Provide for the escalation of risk-based decisions through senior leadership if critical security recommendations are rejected by owners of business lines or applications, ensuring critical security decisions are not made in isolation. For example, decisions to keep critical systems available while overriding security recommendations should no longer be routinely deferred exclusively to network, system, or application managers. Significant residual risks should be elevated to ensure residual risks are recognized and accepted at the highest levels within the Department/Agency and Gov’t overall where they might impact overall gov’t or others.
Establish a RACI-type (responsible, accountable, consulted, informed) chart for the overall federal government and each department and agency that clearly identifies roles, responsibilities, and accountabilities for cybersecurity; publish and communicate with all shareholders (see people recommendation above) across the organizations; and maintain and enforce the RACI assignments (title and name where possible encourages ownership).
Hold all personnel at all levels accountable for complying with security policies and fulfilling assigned cybersecurity roles and responsibilities; ensure this accountability is in job descriptions, personnel evaluations, vendor contracts, performance objectives, etc., with appropriate incentives and dis-incentives
Make information security a core part of organizational culture, ensuring greater awareness and better computing practices. For example, information security training should be mandatory for all government employees and contractors and information security performance should be an item in performance reviews.