The chief information officer of the Small Business Administration would like to see changes to the cybersecurity grading scale used to rate agencies’ IT management.
At an American Council for Technology and Industry Advisory Council event held July 31 at the Department of Agriculture, Maria Roat, the CIO of the Small Business Administration, said that she would like to see changes made to how agencies are graded on the cybersecurity scorecards of the Federal Information Technology Acquisition Reform Act, better known as FITARA.
Currently, agencies’ cybersecurity grades are evaluated by averaging an agency’s compliance with the Federal Information Security Management Act (FISMA) and the Office of Management and Budget’s cross-agency priority (CAP) goals.
“That is not representative of the cyber score,” Roat said.
Roat argued that she had great visibility into her cyber posture and that the current score did not reflect the security levels achieved by SBA. She said SBA has met six CAP goals and is on the “cusp of hitting seven.”
“I can see everything using cloud-based tools,” Roat said. “All of our cloud environment, all the way down to our mobile devices and desktops. I can see all of that and I have visibility. I know when someone is on foreign travel and they have not been approved and someone logs in somewhere from outside the U.S. ... and I can cut them off.”
Roat said SBA’s use of AI, data collection and overall visibility isn’t accurately captured based on how it’s currently measured.
“The FISMA score is just the FISMA score,” Roat said.
On the last FITARA scorecard, the Small Business Administration received a “D” grade on the cybersecurity section. But, recently, SBA has gained recognition for its digital transformation.
Gary Washington, the CIO of the USDA, agreed, saying he expects that cybersecurity reporting will be a big part of the “conversation” around FITARA changes over the next few years.
Despite frustrations with the current cyber scoring, the CIOs did praise the legislation for how it has changed governance within the departments.
“We’re on the same page on IT,” Washington said, talking about his relationship with his CFO, budget director and other C-suite officials.
When it became law, FITARA put agency CIOs in charge of their agencies’ IT investments. Roat said that it’s given her more say in the budget process.
“FITARA’s given the CIOs a seat at the table,” she said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.