Infiltrating agency ops

Including security as a basic feature of every system and program isn't as easy as it sounds.

"Our philosophy has been — and our key objective for the cybersecurity program — is to improve executive management of the program by integrating [information technology] security controls into all the major business processes of the department," said Lisa Schlosser, assistant chief information officer for IT security at the Transportation Department.

This approach is outlined in a diagram that shows how all the components of the agency's security strategy build on one another — including the security management programs, technical framework and governance structure. Without any one piece, the entire structure could collapse, Schlosser said.

Building on the President's Management Agenda score cards — which grade an agency's status on e-government, financial management and other priorities — DOT and other agencies are putting security at the forefront for every manager.

"I'm a very strong believer in performance metrics and accountability through performance metrics. So, we integrated security metrics into the e-government component of the president's management score card, and that got briefed at the senior team management meetings within the department on a quarterly basis," Schlosser said. "That got a lot of visibility."

Identifying the right performance metrics is not an easy task. But agencies already are required to use the minimum metrics outlined in the Office of Management and Budget's guidance for the Government Information Security Reform Act of 2000.

Those metrics are not just for the performance of systems and programs, but also for the performance of the people overseeing them, said Mark Forman, OMB's associate director for IT and e-government, testifying late last month at a House committee hearing.

Metrics provide the best way to demonstrate that security is not just a black hole where money goes in and a solution never comes out, Schlosser said.

You've succeeded "when you can demonstrate through a strong performance measurement system that you are decreasing your risk through tracking of metrics," she said.

