Report prescribes pathway for FISMA reform, no legislation necessary

From: FederalNewsRadio.com 1500AM

By Jared Serbu

In federal information technology circles, it has become a truism that agencies spend far too much time and effort on paperwork in pursuit of cybersecurity, and not nearly enough on continuously monitoring their systems and applying best practices in real time so that those systems are actually better secured than they were the day before. A new report offers a roadmap for measuring cybersecurity outcomes rather than just processes, while recognizing that no two agencies have exactly the same risk profile.

The report, released Tuesday by the group Safegov.org in coordination with the National Academy of Public Administration, does not include a call for new legislation. Instead, it proposes that agencies revamp their approach to compliance with the existing Federal Information Security Management Act. Rather than periodically auditing whether an agency’s systems meet the standards enumerated in FISMA at a static moment in time, agencies and their inspectors general should keep running scorecards of “cyber risk indicators” based on continual IG assessments of a federal organization’s cyber vulnerabilities, the authors concluded.

“It would be one way to signal the cyber health of an organization, meaning the capabilities, the processes and the way they’re able to identify threats and vulnerabilities in a timely manner,” Julie Anderson, the chief operating officer of Civitas and a co-author of the report, said in an interview. “It also looks at the state of their workforce, their skill sets, and any upscaling or human capital investment that’s needed. It’s intended to be a comprehensive way to understand the health of the cybersecurity within an organization.”
