Perhaps an alternative is providing prioritization for allocation of existing funds (this mandate is #1, then this exec order, etc.).
With the "public" availability of such a list, audit should become more effective, ...
Practice response to cyber threats as part of overall emergency response capacity to build resiliency.
Create a self-audit checklist that agencies could use on a regular basis to assess themselves on fundamental security capabilities. It would be risk-profile-based for each agency. Addresses the problem of just having this done by auditors (GAO/IG) or consultants. Keeps attention and resources needed to close weaknesses and vulnerabilities.
Note: FCC is an example.
With the continued and growing dependence of the government on commercially provided IT services, what changes are needed to government acquisition policies and practices...
All incidents, exercises, and general activities offer opportunities to learn and improve planning....
How can agencies effectively address current time lags with detection of and response to vulnerabilities and threats that will significantly compress breach-to-detection-to-response...
How can agencies sharpen focus on vulnerabilities created by (or exposed by) uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber?
[Non-ITAPS]...
Establish an outcome-focused Governance Framework that covers all aspects of the enterprise, resulting in effective direction-setting, decision-making, oversight, transparency, and accountability. For example, fully execute and enforce the Federal Information Security Management Act (FISMA) as contemplated in the authorizing legislation and seek legislative reform where necessary.
Escalate...