Compliance vs. honesty: How agencies should approach the cyber EO

The first guidance related to the cybersecurity executive order signed by President Donald Trump in May is filled with four deadlines between now and August. Agencies have their marching orders for how to report cyber metrics to the governmentwide Cyberscope platform, for how to develop and submit their risk assessment and for how to create an action plan to implement the cybersecurity framework developed by the National Institute of Standards and Technology.

But if you read between the lines of the May 19 memo from Mick Mulvaney, the director of the Office of Management and Budget, there is a golden opportunity for federal chief information officers and chief information security officers (CISOs).

CIOs and CISOs can either treat this as a compliance exercise, or take the bull by the horns, offer an honest assessment of their cyber posture and expect help from OMB. And OMB had better not shrink from that.

“This memo and executive order is a gift for us to take a hard look at what we need,” said one agency CISO, who requested anonymity because they didn’t get permission to talk to the media. “CISOs need to take a hard look, paint as accurate of a picture as they can of the conditions and take advantage of this opportunity to get healthy.”


Cyber experts say it would be easy to meet the requirements under the memo. Most of the data already exists, particularly in large agencies.

But with the consistent and broad focus on cybersecurity from the White House and Capitol Hill, experts also say there has been no better time in the last decade to make real change.

“The guidance says all agencies, including all small agencies, and that’s an important caveat because there has been a lot of focus on the CFO Act agencies, but not the small ones where cybersecurity vulnerabilities are just as bad,” said Greg Touhill, the former federal CISO. “It’s also a continuation of work we were doing before I left government. We had been pushing for this type of risk approach, and for the federal government to use the NIST framework. One of the challenges I threw down, and we voted for it in the CISO council, was to do a risk assessment using the framework by July 1. This is following up on that and a positive sign.”

Touhill said he’s unsure whether agencies will make the July 1 deadline, but the fact they are performing a risk assessment as required by the EO is an important step.

“My interpretation was to use the framework as a tool to manage risk. You have to consider all of these controls and make a value-based decision as to where you will accept risk,” he said. “If we use the tool in that way, then we will do great. But if we just use it as a checklist, then we will continue to have folks who will shy away from it and not embrace it.”

The federal CISO expanded on that point, saying the culture of cybersecurity in agencies is one that doesn’t air its dirty laundry or even be honest with itself. So this is their chance to break that custom.

The checklist versus honest review approach harkens back to the letter versus spirit discussion the federal community has had over the last 20 years about the role of the CIO. Should CIOs and CISOs, and for that matter agency senior executives, just comply with the EO, or take it as a serious attempt by the Trump administration to improve the government’s cyber posture?

“We need to look further than the questions OMB is asking,” the CISO said. “If we all dig deep and are honest, more resources will become available because we will know where to direct our attention. There are a lot of good things going on and we need to share them and make them easier to use.”

The CISO is referring to the potential of shared services and cloud computing—both of which were explicitly called out in the order.

Touhill seconded the notion that honesty is the best policy.

“A lot of folks want to put lipstick on the bulldog and call it beautiful. If you are patting yourself on the back and saying ‘we are great because we’ve done XYZ,’ and while that may get you your performance incentive, you are not able to execute your mission as well as you need to, then you are not properly executing your job,” he said. “Many of the folks I’ve worked with across different departments and agencies, from where I was with the cyber sprint, didn’t have good visibility into their true posture, which was why we were accelerating the continuous diagnostics and mitigation (CDM) program.”

Touhill said now that a large number of agencies have that visibility into their network and systems through CDM, being honest shouldn’t be that difficult.

The federal CISOs have met with or been on calls with OMB and the Homeland Security Department over the last few weeks to discuss the cyber EO’s implementation and go over the plans of action.

Agencies faced their first deadline on May 26 to name a senior accountable official for the implementation of the risk management section of the EO. The next deadline is July 14 when agencies must submit third quarter cyber metrics to DHS and their implementation plans of the NIST cyber framework.

Many federal executives and industry experts have held back any real opinion on the EO, falling back on the old adage that “the proof will be in the pudding.” Well, these four deadlines are the first ingredients of the proverbial pudding.
