Commentary

How Congress can make cyber reforms real

In 2014, industry and government were rocked by major cyber breaches and attacks that highlighted continued vulnerabilities in security management. As a result, corporate and agency executives are beginning to pay attention to the business and customer impact rather than assuming security is the narrow and exclusive technical domain of chief information security officers and CIOs.

That change in attitude comes as IT is growing ever more pervasive via the interconnected systems, devices, monitors and sensors that make up the Internet of Things. New business solutions, emerging interactive technologies, innovative data aggregation and delivery options, and hyperscale infrastructure technology all require robust information assurance and privacy protections.

Congress, meanwhile, has passed several reform bills that are moving federal cybersecurity in a similar direction, and no fewer than eight committees and subcommittees in the House and Senate have announced intentions to hold cybersecurity-related oversight hearings this year.

Congressional oversight is critical to ensuring transparency and accountability for compliance with new legislation. So what can Congress do to more effectively oversee implementation of major cybersecurity reforms? Let me offer three suggestions based on my experience working for and reporting to congressional oversight committees:

1. Focus on fact-based discussions. Oversight is most effective when committees ask agencies for facts that demonstrate how cybersecurity dollars are producing tangible improvements. How have legal, regulatory, economic or mission impact risks been mitigated? Can the agency demonstrate that it is implementing security programs in a cost-effective manner? What is being done to simplify security insights to increase responsiveness and resiliency to changing threats? Is there a baseline against which progress in security capabilities can be objectively assessed?

Those questions demand attention and responses from agency leaders, not simply CISOs or CIOs.

2. Learn from leading best practices and avoid past mistakes. Security is not a one-size-fits-all affair. We must protect data at rest, in use and in transit rather than just protecting the system environments in which it resides. There are operational, technical and managerial controls that apply to any effective security management program, but risk management frameworks should result in risk profiles that vary across different agency missions.

Furthermore, with so much security now outsourced as managed services, clear contractor accountability for performance is essential. Congress should demand this focus from audit groups and the reports they issue to oversight committees. With governmentwide buy-in from the executive and legislative branches on a baseline set of controls (like the FedRAMP controls for cloud solutions), audits can become less of a guessing game.

3. Seek consensus on how to prioritize corrective security actions. At the Department of Veterans Affairs, the inspector general reported some 6,000 security risk findings and made 35 recommendations to the VA secretary as part of the agency's required reporting under the Federal Information Security Management Act.

But how can VA or any agency possibly address the thousands of findings and related recommendations? What is attributable to lack of management support and execution versus inadequate budget resources or poor budgeting practices? Are resources within existing budgets available to shore up weaknesses, and if so, how can they be prioritized? To my knowledge, neither the auditors nor the VA produced a cost estimate for full compliance with audit recommendations.

Given the vast array of policy, process, managerial, technical and operational demands that are in play, at least some degree of consensus on risk-based priorities is paramount. Agency leaders, inspectors general and the Office of Management and Budget all have important parts to play, but Congress can have a special role in ensuring that viable security solutions are put in place.

About the Author

Dave McClure is chief strategist at Veris Group.
