Landmark CSIS Paper Released: Updating U.S. Federal Cybersecurity Policy and Guidance

Editor’s Note: The Center for Strategic and International Studies’ paper “Updating U.S. Federal Cybersecurity Policy and Guidance” by Franklin S. Reeder, Daniel Chenok, Karen S. Evans, James A. Lewis, and Alan Paller is attached here. The must-read analysis, subtitled “Spending Scarce Taxpayer Dollars On Security Programs That Work,” calls for a long-overdue revision to OMB Circular A-130, which governs federal information security policy.

The document’s conclusion “that the administration, and OMB in particular, have ample legal authority to adopt reforms that would materially reduce risk and enhance response for systems operated by or on behalf of the federal government” is consistent with CRE’s view that OMB may already have the authority to implement critical infrastructure protection regulations. The paper’s emphasis on spending cybersecurity dollars wisely is consistent with CRE’s emphatic point that cost-effectiveness is critical to making cybersecurity regulation work.

With respect to continuous monitoring, the paper states:

Our most important recommendation involves continuous monitoring of network operations. We deem this to be critical to any policy update to ensure that federal cybersecurity programs address the highest risk areas and prevent wasteful duplication of effort. Government security experts have told us that the current regime of periodic reports and certifications requires them to spend tens of millions of dollars on reports and processes that do little to enhance security. Agencies can better implement continuous monitoring through work led by chief information officers (CIOs) and chief information security officers (CISOs). This report suggests ways that OMB Circular A-130, “Management of Federal Information Resources,” can be revised to enhance these activities through OMB and Department of Homeland Security (DHS) actions.

Read, Updating U.S. Federal Cybersecurity Policy and Guidance:  Spending Scarce Taxpayer Dollars On Security Programs That Work
