Daily Stuntz 11/18 — Cybersecurity Policy: Fun with FISMA

Joe Stuntz
4 min read, Nov 18, 2020

As a new Administration is coming in and there are lots of fun discussions about who is going to get what role in what agency, I wanted to sprinkle in everyone’s favorite topic: Federal agency cybersecurity. This is a nuanced subject I worked on in government, and lots of good people are doing good work today, but I am going to have a little fun. If someone reads this and feels I am not characterizing their work/team right, they are probably correct, but it is my blog :).

Imagine that you are being vetted to be Secretary of Education and you are a passionate, mission-focused person trying to improve education across the country. You end up getting the job and are excited, but during orientation a weird moment happens: the lights get a little lower and someone in a dark voice starts yelling, "You are now responsible for the cybersecurity posture of the Department of Education!!!" Then that moment is over and you go back to focusing on the authorities and levers you can pull to advance your mission, which is education.

That weird moment is brought to you by the Federal Information System Management Act of 2002, updated by the Federal Information System Modernization Act of 2014, which states that agency heads own their risk. This could make sense, as the agency itself knows the type of data, services, and interactions required to accomplish its mission, so it should be responsible. But I am going to argue that this concept should be updated to a new paradigm that is more focused on alignment with mission — DHS should own Civilian agency cybersecurity risk.

Today, large and small agency IT and security teams work very hard to secure sensitive data of all types. Considering the type and amount of data in the Federal government, there are certainly counterexamples like OPM, but in general these teams do a very good job, especially under the circumstances. A possible scenario looks like:

  • Supporting the mission of your agency with systems that you manage from various decades, some of which are contractor owned and operated
  • Staff you can't pay competitively, and hiring takes 9 months on a good day
  • GAO auditing you until morale improves and throwing lists of issues at you with no funding or resources to actually do anything about those issues
  • IG doing their best to give you a longer list of unfunded requirements than GAO and then mocking you when you don't get them all done
  • DHS/NSA/Cyber Command bulletins that immediately throw your priorities out the window because everyone is getting pwned
  • The 473rd budget continuing resolution, meaning you don't have the resources you need, and you can only budget for one year out anyway, so YOLO
  • My old office in OMB (hi friends) does a CyberStat on you, points out many of the same issues as GAO and IG, and threatens to bring in agency political leadership if progress is not made
  • Researchers and penetration testers finding all sorts of fun issues that get added to the other lists of things you can't afford or can't figure out how to fix

So, with that rosy picture, should we just throw much more money at each agency? As I work for a vendor, I should probably recommend this so people have more money to buy Virtru. Even without more money, everyone reading this should buy Virtru; protect yourself before you wreck yourself. But instead I would argue it is time to look at the role of DHS in the Federal space and elevate it. I think this is especially true considering the migration to cloud services, a focus more on applications and data versus networks, and other trends that make more centralized management easier.

DHS today has the position of advisor and partner to Civilian agencies in Federal cybersecurity, and while they do highlight issues at agencies, they also provide many shared services and programs like CDM and NCATS that help agencies address those issues. Based on this experience and the agency's mission, I believe it is time for DHS to move from advisor to risk owner. There are a lot of operational and policy challenges this move brings up, but below are a few of the tradeoffs that I see:

Cons:

  • Every agency is special and needs special things, so a single Civilian owner wouldn’t work
  • DHS would have to treat agencies as customers and provide customer service
  • The needs of the Department of Justice are so incredibly different from those of the Marine Mammal Commission (shout out to the small agencies)
  • Legal authorities (my least favorite discussion and reason for anything)
  • What about all the existing stuff?

Pros:

  • Agencies focus on their mission while DHS is empowered to do theirs
  • Potential cost savings from reduction of tools/complexity/management costs
  • Easier hiring by not competing across agencies

For implementation of such a shift, this could start out with a small agency's network, cloud services, toolset, infrastructure, and staffing, and then scale up to larger agencies. There will likely be outliers (FBI as an example) and maybe one or two hybrid scenarios, but 99% of the time DHS should be the Civilian risk owner, and the start of making this happen is to reopen FISMA.
