U.S. officials are finally starting to get the real-time situational awareness cybersecurity data they need to make risk management decisions about their networks, a federal advisory panel was told Wednesday.
But much of the news isn’t good, and the way decisions are handled can have a big impact on the effectiveness of government-wide efforts like the Department of Homeland Security’s Continuous Diagnostics and Monitoring program, officials said.
The report on agency risk — one of two required by President Donald Trump’s executive order on cybersecurity — has been submitted to the president, NIST’s Information Security and Privacy Advisory Board was told.
The report on IT modernization was being finalized for submission after an analysis on the report’s public comments, Joshua Moses, from the office of the federal CIO, said.
Moses said officials were keen to leverage the EO’s authorities in order to improve measurability and accountability related to agencies’ risk management and cybersecurity posture in the long term.
“The ask from OMB … is how do we have an enduring process” to extend their authorities over governmentwide cybersecurity, he said.
“Our regular metrics collection process and oversight process [under the 2014 Federal Information Security Modernization Act or FISMA] has doubled down on the work of the EO,” he explained, incorporating the risk reporting into its regular data collection schedule.
But some officials cautioned that the risk report, if made public, might make it harder for officials running government-wide programs to get the cooperation they need.
“This report is a pretty difficult report, because you’re trying to characterize risk across departments and agencies of every shape and size,” the Department of Homeland Security’s Laura Delaney, an ISPAB board member, said.
“There’s going to be a lot of soundbites” from it, she predicted.
But just because a report cited numbers didn’t mean it was accurate or exact, she cautioned.
“You have lots of numbers, here’s how many times this has happened, or this is how many times we saw ‘X’ and the reality is those numbers don’t mean a whole lot, especially when you’re talking about risk,” she said.
Moreover, a report which ended up picking winners and losers — like the old-style FISMA scorecards did — left the losers sore.
“There will be people on the bottom … It’s really difficult to walk into an agency the day after a report like that comes out and say ‘we want to help you,’” said Delaney, deputy director of the network security deployment office at DHS, which runs the department’s government-wide cyber programs.
There was a natural tension, she explained, between being an enabler or helper and being an assessor, especially one whose assessments are made public, or even just widely circulated inside the government.
“You really do change the dynamic of an engagement when you are reporting publicly on the risk posture of an agency,” she added.
Moses pointed out that the latest FISMA report had eschewed the scorecard approach for one which allowed agencies to present their own data and offered government-wide policy solutions for widespread problems.
Delaney added that there would be more of that kind of context-driven presentation of data once the department’s CDM program was online.
Government cybersecurity assessments, she said, would “change from a point in time … good or bad … to more of a trending — how we have seen risk posture and risk acceptance change over time in an agency. Because we will have that [dynamic] data,” she said.
For instance, rather than a snapshot of an agency’s vulnerability or posture at one point in time, you would have “a day by day reflection of how quickly we’re able to mitigate risk” by, for example, responding to a report of a new exploit.