Without going into the litany of programs that have tried to improve federal cybersecurity over the last decade, the evidence that agency networks and data are more secure is easy to see.
Josh Moses, the former chief of the cyber and national security branch in the Office of Management and Budget's office of the federal chief information officer, said the proof is in the data and the culture.
Moses, who recently left OMB after three years to join PwC as its director of cybersecurity strategy and risk, said agencies are in better shape to defend against cyber attacks because of a combination of policy, people and programs.
“From the implementation of some of those critical capabilities, like the continuous diagnostics and mitigation (CDM) program is certainly further along with highly competent leadership driving progress there. PIV implementation where we are and where we stand is no longer a principal area of focus for us in the metrics space. It was something we had highlighted for 12 years. We are finally able to talk about how you mature your identity access and management program,” Moses said on Ask the CIO. “From an oversight perspective, the dialogue between OMB, DHS and the agencies is markedly better than it was three years ago. Just the ability for agencies to approach us and say ‘here is a concern we have for a program for that challenge we have.’ That dialogue frankly didn’t exist in the same way three years ago. A lot of that is due to the leadership at OMB and DHS.”
In fact, Moses said during his last month at OMB he received a call from a major agency CIO asking for such help. While he wouldn’t go into specifics about the agency, the CIO wanted Moses to come to a meeting and address a specific challenge.
It’s more than just interagency communications. Moses said the conversation with the inspectors general and Government Accountability Office communities is both better and deeper, and those communities are now able to address global cyber challenges such as supply chain risks.
And then there is the maturation of risk management. Moses said the recent release of the high value asset policy update or the new draft Trusted Internet Connection (TIC) policy are two examples of how agencies are addressing risk with more clarity.
But the area where Moses said he has seen the biggest changes around risk is incident management.
“You can look at incidents as a number that is increasing year by year. But my counter-argument there is what are the impacts of those incidents?” he said. “It’s not like we are experiencing another VA or another OPM incident every year. It’s more that there is much more maturity in our ability to detect. There is much more maturity in our time to remediate, to notify OMB, DHS, Congress and share information among our colleagues that didn’t exist three years ago. The government is really moving in the direction of a much better community of practice both within the day-to-day CIO space, but really in the oversight space as well.”
He said the relationship with the IG community and GAO is better than ever, particularly around reaching consensus on cyber metrics.
The governmentwide risk report issued in May is both the biggest accomplishment and the clearest sign of change Moses experienced over his three years at OMB.
The report pulled 8,000 data fields from 97 agencies to determine current state and gaps in understanding and addressing risk.
“We went end-to-end and talked to every CIO and CISO about what we were finding. Then we translated that to what actions we needed to take to close out those gaps. We were able to provide a true guiding light to close out the real gaps we saw in government immediately on the heels of the report,” Moses said. “The things that we captured in it and how the report was used by members of Congress and by the media to really hammer home our core message, which was we are doing better in cybersecurity and are doing better, but there are huge gaps and here’s what they are. And then how that directly translated to the President’s Management Agenda this past winter and spring. That is a clear and lasting impact on the government.”
Moses added that the risk determination report tied directly to the National Cybersecurity Strategy and then tied into budget priorities for fiscal 2019, 2020 and beyond.
“When you see the increase in the budget from 2017 to 2019 over time and then hopefully in 2020, it is much more of a prioritized spend on areas where we weren’t doing so well but that also have high impact in terms of mitigating risks for the federal enterprise,” he said.