Operational security drives mission results
What does cybersecurity operational “excellence” look like for federal agencies? Traditionally, cybersecurity has been a compliance-driven activity, with agencies focusing more on complying with regulations -- and showing they’ve done so -- than actually securing government from operational threats.
Today, the goal is to shift to operational security as the federal government works to modernize IT and improve efficiency. Modernization requires implementing cloud-based applications, but it adds complexity, making cybersecurity compliance even more onerous and confusing. Too often, agencies are left to make individual decisions based on their understanding of compliance as it relates to the cloud. For the mission areas, compliance is often viewed as an obstacle to go around, over or underneath.
The reality is that most agencies are good at compliance (because they’re forced to be), but they must begin to shift their focus to operational security. Against this backdrop, the Federal Risk and Authorization Management Program and the Continuous Diagnostics and Mitigation initiative give every agency the ability to significantly improve their security posture -- if they use them.
FedRAMP is reducing risk with a “certify once, use many” approach. Agencies take advantage of cloud applications and data in a known, certified, tested and accredited environment without having to take the certification steps themselves. By reducing risk and putting more consistent security controls in place across government, agencies can focus on securing the mission and achieving operational excellence -- the real goal for agencies implementing cloud technology.
The Department of Homeland Security's CDM program offers cyber capabilities “as a service” to agencies -- level-setting the tools agencies use, providing a holistic view of threats faced across government and reducing costs through volume acquisitions. And, most important, CDM provides clear steps to put operational security into action. The CDM program continues to evolve, and many believe agency performance will become part of a grading component for the House Oversight and Government Reform Committee’s Federal Information Technology Acquisition Reform Act scorecard.
Together, FedRAMP and CDM offer the opportunity to implement operational security and reduce cyberthreats. The challenge: adoption is too slow.
A December 2018 Government Accountability Office report that evaluated federal information security maturity found 17 of 23 inspectors general reported their agencies’ programs were not effectively implemented. Most of the 23 agencies had not fully implemented CDM Phase I and II tools and services. The report noted that until agencies “more effectively implement the government’s approach and strategy, federal systems will remain at risk.”
The point of compliance-focused legislation like the Federal Information Security Management Act was to focus agencies’ attention on developing and implementing a cyber program and proving that they did so. That goal has been achieved. Today, we need to shift our focus to operational security. This requires transformational change in how we think about both the network and cyber as we work to meet evolving federal missions -- leveraging the cloud to add services efficiently. It’s more than any single agency can track alone, and it's why the FedRAMP and CDM programs are so important.
Once an agency achieves the basics of operational security, compliance naturally follows. We are moving in the right direction. If agencies use the programs in place, we can collectively reduce cyber risks across government and implement modern solutions to drive operational excellence.
Stan Lowe is global chief information security officer for Zscaler.