A New Approach to Cybersecurity Across Agencies – the Administration’s Progress Report
Last week, the Obama Administration released its latest set of reports on government performance toward achieving many high-priority goals, within and across agencies. As the Center has written previously, public presentation that focuses on outcomes for high-priority goals can incentivize agencies to reach results in key areas that matter for citizens, businesses, and governments.
Among over 100 goals are 14 that cut across agency boundaries. These “Cross-Agency Priority” (CAP) goals include significant areas of government activity that do not fall into a single agency’s jurisdiction. One such area is Cybersecurity; the “goal leader” for this activity is Michael Daniel, who serves as the Special Assistant to the President and Cybersecurity Coordinator in the White House.
The three key areas on which the goal focuses are not new, but are brought together in a way that provides a renewed emphasis on their importance and linkage as part of an overall cybersecurity strategy. As stated on the Performance.Gov description, the cyber security goal:
“helps Federal departments and agencies improve cybersecurity performance by focusing efforts on what data and information is entering and exiting their networks, what components are on their information networks and when their security status changes, and who is on their systems. [emphasis in the original]” Specifically, the goal addresses:
- Trusted Internet Connections (TIC) - Consolidating external Internet traffic and ensuring a set of common security capabilities for situational awareness.
- Continuous Monitoring of Federal Information Systems - Transforming static security into an integral part of a dynamic enterprise-wide risk management process … to maintain an ongoing near-real-time awareness and assessment of information security risk and rapidly respond
- Strong Authentication – Ensuring only authorized employees have access to Federal information systems by requiring a higher level of assurance through using multi-factor authentication, such as Personal Identity Verification (PIV) cards.”
It is important to recognize that linking cybersecurity to a set of goals that focus on mission outcomes is itself novel. For many years, including throughout my tenure in government, cybersecurity was not considered by most to be core to mission effectiveness. But as government and the private sector move more programs and activities to the Internet, and as the Administration calls for agencies to leverage Open Data and Open Government as core to their strategy for delivering services and information, protecting the systems and data flows that drive those programs and activities becomes paramount to their success. What’s good for programs is good for cyber, and vice-versa – the goal measurement process reinforces this.
Another new component of this approach is the focus on collaboration for cybersecurity by the agency’s Chief Information Officer (CIO) and Performance Improvement Officer (PIO). As the Goal summary further states:
“the PIO and CIO work together to support the COO to improve agency cybersecurity performance … The Role of the PIO is to assist the CIO with coordinating efforts across the agency while making sure the performance framework is in place to drive success.”
This section closes by calling on the PIO and CIO to ensure that cybersecurity priorities are part of agency strategic and performance plans, as well as budget submissions.
By bringing together a governance framework that includes both the senior officials responsible for overseeing program performance (the PIO) and those responsible for cybersecurity (the CIO), the CAP goal drives agencies to implement and oversee cyber activities not as a separate set of considerations after a program or mission is implemented, but rather as integral to the design and operation of programs. Cybersecurity leaders have long advocated building cyber into information technology projects, and agency actions under the Federal Information Security Management Act (FISMA) have seen significant progress on this over the last 10 years. The Cybersecurity CAP goal framework takes another step forward by setting a framework in place for building cyber considerations into the operation and success of mission-focused activities via the PIO-CIO linkage, reporting to the COO.
As the CAP summary notes, agencies still have a ways to go to reach the success metrics identified for this goal. But this new emphasis on bringing cybersecurity into the mainstream of agency operations – similar to how private sector leaders have brought cyber into the Boardroom – lays a foundation for success in the future.