(Regular print indicates supported ITAPS recommendations made in response to the questions; flagged items are expanded recommendations that more explicitly address questions not directly addressed by ITAPS; ITAPS participated in and collaborated with the OMB-OPM-NSC Task Force.)
How can we sustain executive-level attention to this critical issue, and institutionalize cyber as an on-going component of agency risk management practices, not just a side-bar activity?
The U.S. government must make dramatic and significant changes to secure government networks and the critical information and functions they support. The federal government must declare the protection of those systems and the information residing on or traversing them a national priority and then act boldly, favoring speed and agility over adherence to legacy policies.
Escalate security from merely an IT concern to a business risk concern, providing independence and enabling security decision-making and implementation. For example, make permanent a central Administration role, with appropriate authorities and budgetary controls, to direct and oversee cyber activities across the government, including leadership of a cybersecurity “council” for interagency coordination; separate agency Chief Information Security Officer (CISO) functions from Chief Information Officer (CIO) functions; establish a mechanism to escalate agency CISO security concerns directly to the department or agency head or central cyber function for adjudication as appropriate.
Determine criticality and vulnerability of systems and data and prioritize accordingly to achieve an effective, risk-based approach to protecting systems. For example, using current NIST directives and controls, immediately conduct an independent operational risk assessment of all U.S. government infrastructure, applications, and data to determine highest risk across the government and subsequently prioritize and appropriately resource remediation with specific completion dates, and track to expedite closure.
Establish an outcome-focused Governance Framework that covers all aspects of the enterprise, resulting in effective direction-setting, decision-making, oversight, transparency, and accountability. For example, fully execute and enforce the Federal Information Security Management Act (FISMA) as contemplated in the authorizing legislation and seek legislative reform where necessary.
Establish a Cyber Governance Framework for the federal government as a whole, with compliant department- and agency-level frameworks to follow, that ensures objective assessment of current cyber risks, sets direction across the government, prioritizes remediation efforts and resource allocation, enhances information sharing, assigns management responsibilities for execution, and establishes tracking and oversight.
The governance review process should ensure: 1) that the Cyber Governance Framework is established and maintained; 2) that benefits and value are delivered; 3) that risks are minimized; 4) that resources (e.g., people, funds, tools, processes) are optimized; and 5) that stakeholder and management transparency is maintained.