Every day, sophisticated adversaries challenge the digital defenses of federal IT systems and networks. To safeguard critical infrastructure and national security, federal agencies need to adopt a risk management framework for cybersecurity that efficiently identifies, prioritizes and mitigates cyber risks.
The pivot to a more risk management-based approach to cybersecurity will align the federal government with broader industry initiatives to focus on risk tolerance. To that end, the Office of Management and Budget, or OMB, continues a shift away from an emphasis on compliance in favor of risk management.
FISMA compliance
The OMB released its fiscal year 2024 guidance and requirements (memo M-24-04) for agencies that report under the Federal Information Security Modernization Act, or FISMA. The guidance tells agencies how to stand up zero-trust programs, how to make Continuous Diagnostics and Mitigation, or CDM, tooling more usable and its data more visible, and how to report more metrics through automation even where full automation is not yet available. OMB directs agencies to focus their limited resources on collecting the data elements that provide critical insight into their security risk posture.
However, agencies have tended to prioritize FISMA compliance and security checklists, often overlooking the clear policies, procedures and controls that a robust cybersecurity program needs to manage cyber risk effectively. Agencies also burden themselves with a time-consuming process of manually producing documents and lengthy reports that are rarely delivered in a machine-readable format. Meanwhile, the set of assets that must be secured changes rapidly as new threats emerge, so cybersecurity automation is crucial as well.
Nevertheless, FISMA has helped federal agencies strengthen their cybersecurity posture. The reforms and guidance in the latest memo will help agencies prioritize cybersecurity efforts, modernize information technology and build collective defenses against cyber threats. A cohesive cyber risk management strategy complements this: it lets agencies comply with FISMA requirements, implement zero-trust principles and automate the simpler, repeatable monitoring and cybersecurity tasks.
Zero trust
Federal agencies are adopting a zero-trust architecture, or ZTA, to safeguard their critical data and systems, under guidance from OMB and partnering agencies. The ZTA approach authenticates and authorizes every interaction between a user and/or device and a network resource, rather than trusting a request because it originates inside the network. ZTA moves security teams from perimeter-based network security to a model that protects devices, networks and identities directly. For many agencies, the move to a zero-trust architecture requires drastic changes to their networks, legacy systems and applications, and they will have to invest in emerging technology and consulting resources.
A unified risk management strategy could make this transition easier by identifying risks and the systems that need to be security-hardened. Federal staff, including IT and security operations teams and the various lines of business, can use the same vocabulary to categorize risks and compliance. Consider an agency that reports compliance with 20% of its security policies today. What does 20% compliance actually say about that agency's safety and risk level? Or consider an agency that reports compliance with 80% of its security controls. What is the target compliance rate for optimal security and performance, and which 20% of controls are still missing?
Compliance percentages alone cannot answer these questions, because a control count does not say which controls matter most or which systems they protect. A cyber risk management strategy can: it identifies risks within existing systems and applications and quantifies those risks in financial terms, so the transition to zero trust becomes a smaller, less expensive and less time-consuming lift.
Implementing controls
OMB and partnering agencies, such as the Cybersecurity and Infrastructure Security Agency, or CISA, and the National Institute of Standards and Technology, or NIST, have provided guidance to agencies on implementing the core security controls necessary to secure systems and applications. Statistical evidence indicates that these core controls are crucial for reducing risk overall.
A recent study revealed direct links between key cybersecurity controls and reduced cyber risk. The controls that stood out were patching high-severity vulnerabilities within seven days of the patch release, implementing multifactor authentication across all systems in a networked environment, maintaining strong configuration management controls and being able to respond rapidly to an incident.
Currently, the federal government uses the Common Vulnerability Scoring System, or CVSS, to rate the severity of vulnerabilities in software. CVSS measures technical severity, not whether anyone is exploiting a flaw, so agencies driven by CVSS alone end up patching on the same schedule regardless of whether a vulnerability is actively exploited or even practically exploitable. With CISA's Known Exploited Vulnerabilities catalog, agencies can instead put vulnerabilities that attackers are actively exploiting at the front of the queue and remediate them first.
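The following Python script is an added illustration of the prioritization shift described above; it is not code from the original article or from the author's company. It ranks a set of constructed findings two ways: by CVSS score alone, and by a risk-based scheme that puts catalog-listed exploited vulnerabilities first, then applies the seven-day window for high-severity patches that the cited study associates with reduced risk. The vulnerability identifiers (VULN-A through VULN-D), the catalog due dates, the asset names and the 30-day window for lower-severity findings are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

HIGH_SEVERITY = 7.0    # CVSS v3 "High" band begins at 7.0
HIGH_SLA_DAYS = 7      # seven-day patch window for high-severity flaws (from the cited study)
OTHER_SLA_DAYS = 30    # assumed window for everything else; not from the article


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # constructed placeholder id, not a real CVE
    cvss: float
    patch_released: date  # date the vendor patch became available
    asset: str            # constructed asset name


@dataclass(frozen=True)
class Prioritized:
    finding: Finding
    tier: int             # 1 = actively exploited, 2 = high severity, 3 = everything else
    due: date
    overdue: bool


def prioritize(findings, exploited, today):
    """Risk-based patch queue.

    exploited: dict mapping vuln_id -> remediation due date for entries on an
    exploited-vulnerability catalog (constructed here; in practice this comes
    from the catalog feed). Catalog entries outrank raw CVSS score.
    """
    ranked = []
    for f in findings:
        if f.vuln_id in exploited:
            tier, due = 1, exploited[f.vuln_id]
        elif f.cvss >= HIGH_SEVERITY:
            tier, due = 2, f.patch_released + timedelta(days=HIGH_SLA_DAYS)
        else:
            tier, due = 3, f.patch_released + timedelta(days=OTHER_SLA_DAYS)
        ranked.append(Prioritized(f, tier, due, today > due))
    # Exploited first, then earliest deadline, then highest CVSS as a tie-breaker.
    ranked.sort(key=lambda p: (p.tier, p.due, -p.finding.cvss))
    return ranked


def severity_only(findings):
    """The CVSS-only ordering the article says agencies currently follow."""
    return sorted(findings, key=lambda f: -f.cvss)


def sla_compliance(ranked):
    """Fraction of findings still inside their remediation window."""
    return sum(1 for p in ranked if not p.overdue) / len(ranked)


# Constructed sample data for the example.
TODAY = date(2024, 3, 15)
FINDINGS = [
    Finding("VULN-A", 9.8, date(2024, 3, 1), "web-frontend"),  # critical score, not exploited
    Finding("VULN-B", 6.5, date(2024, 2, 1), "vpn-gateway"),   # medium score, actively exploited
    Finding("VULN-C", 7.5, date(2024, 3, 12), "hr-db"),        # high score, patch three days old
    Finding("VULN-D", 4.3, date(2024, 1, 10), "kiosk"),        # low score
]
EXPLOITED = {"VULN-B": date(2024, 3, 1)}  # constructed catalog due date


def risk_queue_ids(today=TODAY):
    return [p.finding.vuln_id for p in prioritize(FINDINGS, EXPLOITED, today)]


def severity_queue_ids():
    return [f.vuln_id for f in severity_only(FINDINGS)]


if __name__ == "__main__":
    print("CVSS-only order:  ", severity_queue_ids())
    print("Risk-based order: ", risk_queue_ids())
    for p in prioritize(FINDINGS, EXPLOITED, TODAY):
        print(f"  tier {p.tier} {p.finding.vuln_id:7} on {p.finding.asset:13} "
              f"due {p.due} {'OVERDUE' if p.overdue else 'ok'}")
    print("Within SLA:", f"{sla_compliance(prioritize(FINDINGS, EXPLOITED, TODAY)):.0%}")
```

The point the output makes is that the CVSS-only queue starts with VULN-A (9.8) and pushes the exploited VULN-B (6.5) to third place, while the risk-based queue puts VULN-B first because it is the one an attacker is already using. The SLA figure (25% of findings inside their window) is the kind of risk-oriented metric the article argues for, in place of a bare count of controls satisfied.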
Reducing risks requires a universal strategic approach.
Cyber risk management is not just about using tools; it is also about adopting a strategic approach to prioritizing cyber threats. Agencies must work together to understand how cyber risks affect their business objectives and operations, and how to address those risks effectively.
The escalating sophistication and frequency of cyber threats mean that federal agencies must urgently adopt a comprehensive cyber risk management strategy and the tools to support it. By using unified, integrated strategies and tools that collect and analyze threat intelligence from multiple sources, agencies can gain a holistic view of their security posture.
This approach lets agencies focus on the vulnerabilities that matter most, reduce their attack surface and improve their resilience against cyber threats.
Jonathan Trull is chief information security officer at Qualys, a Foster City, California-based company specializing in cloud security, compliance and related services.