Improving the Framework for Managing Cybersecurity Policy
Below are ideas that I shared on this topic yesterday as part of a panel discussion with the White House’s Commission on Enhancing National Cybersecurity.
The policy framework that governs Federal IT with respect to cybersecurity has many pieces. Major laws include:
- the Paperwork Reduction Act, which in 1980 authorized OMB to oversee a broad range of IT activities, including privacy and security;
- the Computer Security Act, which in 1987 gave the OMB Director authority over civilian agencies -- FISMA updated the Computer Security Act in 2002 and again in 2014 to drive agencies more toward operational security;
- the E-Government Act, which in 2002 vested OMB’s Office of E-Government and Information Technology with leadership of IT and E-gov issues, including security; and
- last year’s Federal Information Technology Reform Act, which added to the Clinger Cohen Act of 1996 to give CIOs new authorities and tools to manage IT.
In addition to these general statutes, DHS’ cyber leadership was authorized in the Homeland Security Act of 2002.
These statutes are implemented through an array of policies that impact IT security, including:
- OMB Circulars that integrate Federal information and IT policy, and govern cybersecurity and Enterprise Risk Management;
- FISMA Guidance, which requires agencies to report on security activities, and drives agency priorities and Inspector General reviews; and
- NIST Guidance, which addresses security, privacy, and identity management in multiple ways that agencies leverage to make risk-based security decisions.
Additional policy frameworks address privacy and identity management.
And these laws and policies are led by a diverse group of organizations, among them the White House Cyber Coordinator; OMB, led by the Federal CIO and new Federal Chief Information Security Officer in the E-Gov Office; DHS, led by NPPD; and NIST -- just to name a few.
Perspectives on Enhancing Policy for Improved Federal Cybersecurity
In a world where threats emerge faster than policies and acquisitions can react to them, agility is essential. Policies can promote approaches and technologies through which government can predict and prevent cyber threats. This Administration has taken important steps forward in developing and coordinating IT and cybersecurity policies, leveraging progress made in previous Administrations. Following are some ideas to continue enhancing this policy objective.
- Rationalize governance around key priorities – Agencies must manage their cyber assets under the broad policy and oversight structure described above. Clearly identifying roles and responsibilities, and focusing collective effort on key priorities for improving cyber in and across agencies, can have great benefit – especially for a new Administration that may need to take rapid action in response to a cyber incident. Developing a short set of key goals and objectives consistent with this structure, and making explicit responsibility and accountability for how these goals would be achieved and measured, would ensure that stakeholders in and with government would have a guidepost to align security actions. This need not be a long and detailed strategic plan – multiple cyber strategies already exist across the government.
Rather, a new Administration could outline governmentwide priorities and lead organizations, a clear baseline architecture for technical protections across agencies, and pathways for deeper engagement with the private sector. Such a policy could build on the Comprehensive National Action Plan, and be issued by the President via Executive Order or Directive to build on current progress. This approach would garner agency head attention, strengthening focus on cybersecurity across the government’s C-Suite and stressing rapid action by mission leaders working with CIOs.
- Drive innovation – Given the multiple players, laws and policies that agencies must comply with, many cybersecurity resources necessarily go to compliance and reporting. There are relatively few incentives in the system to introduce innovation, making it difficult for government to tap into evolving commercial best practice. One path to address this concern could be through the procurement system. Most agency cybersecurity products and services are actually produced by industry through government contracts, under a set of complex rules that too often focus resources on inputs and tend to impede new ideas.
Policies that can accelerate technology procurements will allow agencies to keep pace with innovation. And effective procurement requirements can incentivize sound cybersecurity practices, allowing companies to bring innovative ideas forward – such as how agencies can best leverage leading-edge commercial items, or harness the enormous potential of Blockchain -- as an expected contract activity. This could enable government to leverage the $90 billion annual government IT investment to attract innovation, from companies that already carry out these investments through procurements.
- Integrate security and privacy – The recent reissuance of OMB Circular A-130 addressed privacy and security in a more coordinated fashion. Safeguarding personally identifiable information is a key element of cyber protection for government systems generally – yet the teams across government that implement privacy are often organizationally separate from cybersecurity teams. More integration of policies, programs, and organizations can help align efforts around the end goal: protecting the sensitive data that government holds in stewardship on behalf of its citizens. The collaboration of DHS’ Privacy Office with NPPD provides an effective model of coordination. This integration can be reinforced by policies that call for agencies to account for security and privacy spending together.
- Enhance Public-Private Collaboration – In addition to leveraging innovation, policy can promote enhanced engagement across sectors to leverage best practices. Some ideas include:
  - Expand real-time threat information sharing at scale, building on the Cybersecurity Information Sharing Act of 2015;
  - Mature agency risk management programs to enable informed cyber choices, working with industry to understand the risk landscape relative to agencies’ mission achievement – the NIST Cybersecurity Framework promotes such an approach, and integrating government CIO and CFO responsibilities into an enterprise risk management program would also benefit from adapting industry ERM models;
  - Develop an approach to leverage commercial best practice for cybersecurity in government adoption of the Internet of Things; and
  - Work with industry to speed the process for approving cloud-based cybersecurity under the FedRAMP program at GSA.
Read my statement along with other panelists' and speakers' statements from the meeting of the Commission on Enhancing National Cybersecurity. A follow-up post will share perspectives on the panel discussion.