Herding the stray cats of federal IT ambitions

concept cybersecurity art

Most government agencies are embracing the benefits of cloud computing, a mobile workforce and cybersecurity measures to protect critical networks and assets. But in many cases it has been a struggle just to get to that point, and hurdles remain as different approaches present a fragmented federal IT security picture.

Some help in federating the ways government agencies implement security practices will emerge in the forthcoming final version of the National Institute of Standards and Technology’s cybersecurity framework, due next month. But some experts are advising additional measures to help the government get to a comprehensive management plan for IT security.

A new report advocates a more integrated approach that moves away from compliance-based security and toward a risk-management paradigm that coordinates cross-government efforts.

“There are a lot of initiatives that agencies are responsible for, which the paper tries to highlight – cloud first, data center consolidation, continuous diagnostics and mitigation, mobility management, a whole bunch of things agencies are responsible for,” said report co-author Karen Evans, national director for the U.S. Cyber Challenge. “One major theme in our recommendations is taking a look at that and building out the architecture in order to ensure [success]. If you’re looking at these initiatives separately and try to implement them separately without looking at the integrated picture, it’s going to defeat the purposes of them.”

The first recommendation in the report calls on the Information Security and Identity Management Committee (ISIMC), part of the Federal CIO Council, to take on a leadership role by adopting and issuing integrated network architecture. It also asks the ISIMC to establish FISMA-friendly implementation plans with milestones to help agencies transition to the proposed architecture.

“Right now there’s no overarching document saying, ‘this is how all these things can potentially work together,’” Evans said. “The pool of knowledge at the Federal CIO Council can help create the documents to lay out a specific roadmap that agencies can develop and be held accountable for.”

A second recommendation targets FedRAMP, calling on the Joint Authorization Board to require cloud service providers contracting with the government to “employ penetration testing capabilities in the implemented operational environment in order to surveil, analyze and respond to threats in real-time.”

This is especially important as FedRAMP deadlines approach, Evans noted.

“Right now everyone is scrambling, what does it mean?’ This architecture would help identify [security] gaps and how to get there – ‘here’s where I am and here’s where the gap is to get to my outcome, and here’s my plan to close that gap,’” she said.

Under the recommendations, the Joint Authorization Board’s current role in governing FedRAMP and certifying cloud providers for the General Services Administration would be reinforced and broadened, ensuring that providers and their services meet requirements and policies for other agencies as well.

“The nice thing about that is it’s a proven model,” said Julie Anderson, another co-author of the report and managing director of Civitas Group. “We’re not proposing something new; we’re proposing integration of processes and how FedRAMP can be integrated into requirements and expectations.”

The report additionally calls on the Office of Management and Budget and Homeland Security Department to jointly establish metrics that inspectors general can use to measure agencies’ cybersecurity risk and program effectiveness.

“There are so many initiatives, all with good intentions – we’re trying to weave that together into an integrated approach so agencies can look at all of the policies and directives and have an understanding of what they need to do next to meet requirements,” Anderson said.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

The Fed 100

Read the profiles of all this year's winners.


  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Thu, Jan 23, 2014 Owen Ambur Hilton Head Island, SC

SafeGov's recommendations are now available in StratML format at or, more specifically, Facilitating strategic alignment and performance accountability are among the purposes of the StratML standard.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group