It’s been a long-time coming, but the inspector general community is poised in the next year to measure agency progress in securing their systems and data in a new way.
The Council on IG Integrity and Efficiency Subcommittee on IT has been working with the Office of Management and Budget, the Homeland Security Department, the National Institute of Standards and Technology and the Government Accountability Office over the past few years on a new cyber maturity model to close the gap between auditors and chief information officers in how they determine their agency’s cyber posture.
Tammy Whitcomb, the Postal Service’s acting IG and chairperson of the IT subcommittee, said 2018 will be the first year for IGs and agencies to use the cyber maturity model to its fullest.
“Prior to 2017, we had part of the NIST cybersecurity framework covered by the model. But in 2017, we were able to cover all the domains in the NIST cybersecurity framework in the FISMA maturity model,” Whitcomb said on Ask the CIO. “When we first rolled out the maturity model in 2015, we just included the information security continuous monitoring piece. In 2016, we added incident response. And in 2017, we added areas such as risk management, identity and access management, configuration management, training and contingency planning. It was a pretty heavy lift to add domains and as a result we are well aligned with the NIST framework.”
But it’s more than just putting out standards, it’s making them practical and valuable to both auditors and agency cyber executives.
“We are having discussions with DHS and agency CIOs together to get their input on what it means for them,” she said. “One of things we will be looking to do moving forward is to develop a more comprehensive evaluation guide to allow CIOs to have more clarity in the tests or indicators that are used to indicate effective application of controls. The testing guide will help us be more consistent. We are developing it with OMB, DHS, agency CIOs to make sure we are all on the same page in how we understand these controls.”
The IG community has been working on this maturity model for since 2014 in part because a gap between auditors and agencies developed over the last decade or more around measuring the effectiveness of federal cybersecurity controls under the Federal Information Security Management Act (FISMA).
One goal of the maturity model is to help agencies and auditors is to address one long-held criticism of FISMA that it has been a compliance or checklist exercise, and the audits of agency compliance are too much pass or fail instead of taking into account agency risk-based decisions.
Whitcomb said the maturity model will help address consistency issues that have plagued how auditors measure agency progress in meeting FISMA requirements. She said the model also will help agencies understand current cyber posture and the gaps that exist that agencies need to fill to get to the next level of maturity.
“I think being able to focus on all those big, high-risk security areas, the IG community across the board can identify strengths and weaknesses in various agency efforts to address the areas,” she said. “The maturity model has scores so you can identify when you look across the board in the various NIST cybersecurity framework capabilities where the agency scores are higher or lower. Then, agency CIOs and CISOs can decide where they want to apply their resources. If it’s an area that’s a ‘3’ score even though it may show up as non-effective, that’s OK this year because they want to focus in a different area.”
Whitcomb said the evaluation guide will make this recognition of current state and gaps easier and more granular. She said a draft guide will be out this spring and the final version will be available for the fiscal 2018 FISMA analysis later this year.
The Homeland Security Department has been testing out a similar approach for the past few years. DHS created a cybersecurity maturity model that combines the defense-in-depth approach with a risk management process.
DHS established a scale of one-to-five to help explain to lawmakers, auditors or non-IT leadership about the agency’s current cyber posture and where it’s going in the future.
The Defense Department is heading down a similar direction with its cyber scorecard. DoD is planning to move to version 2 of the scorecard this year that is more of a risk-driven approach for the highest priority systems.
Therese Firmin, the acting deputy CIO for cyber at DoD, said Thursday at the CISO Summit sponsored by the Advanced Technology Research Academic Center that version 1 focused on identifying data standards, tagging IT assets and understanding what DoD and has where it lives.
“Now we can apply data analytics to determine what our risk posture is,” she said. “That will help us focus on our risk decisions and move away from a manual, error-prone approach.”
Whitcomb said CIGIE will ensure auditors from across the government are trained on this new maturity model and evaluation guide.
Whitcomb said training beyond the cyber maturity model and evaluation guide is another major priority for the IT subcommittee.
“We want to organize IT training opportunities for IGs in a way that would be more valuable for us a community,” she said. “What training opportunities are available and ensuring our baseline skill levels move up. We don’t have a problem there, but we all could get stronger. It’s always difficult to retain good strong IT personnel, whether auditors or generally, so keeping a well-trained workforce is an important aspect of that.”