How Congress can make cyber reforms real

In 2014, industry and government were rocked by major cyber breaches and attacks that highlighted continued vulnerabilities in security management. As a result, corporate and agency executives are beginning to pay attention to the business and customer impact rather than assuming security is the narrow and exclusive technical domain of chief information security officers and CIOs.

That change in attitude comes as IT is growing ever more pervasive via the interconnected systems, devices, monitors and sensors that make up the Internet of Things. New business solutions, emerging interactive technologies, innovative data aggregation and delivery options, and hyperscale infrastructure technology all require robust information assurance and privacy protections.

Congress, meanwhile, has passed several reform bills that are moving federal cybersecurity in a similar direction, and no less than eight committees and subcommittees in the House and Senate have announced intentions to hold cybersecurity-related oversight hearings this year.

Congressional oversight is critical to ensuring transparency and accountability for compliance with new legislation. So what can Congress do to more effectively oversee implementation of major cybersecurity reforms? Let me offer three suggestions based on my experience working for and reporting to congressional oversight committees:

1. Focus on fact-based discussions. Oversight is most effective when committees ask agencies for facts that demonstrate how cybersecurity dollars are producing tangible improvements. How have legal, regulatory, economic or mission impact risks been mitigated? Can the agency demonstrate that it is implementing security programs in a cost-effective manner? What is being done to simplify security insights to increase responsiveness and resiliency to changing threats? Is there a baseline against which progress in security capabilities can be objectively assessed?

Those questions demand attention and responses from agency leaders, not simply CISOs or CIOs.

2. Learn from leading best practices and avoid past mistakes. Security is not a one-size-fits-all affair. We must protect data at rest, in use and in transit rather than just protecting the system environments in which it resides. There are operational, technical and managerial controls that apply to any effective security management program, but risk management frameworks should result in risk profiles that vary across different agency missions.

Furthermore, with so much security now outsourced as managed services, clear contractor accountability for performance is essential. Congress should demand this focus from audit groups and the reports they issue to oversight committees. With governmentwide buy-in from the executive and legislative branches on a baseline set of controls (like the FedRAMP controls for cloud solutions), audits can become less of a guessing game.

3. Seek consensus on how to prioritize corrective security actions. At the Department of Veterans Affairs, the inspector general reported some 6,000 security risk findings and made 35 recommendations to the VA secretary as part of the agency's required reporting under the Federal Information Security Management Act.

But how can VA or any agency possibly address the thousands of findings and related recommendations? What is attributable to lack of management support and execution versus inadequate budget resources or poor budgeting practices? Are resources within existing budgets available to shore up weaknesses, and if so, how can they be prioritized? To my knowledge, neither the auditors nor the VA produced a cost estimate for full compliance with audit recommendations.

Given the vast array of policy, process, managerial, technical and operational demands that are in play, at least some degree of consensus on risk-based priorities is paramount. Agency leaders, inspectors general and the Office of Management and Budget all have important parts to play, but Congress can have a special role in ensuring that viable security solutions are put in place.

About the Author

Dave McClure is chief strategist at Veris Group.

