Governance and Accountability:
Establish an outcome-focused Governance Framework that covers all aspects of the enterprise, resulting in effective direction-setting, decision-making, oversight, transparency, and accountability. For example, fully execute and enforce the Federal Information Security Management Act (FISMA) as contemplated in the authorizing legislation and seek legislative reform where necessary.
Escalate security from merely an IT concern to a business risk concern, providing independence and enabling security decision-making and implementation. For example, make permanent a central Administration role, with appropriate authorities and budgetary controls, to direct and oversee cyber activities across the government, including leadership of a cybersecurity “council” for interagency coordination; separate agency Chief Information Security Officer (CISO) functions from Chief Information Officer (CIO) functions; establish a mechanism to escalate agency CISO security concerns directly to the department or agency head or central cyber function for adjudication as appropriate.
Provide for the escalation of risk-based decisions through senior leadership if critical security recommendations are rejected by owners of business lines or applications, ensuring critical security decisions are not made in isolation. For example, decisions to keep critical systems available while overriding security recommendations should no longer be routinely deferred exclusively to network, system, or application managers.
Adopt approaches that emphasize cross-organizational collaboration, transparency, accountability, and integration, thereby reducing costs, minimizing operational risks, and driving continuous improvement. For example, institute or adopt the security development lifecycle, NIST guidance and directives, international standards, and the DevOps method across agency operations, security, and development teams.
Align the investments of network and security entities that often buy overlapping technology in isolation from each other, resulting in coordinated and consistent approaches across an organization. For example, implement the recently passed Federal IT Acquisition Reform Act (FITARA) and FISMA reform legislation to support the empowerment of CIOs and CISOs within agencies, and align risk management among the disparate groups that purchase cybersecurity tools within agencies.