FEMA's secret weapon for risk management

When agencies tackle IT modernization projects, ensuring security and managing risk are central concerns. There are multiple federal standards to meet and an ever-growing array of technologies that might better defend and monitor a new system.

For Federal Emergency Management Agency CIO Adrian Gardner, however, one of the most important tools is remarkably analog: He convenes a signing party.

"As a CIO you accept a lot of risk," Gardner said at the Feb. 8 Government of the Future event produced by FedScoop. But by bringing together key stakeholders, he said, it's possible to both share and better manage that risk.

Before authorizing a new system, Gardner explained, "I need the … information systems security officer present. I need the information system owner present. And then I also created another role called the designated authorizing official," borrowing the idea from the Department of Defense.

That DAO is "the actual program lead," he said, and "has 49 percent of the risk acceptance. I retain 51 percent, because I'm the CIO."

The exact allocation of responsibility, Gardner argued, is less important than the discussion about what the risks truly are and how much is acceptable for that project. "The thing is to have that dialogue about risk in real time when you're authorizing that system," he said. "A lot of times [the Federal Information Security Management Act-mandated Authority to Operate] was a paperwork drill, where we didn't have a real conversation about the risks."

Department of Agriculture CIO Jonathan Alboum, who spoke on the panel with Gardner, agreed that it's easy to fall into the trap of treating the ATO as a box to be checked. CIOs and other IT leaders must use that process to "pull it up to more comprehensive conversations."

"We all understand the ATO process pretty well at this point," he said. "It's a good place to start the conversation … and then it's our responsibility to push that risk management team further."

And since risk can never be eliminated entirely, Gardner said, "you have to have a conversation with your most senior leadership and get a good sense of what is their risk appetite. Because when you lose lock on that, that's when bad things happen."

About the Author

Troy K. Schneider is editor-in-chief of FCW and GCN.

Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of NationalJournal.com, Schneider also helped launch the political site PoliticsNow.com in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times, WashingtonPost.com, Slate, Politico, National Journal, Governing, and many of the other titles listed above.

Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.
