal agencies have worked to improve the security of information and information systems. Despite the guidance of experts and millions of taxpayer dollars, federal information systems remain critically vulnerable to breaches and cyber-attacks. As government agencies fail to implement needed improvements to information security management, they continue to spend scarce resources on measures that do little to address the most significant cyber threats.
A new report, “Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity,” from Safegov.org, in coordination with the National Academy of Public Administration, lays out a different approach for federal agencies to reduce risk: the Organization Cyber Risk Management Framework.
As part of its strategy for developing this framework, SafeGov engaged the National Academy of Public Administration to convene an expert panel of its Fellows to conduct an independent review. Based on its review, the Academy Panel believes that the cybersecurity evaluation framework developed by SafeGov.
The Organization Cyber Risk Management Framework draws from the ongoing work of several federal agencies, including the National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Office of Management and Budget (OMB), Department of Energy (DOE), and the General Services Administration (GSA), and proposes the creation of an Organizational Cyber Risk Indicator.
The Organizational Cyber Risk Indicator assesses the cyber risk posture of a government organization by aggregating the results of Inspectors General (IG) Federal Information Security Management Act (FISMA) evaluations into an established formula. By using this indicator, along with a more dynamic evaluation process, agencies will be better able to counteract existing vulnerabilities and improve overall risk management.
This approach will strengthen the security of government information systems and improve the overall management of government resources by focusing scarce resources on the areas that pose the highest risks to agencies’ missions.
Before implementing this approach, however, agencies must demonstrate the ability to operate and manage a cybersecurity and data protection baseline. This secure baseline includes:
• critical security controls
• automated continuous monitoring, diagnostics, and mitigation.
Cybersecurity can be thought of as analogous to basic health standards. Just as we understand the value of washing one’s hands, there are certain “hygiene” practices in cybersecurity that are critical to protecting against known vulnerabilities. In order to avoid radical and expensive measures (such as quarantining a vulnerable computer network), firms and agencies can protect themselves by adopting these baseline practices.
Recommendations outlined in the Executive Summary
To better secure information and improve information security evaluations across government, the report team recommends OMB direct the following policy changes:
IGs should adopt the enhanced risk management framework and submit a FISMA Evaluation Plan to OMB by no later than May 2013.
NIST should include the enhanced risk management framework, including the cyber risk indicator concept, to foster a more evidence-based and outcome-oriented approach to evaluating information risk management.
NIST, in coordination with DHS, should develop and incorporate a clear threat model as a part of the cybersecurity framework to build a foundation for risk management across agencies. This will allow agency leaders to better and more consistently discern what risks can or cannot be accepted.
IGs should prioritize their findings in accordance with the agency or department’s defined risk level and also distinguish between managerial and technical controls.
Agency Chief Information Officers (CIOs) should lead the effort to integrate the IG’s findings into overall department or agency strategic mission priorities, processes, and decisions.
GSA should expand the Federal Risk and Authorization Management Program (FedRAMP) program beyond cloud services.
FISMA was designed to address and mitigate the cybersecurity threats facing Federal departments and agencies. However, because of shortcomings in the way FISMA has been implemented, existing policy has not always promoted the achievement of desired results. Current FISMA evaluation policies and processes do not, in sum, enhance our government’s cybersecurity posture.
To fix the problems of today without losing sight of the future, government should implement a more consistent method of evaluation--one which is measurable, transparent, and outcome-oriented. As long as policy guidance falls short and evaluation methods fail to assess what security and data protection mechanisms significantly reduce risk, government will continue to spend scarce taxpayer resources doing the wrong things.
Read more details on the new model in the article, “Report Prescribes Pathway for Cyber Reform Without Legislation.”