
INDUSTRY INSIGHT

Real cyber hygiene depends on risk assessment, not compliance

Every Monday, the Department of Homeland Security’s US-CERT sends a Cyber Hygiene report card to 106 federal agencies, based on scans of their internet-facing systems. The report from the National Cybersecurity Assessments and Technical Services color codes the sites based on vulnerability -- from critical (red) to low (blue) -- and identifies vulnerabilities, such as unsupported systems or web services. In addition, NCATS offers a Risk and Vulnerability Assessment, a package of vulnerability scans, network mapping, phishing and penetration tests.

A tip of the white hat to US-CERT for tackling cybersecurity for the tangled and aging IT infrastructure behind issues like the Tax Day 2018 outage at the IRS, which was caused by the failure of an application with coding from the 1960s.

But it’s just a start. Handing an agency a list of color-coded vulnerabilities or compliance deficiencies still leaves it with a job to be done: real risk analysis so decision-makers know how to deploy their scarce budget dollars.

Looking through our FAIR cybersecurity risk analysis lens, the government’s cyber guardians should identify the assets at risk, the likely frequency of attacks on an annual basis and the monetary impact of ongoing attacks to get actionable insight into their current risks and to game out the relative effectiveness of potential controls. Currently, agencies get good visibility into cybersecurity risks, but bad prioritization.
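To make the FAIR-style analysis concrete, here is an added example (not from the article or from RiskLens) that turns min/most-likely/max estimates of annual loss event frequency and per-event loss magnitude into a simulated annualized loss exposure, then prices a candidate control by the expected loss it removes. Every figure below is a constructed estimate for one hypothetical internet-facing system, and the "control" is assumed to cut event frequency only.

```python
import math
import random
from statistics import mean, quantiles

# Constructed FAIR-style estimates (min, most likely, max) for one hypothetical
# internet-facing system; none of these figures come from the article.
BASELINE_LEF = (2, 6, 12)                      # loss events per year, today
CONTROLLED_LEF = (0.5, 2, 5)                   # after retiring unsupported services
LOSS_MAGNITUDE = (50_000, 200_000, 1_000_000)  # dollars lost per event
CONTROL_COST = 400_000                         # annual cost of the control (constructed)

def tri_mean(est):
    """Mean of a triangular distribution given (min, mode, max)."""
    return sum(est) / 3

def analytic_ale(lef, lm):
    """Expected annualized loss: E[events per year] * E[loss per event]."""
    return tri_mean(lef) * tri_mean(lm)

def draw_poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(lef, lm, years=20_000, seed=1):
    """Return one simulated total loss per year: Poisson event count at a
    triangular-drawn rate, each event costing a triangular-drawn amount."""
    rng = random.Random(seed)
    lo, mode, hi = lm
    annual = []
    for _ in range(years):
        rate = rng.triangular(lef[0], lef[2], lef[1])  # args: low, high, mode
        events = draw_poisson(rng, rate)
        annual.append(sum(rng.triangular(lo, hi, mode) for _ in range(events)))
    return annual

def summarize(annual):
    """ALE plus 10th/90th percentiles, so decision-makers see the spread."""
    deciles = quantiles(annual, n=10)
    return {"ale": mean(annual), "p10": deciles[0], "p90": deciles[8]}

def control_value(lef_before, lef_after, lm, cost):
    """Expected ALE reduction delivered by a control, net of its running cost."""
    before = summarize(simulate(lef_before, lm))["ale"]
    after = summarize(simulate(lef_after, lm))["ale"]
    return before - after - cost
```

Running `summarize(simulate(BASELINE_LEF, LOSS_MAGNITUDE))` gives the baseline exposure, and a positive `control_value(...)` means the control pays for itself in expected-loss terms; the same two calls, repeated per proposed control, produce the ranking that a color-coded vulnerability list alone cannot.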

There are signs the feds are moving in the right direction. Edward Brindley, the Defense Department’s principal director for cybersecurity, recently described DOD’s plans to upgrade its cyber hygiene program: “Scorecard version 2.0 will seek to shift our paradigm. Instead of maximizing our cybersecurity compliance, we will shift the focus to managing our cybersecurity risk.” This planned automated scorecard “will integrate new data based on cyber threats, impacts, likelihood and the current data about our vulnerabilities.”

Sounds FAIR-like. And if money talks, federal CIOs will be listening to the $100 million that the Technology Modernization Fund Board has to hand out right now. The board, established by the Modernizing Government Technology Act at the end of last year, will award funding to agencies based on how well they make a “strong business case” for their projects and propose “risk-based, and cost-effective information technology capabilities that address evolving threats to information security.” As an extra incentive to get their risk/controls analysis right, agencies have to repay the funds in five years.

About the Author

Nick Sanna is the CEO of RiskLens.
