While the latest Federal Information Technology Acquisition Reform Act (FITARA) scorecard shows all agencies have passing total scores, not one agency’s Cyber score changed from the FITARA 10.0 scorecard issued earlier in 2020.
The Cyber category consists of criteria from the Federal Information Security Modernization Act (FISMA) – and while FISMA measures compliance and considers data points such as number of incidents, it does not provide insight into how these actions unify to reduce risk.
Basic cyber hygiene is the root of many security compliance requirements, and while adhering to those requirements as well as other best practice frameworks can help reduce risk, compliance isn’t enough. Agency cyber defenders also need reliable, real-time data for a comprehensive view of the entire environment so they can identify, assess, focus on, and remediate risks.
The best decisions are made with good, high-fidelity data. So, how can agencies manage potential cyber risks and improve their security posture?
Scoring the FITARA Cyber Category
The Cyber score has two components: the rating the agency inspector general gives the agency’s posture against the cyber maturity model criteria, and progress on the Cross-Agency Priority (CAP) goals to modernize IT for better productivity and security – covering asset security, personnel access, network and data protection, and cloud email adoption.
The cyber maturity model has evolved over the past several years to address inconsistencies between how inspectors general evaluate agency security and how agencies evaluate themselves under FISMA, aligning more closely with the five key pillars of the NIST Cybersecurity Framework. Agencies need to know where they stand on maturity level for each pillar, and establish a timeframe and a plan to reach the next level.
More updates to FISMA may happen soon. A recently proposed bill, titled the “Federal System Incident Response Act” would update FISMA criteria, “increasing transparency by clarifying how and when agencies must notify impacted individuals and Congress when data breaches occur.”
Strengthening Agency Cyber Posture
Agency IT teams can strengthen their cyber posture and improve FITARA cyber scores by characterizing each risk by the severity of the vulnerability, its age, and the value of the data or system exposed to the threat. This approach is the essential methodology behind CISA’s Agency-Wide Adaptive Risk Enumeration (AWARE) risk scoring algorithm, and it illustrates the clear difference between measuring risk and measuring compliance.
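The following added example illustrates the point above: a finding count (the compliance view) and a severity-by-age-by-asset-value score (the risk view) can rank the same assets in opposite order. It is illustrative code written for this page, not CISA’s AWARE algorithm or any agency tool; the weighting formula, the 30-day grace period, the asset-value scale, the asset names and the CVE-style identifiers are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One open vulnerability finding on one asset (constructed sample data)."""
    asset: str
    vuln_id: str        # placeholder identifiers, not real CVEs
    cvss: float         # severity on the CVSS 0-10 scale
    first_seen: date    # when the scanner first reported it
    asset_value: int    # assumed scale: 1 (low) .. 5 (mission critical)


def age_factor(age_days: int, grace_days: int = 30) -> float:
    """Assumed weighting: a finding inside its grace period counts once;
    each further month unremediated adds 1x, capped at 6x overall."""
    overdue = max(0, age_days - grace_days)
    return 1.0 + min(overdue / 30.0, 5.0)


def risk_score(f: Finding, as_of: date) -> float:
    """Severity x age weight x asset value, the three factors named in the text."""
    age = (as_of - f.first_seen).days
    return round(f.cvss * age_factor(age) * f.asset_value, 2)


def rank_by_risk(findings, as_of: date):
    """Assets ordered by summed risk score, highest first."""
    totals = {}
    for f in findings:
        totals[f.asset] = totals.get(f.asset, 0.0) + risk_score(f, as_of)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def rank_by_count(findings):
    """The compliance-style view: assets ordered by number of open findings."""
    counts = {}
    for f in findings:
        counts[f.asset] = counts.get(f.asset, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


# Constructed inventory: one old critical finding on a high-value server,
# three fresh low/medium findings on a throwaway kiosk.
AS_OF = date(2020, 12, 1)
FINDINGS = [
    Finding("hr-file-server", "VULN-EXAMPLE-1", 9.8, date(2020, 9, 1), 5),
    Finding("kiosk-01", "VULN-EXAMPLE-2", 4.3, date(2020, 11, 20), 1),
    Finding("kiosk-01", "VULN-EXAMPLE-3", 5.0, date(2020, 11, 20), 1),
    Finding("kiosk-01", "VULN-EXAMPLE-4", 3.1, date(2020, 11, 20), 1),
]

if __name__ == "__main__":
    print("by open-finding count:", rank_by_count(FINDINGS))
    print("by risk score:        ", rank_by_risk(FINDINGS, AS_OF))
```

Counting findings puts the kiosk first (three open items versus one); weighting by severity, age and asset value puts the file server far ahead (roughly 149 versus 12), which is the remediation order a risk manager actually wants. Any real scoring scheme would pick its own weights, but whichever weights are used, the inputs that matter are the same three the text names, not the number of findings.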
In addition, IT teams should focus on achieving comprehensive visibility into all systems across the enterprise (end-user, cloud, and data center).
To get the real-time data risk managers need to act on these threats, IT teams should assess their current toolset and replace costly, inefficient legacy tools that no longer do the job with a platform that simplifies the environment. For a distributed workforce, a streamlined toolset also works better in newer cloud and hybrid environments. With that in place, agency leaders can understand the full environment and close the accountability gaps created by disconnected point solutions.
Agency CIOs should also consider sharing IT plans. While it’s not required to share plans or progress as they work to improve their cyber maturity levels in conjunction with FISMA, CIOs could submit a plan and share for review within the CIO Council, enabling agencies to learn from one another.
Agency IT teams should assess data center efficiency while considering new security applications. Reducing the number of servers in use decreases hardware and software costs, freeing dollars that can be re-prioritized. It also gives agencies the opportunity to adopt a single, ubiquitous endpoint management platform that provides end-to-end visibility across end users, servers, and cloud environments – and that can identify assets, protect systems, detect and respond to attacks, and recover at scale. This breaks down data silos and lets IT teams receive good, high-fidelity data in near real time to manage risk.
As agencies work to improve overall cyber posture, the focus must be on improving cyber hygiene and reducing risk. To achieve this, the whole of government must accurately evaluate risk, gain comprehensive visibility into systems, share knowledge across agencies, and improve data center efficiency. At the root, this requires agencies to have reliable, real-time data.