The goal of the Federal Information Technology Acquisition Reform Act (FITARA) is to eliminate duplication and waste in IT acquisition for the federal government. However, many agencies continue to rely on aging legacy systems for some of their most critical operations. In fiscal 2019, the government spent $29 billion on maintaining legacy systems.
Recently, Senator Maggie Hassan distributed letters to 10 major federal agencies urging them to modernize their IT systems in order to improve cybersecurity and “reduce wasteful spending associated with the maintenance of legacy IT systems.” This is even more important in the new remote work environment where agencies are supporting mass telework.
Agencies who have taken steps to modernize their systems before the pandemic have reported a variety of benefits. For instance, because the Environmental Protection Agency has been ramping up telework readiness over the past decade, operations were not significantly disrupted during the shift to remote work and employees were able to remain productive.
The Federal Information Security Modernization Act (FISMA) cyber category makes up a portion of the FITARA score – and while FISMA considers data points such as number of incidents, it does not provide insight into how these actions unify to reduce risk. Further, there is discussion amongst industry experts that reporting (including FISMA) may not be complete due to COVID-19, resulting in reduced visibility into problems and increased agency vulnerabilities.
Knowing cyber vulnerability means missions are at risk, what steps do agencies need to take to do better in the distributed workforce and beyond?
The FITARA Cyber Component score is simply the agency’s FISMA score normalized on an “A” through “F” scale. And FISMA scores are based on two components – the score the agency inspector general gives its agency’s posture on cyber maturity model criteria and Cross-Agency Priority (CAP) goals to modernize IT for better productivity and security – covering asset security, personnel access, network and data protection, and cloud email adoption.
Over the last six years, the cyber maturity model has evolved to address inconsistencies between how inspectors general evaluate agency security, and agency evaluations under FISMA. As a result, the maturity model and FISMA evaluation criteria now align with the National Institute of Standards and Technology (NIST) framework.
This is positive because the NIST framework is based on five key pillars: identify, protect, detect, respond, and recover. Agencies need to know where they stand on maturity levels for each and establish a timeframe and a plan to get to the next maturity level.
The United States Agency for International Development (USAID) is a great example. Several years ago, the agency went from an overall “D-” to an “A” in just six months. They were the first agency to receive an overall “A”, and say they achieved the gains by first reaching out to GAO to understand each metric, and then were able to assess specifically what they needed to improve. As reported in Federal News Network, a USAID official shared that the major change made to improve their scores centered around acknowledging the importance of transparency and accountability, and achieving efficiency gains.
Are We Measuring What Matters?
There is a significant gap in the metrics that go into the FITARA Cyber Component, as the scores are based on FISMA – measuring compliance, not actual security or risk. Many security compliance requirements are rooted in basic cyber hygiene, and while adhering to those requirements as well as other best practice frameworks can help reduce risk, compliance isn’t enough. Federal agencies must delegate resources and funding to ensure they’re compliant, but they must also engage in advanced, modern cyber defense tactics to thwart malicious adversaries.
Effective cyber actions require reliable, real-time data for a comprehensive view of the entire environment so that agency cyber defenders can identify, assess, prioritize, and remediate risks accordingly. There are frameworks and models such as the Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm – a risk assessment and management tool recently deployed by the Continuous Diagnostics and Mitigation program that contextualizes risk based on endpoint impact, Federal Vulnerability Risk Score, and the age of the threat. AWARE and other risk models can help agencies prioritize resources and actions against vulnerabilities according to the risks they pose to the Agency, but risk scoring is only helpful if the data is timely and accurate.
First, focus on the NIST pillars as these are used for the maturity model, the basis for FISMA compliance, and ultimately, the FITARA Cyber Component score.
Ensure your agency has the tools in place to understand the environment – what’s in place, what’s missing, and where you need to focus attention. Agencies need options that will reduce the visibility and accountability gaps created by disconnected point-solutions.
Second, share plans. Today, as agencies work to improve their cyber maturity levels in conjunction with FISMA, they are not required to share their plans or progress. While it does not make sense to make this information public, CIOs could submit a plan and share for review within the CIO Council, enabling agencies to learn from one another.
Most CFO-Act agencies have a working capital fund (WCF), but as of now, only six agencies have an IT WCF as sanctioned by the Modernizing Government Technology (MGT) Act. This powerful tool allows CIOs to remove/replace inefficient applications and retire legacy systems and deposit those savings (as well as cost avoidances) into his/her IT WCF. As an added benefit, agencies with an IT WCF earn an instant “A” for their FITARA MGT score. These retained savings, which won’t expire for three years, can be invested in modernization efforts, including critical cyber programs, at the discretion of the agency CIO.
Finally, as one considers new security applications, evaluate data center efficiency. Reducing servers required means reducing hardware and software costs (providing savings that can be re-prioritized). Not only will this reduce cost, it can also dramatically reduce an agency’s attack surface. The agency will also naturally improve FITARA data center scores.
Agencies can strengthen their cyber posture and improve FITARA Cyber Component scores with a tight focus on achieving comprehensive visibility into all systems across the enterprise (end-user, cloud and data center), upgrading or replacing inefficient legacy tools, and ensuring the tools deployed are optimized for newer cloud and hybrid environments equipped for a distributed workforce.
FITARA matters because it helps focus attention and resources where they are needed most, as agencies drive modernization efforts forward and deliver new, secure services to support federal missions in every work environment.
Kim Mackey is vice president of business development for federal civilian at Tanium.