BreachExchange mailing list archives

Cybersecurity a hidden aspect of FITARA reform


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 30 Jun 2015 19:24:20 -0600

http://www.federaltimes.com/story/government/cybersecurity/2015/06/30/cybersecurity-fitara/29515769/

Cybersecurity is at the fore of discussions across the federal government
today and CIOs looking at changes coming with the implementation of the
Federal IT Acquisition Reform Act (FITARA) are no different.

Agencies have until mid-August to submit action plans to the Office of
Management and Budget explaining how they will comply with FITARA — the
most significant IT legislation since the Clinger-Cohen Act of 1996 — and
should include how the CIO plans to deal with cybersecurity issues,
according to Federal CIO Tony Scott.

"While there's nothing specific in FITARA about cybersecurity, this is
going to be one of the great benefits of FITARA: a greatly improved
cybersecurity posture," Scott said while speaking at a June 30 event held
by the Association for Enterprise Information (AFEI). "The very first thing
in cybersecurity is understanding what's of value and being very clear
about that … Once you understand what's of value and you figure out a
management strategy of how to protect it, that's the beginning step in
having an effective cyber strategy."

Provisions in FITARA require department CIOs to be aware of all the projects
being implemented at component agencies and bureaus, and give them authority
over those projects. Along with that authority comes a responsibility to
ensure those systems are protected, according to Scott.

FITARA "clearly says the CIO is responsible for the totality of the IT
environment and should be held accountable," Scott said after his keynote.
"You can't ignore that part of the job."

Along with implementing cybersecurity tools, Scott pointed to issues like
shadow IT, in which employees use their own devices or apps without
clearing them through the proper channels.

"With FITARA we have to expose that," he said. "If you're responsible,
you're totally responsible. [CIOs] don't get to be a part-time owner."

But Scott warned against being overly reactive, noting some of the
difficulties in implementing cybersecurity measures on aging IT systems. He
compared it to installing airbags in a 1965 Mustang.

"The '65 Mustang was a great car but it wasn't designed for airbags," he
said. "If you try to retroactively put them in, it's going to be ugly and
nobody's going to be happy with the result. We have exactly that situation
— not just at OPM but in a whole bunch of other places, as well."

Scott said that while CIOs have a responsibility to ensure a strong
security posture on their systems, firing people when breaches are
discovered sends the wrong message.

"Part of this reform that we're going through is cleaning up decades of
neglect, omission, not seeing the issues, not funding things that need to
be repaired," he said. "We have to be very careful of being overly critical
of those that are here to help and here to fix because those very people
are going to uncover a ton of issues."

The message hasn't been lost on agency IT leaders, according to Commerce
Department CIO Steve Cooper.

"I think every federal CIO absolutely would agree that we are individually
— and in our departments — accountable for ensuring we are doing everything
we can possibly do at our respective agencies to address the cybersecurity
risk, threats and vulnerabilities," he said.