How agencies can comply with the cyber executive order
- By Thomas Jones
- Aug 23, 2017
For federal agencies, collecting and reporting cybersecurity metrics is nothing new. Under the Federal Information Security Modernization Act, agencies must collect and report technology-focused cybersecurity information every year. However, a notable change is here. Under President Donald Trump’s recently signed cybersecurity executive order, agencies now must collect and report metrics with an eye towards risk management.
In the past, agencies collected metrics about the bits and bytes of their cyber environment, but now they must report metrics on their compliance with past mandates and security practices. The order also requires agencies to assign an executive to submit the metrics to the Department of Homeland Security, which will then input them into a risk analysis system. In return, agencies will receive a cyber risk scorecard that includes gaps to mitigate.
The changes are a positive step. They align the FISMA reporting requirements with a risk management approach to cybersecurity and up the ante on accountability.
However, for many agencies, implementation may be a challenge. To collect the metrics, security teams must understand their most valuable applications, the systems on which they reside, the consequences for the mission if the data in those applications is destroyed, stolen or made publicly available (that is, a loss of availability, confidentiality or integrity), and other contextual information such as who uses them and how they are exposed. They must also understand the full scope of federal cybersecurity requirements as they relate to every IT asset in their environment.
Today, many agencies do not have this overall understanding of their assets, and they lack funding to purchase technologies and resources to help them gain that insight. Plus, in the past, there has been no real penalty for not reporting the right metrics, dulling the teeth of the requirement altogether.
To overcome these challenges, agencies must shift their cybersecurity strategy from a technology-based approach to one focused on risk. Instead of focusing primarily on how many firewalls are in place, the number of vulnerabilities patched or the number of misconfigured security controls, agencies should first identify the applications that, if compromised, could most impact the mission, understand who interacts with those assets and mitigate vulnerabilities within those assets immediately. Not every vulnerability needs to be patched with the same urgency, nor every threat mitigated as though the mission depended on it; but when the mission does depend on it, both the resources and the urgency need to be there to get the job done.
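The shift described above can be made concrete with a small prioritization script. The following is an added example, not code from the article or from any agency or DHS tool: the three assets, the three findings, the objective weights and the exposure, exploit and SLA multipliers are all constructed assumptions, not an official FISMA or DHS formula. It shows how the same scanner output is ordered one way by raw CVSS score and a different way once each finding is weighted by the mission impact of the asset it sits on.

```python
"""Added example, not from the article: rank findings by mission risk rather
than by raw severity. Assets, findings and scoring weights are constructed for
illustration; none is an official FISMA or DHS formula."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    # Mission impact of losing each security objective, 1 (low) to 5 (critical),
    # in the spirit of a FIPS 199 categorization (constructed values).
    confidentiality: int
    integrity: int
    availability: int
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str         # constructed label, not a real vulnerability identifier
    cvss: float        # base score as a scanner would report it
    objective: str     # objective most directly threatened: "C", "I" or "A"
    exploit_public: bool


# Constructed inventory: one crown-jewel system, one public site, one sandbox.
ASSETS = {
    "benefits-claims-db": Asset("benefits-claims-db", 5, 5, 4, False),
    "public-website": Asset("public-website", 1, 3, 3, True),
    "dev-sandbox": Asset("dev-sandbox", 1, 1, 1, False),
}

# Constructed scanner output: the highest CVSS score sits on the least important box.
FINDINGS = [
    Finding("dev-sandbox", "kernel privilege escalation", 9.8, "C", True),
    Finding("public-website", "CMS denial of service", 8.8, "A", False),
    Finding("benefits-claims-db", "SQL injection in claims API", 7.5, "C", True),
]

EXPOSURE_MULTIPLIER = 1.5   # assumed: reachable from the internet
EXPLOIT_MULTIPLIER = 1.3    # assumed: working public exploit exists


def mission_weight(asset: Asset, objective: str) -> int:
    """Impact of losing the named objective on this asset."""
    return {"C": asset.confidentiality,
            "I": asset.integrity,
            "A": asset.availability}[objective]


def risk_score(f: Finding, assets=ASSETS) -> float:
    """Mission-weighted risk: severity x consequence x exposure x exploitability."""
    asset = assets[f.asset]
    score = (f.cvss / 10.0) * mission_weight(asset, f.objective)
    if asset.internet_facing:
        score *= EXPOSURE_MULTIPLIER
    if f.exploit_public:
        score *= EXPLOIT_MULTIPLIER
    return round(score, 3)


def by_severity(findings=FINDINGS) -> List[str]:
    """The technology-based order: highest CVSS first, asset ignored."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_mission_risk(findings=FINDINGS) -> List[Tuple[str, float]]:
    """The risk-based order: the crown jewels float to the top."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, risk_score(f)) for f in ranked]


def remediation_tier(score: float) -> str:
    """Assumed SLA buckets; an agency would set these from its own risk appetite."""
    if score >= 4.0:
        return "immediate"
    if score >= 2.0:
        return "30 days"
    return "next patch cycle"


if __name__ == "__main__":
    print("by severity:", by_severity())
    for asset, score in by_mission_risk():
        print(f"by mission risk: {asset:20s} {score:5.2f} -> {remediation_tier(score)}")
```

With these constructed inputs the sandbox's 9.8 leads the severity list but lands in the next patch cycle, while the 7.5 on the claims database, which holds the most sensitive data and has a public exploit, becomes the immediate fix. The multipliers are deliberately simple; the point is that the asset's mission value enters the ranking at all, which a vulnerability count never captures.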
By dedicating their limited resources to those assets that matter most, agencies can easily align the fiscal year 2017 FISMA CIO metrics with risk, comply with the executive order and, most importantly, minimize their risk of falling victim to an attack or breach.
At the end of the day, agencies should be approaching cybersecurity from a risk-based point of view whether it's required or not. As we have learned from the continuous stream of government-specific breaches, at some point a bad actor will penetrate an agency's network, so security teams should focus on minimizing the damage. If an attacker inside the environment can be contained or stopped from leaving with the crown jewels, the agency's loss will be reduced. And that's precisely why an asset-centric, risk-based approach works best.