A group of former federal information technology executives is calling on the administration to change the way it assesses the cybersecurity of federal networks.
Currently, federal auditors — typically inspectors general — measure federal cybersecurity by answering a checklist of questions that often do not reflect their agencies’ most critical security needs.
But three former federal IT officials issued a new report Tuesday calling on auditors to measure how well agencies reduce their security risks.
Among those urging changes are: Frank Reeder, a former chief of information policy at the Office of Management and Budget; Julie Anderson, a former acting assistant secretary at the Veterans Affairs Department; and Karen Evans, the former e-government and IT administrator at OMB.
Earl Devaney, a former Interior Department inspector general, also weighed in on the report.
“Every year our auditors would dutifully work their way through a lengthy checklist, and we thought we were really stepping way out of the box when we did some limited penetration testing” for security vulnerabilities, Devaney said Tuesday at a Washington event marking the release of the report. “Frankly, we were measuring what didn’t matter.”
The former officials are urging IGs and federal chief information officers to assess their agencies’ cybersecurity based on common standards and methodologies. But many agree that won’t happen without explicit guidance from OMB.
The report calls on IGs to evaluate their agencies’ cybersecurity based on things such as whether agencies are continuously monitoring their information systems for security risks and prioritizing security requirements that must be met to improve security and protect critical data.
“We’re advocating that they do this sooner rather than later,” said Anderson, now a consultant at Civitas Group.
Anderson said the report’s release was meant to coincide with OMB’s current development of fiscal 2014 guidance for conducting security reviews, which is expected this spring.
Obama administration officials have reviewed the report but have not said to what extent it will influence cybersecurity reporting.
The report appears to have some support within the Obama administration.
Andy Ozment, a senior director for cybersecurity at the White House, generally agreed with the report’s findings.
Agencies want “fewer metrics but … better metrics,” Ozment said. “Rather than a world of metrics that we collect annually, or at best quarterly, let’s have fewer metrics that we can collect continuously that can notify us if we’ve got something going wrong.”
The administration has already been pressing agencies to invest in tools that would allow them to continuously monitor their cybersecurity, which is a centerpiece of the report’s recommendations.
The report recommends that the IGs’ cybersecurity assessments influence IT investment planning and budgeting.
“This really should be a series of meaningful measures and findings that the CIO wants to use almost as an independent check of where his or her vulnerabilities are,” Anderson said.
The report, called “Measuring What Matters: Reducing Risk By Rethinking How We Evaluate Cybersecurity,” calls on:
IGs to prioritize their security audit findings to align with the agency’s greatest security needs. By May, they should develop an evaluation plan outlining how they are measuring security.
CIOs to integrate IG findings into the agency’s strategic planning and decision-making.
The General Services Administration to expand its program to certify the security of commercial cloud computing services. The program is called the Federal Risk and Authorization Management Program (FedRAMP). The report proposes that the program’s independent security auditors evaluate the cybersecurity of federal IT systems and networks on behalf of the IGs.