Risk assessment and automated monitoring are keys to federal cybersecurity, report says
Agencies must establish a unique baseline threat assessment and automate monitoring to ensure good cybersecurity, says a SafeGov report (.pdf) released Tuesday.
SafeGov proposes two instruments for doing so: a risk management framework and a risk indicator.
The Organization Cyber Risk Management Framework, developed by SafeGov, links the central features of a cybersecurity strategy, including agency threat assessments and recommendations from inspector general (IG) information security evaluations, to agency cybersecurity management.
The Organizational Cyber Risk Indicator, also developed by SafeGov, assesses the cyber risk of a government organization by aggregating the results of auditors' Federal Information Security Management Act (FISMA) evaluations into a single score via a formula.
SafeGov recommended six steps to shore up cybersecurity using the framework and indicator:
- Inspectors general should adopt the enhanced risk management framework and submit a FISMA evaluation plan to the Office of Management and Budget by no later than May 2013.
- The National Institute of Standards and Technology should incorporate the enhanced risk management framework, including the cyber risk indicator concept, into its cybersecurity framework to foster a more evidence-based and outcome-oriented approach to evaluating information risk management.
- NIST, in coordination with the Homeland Security Department, should develop and incorporate a clear threat model as part of the cybersecurity framework to build a foundation for risk management across agencies. This will allow agency leaders to discern better and more consistently which risks can and cannot be accepted.
- IGs should prioritize their findings in accordance with the agency or department's defined risk level and should also distinguish between managerial and technical controls.
- Agency chief information officers should lead the effort to integrate the IG's findings into overall department or agency strategic mission priorities, processes, and decisions; and,
- The General Services Administration should expand the Federal Risk and Authorization Management Program (FedRAMP) beyond cloud services.
Different agencies face different threat levels and need to tailor their cybersecurity to their own needs, according to the report.
"Only by defining organizational mission priorities, known threats and critical assets can agencies determine their desired risk profile and the appropriate controls required to address those threats," the report said.
The report also recommends creating an internal dashboard, similar to the DHS CyberScope program, that indicates each agency's current cyber risk. CIOs could monitor this dashboard to assess risk on an ongoing basis across an agency's information systems.