The federal government’s top IT security official praised agencies Sept. 19 for improving their cybersecurity postures in recent years but said it’s time the federal government provided new options for federal modernization.

Federal chief information security officer Grant Schneider, speaking at the Cybersecurity and Infrastructure Security Agency (CISA) summit, said that he’s excited to see agency improvement on the modernization and cybersecurity front.

“We’ve come a long way with agencies, four or five years ago, where we were just starting to get leadership’s attention on this thing called ‘cyber,’” Schneider said. “We’ve got leadership’s attention and now we’re all able, between CISA and [the Office of Management and Budget] and [the National Institute of Standards and Technology] ... to focus on the implementation and adoption of the policies and directives we’ve put out there.”

The federal government has tracked agency modernization through the Federal Information Technology Acquisition Reform Act, or FITARA, which scores 24 agencies’ progress on several modernization categories.

“We’re able to hold agencies accountable, or at least highlight where they’re at on metrics, and really get a lot of the basic stuff done and done well,” Schneider said.

The report also scores agencies’ cybersecurity through the Federal Information Security Management Act. On the last scorecard, 12 of 23 civilian agencies received a “C” grade or below on the FISMA score. However, some agency leaders take issue with how the FISMA category is calculated, saying it doesn’t account for the full visibility they have into their network.

Schneider said that moving forward on FITARA and FISMA scores, agencies still need to transition away from their legacy systems. But he also said that presents challenges of its own and provides an opportunity to get out from under work they don’t necessarily have to do themselves.

“We don’t want to build the next decade’s legacy system tomorrow,” Schneider said. “We instead want to move to shared services and try to get agencies out of the business of doing some things that they need not be in the business of [doing].”