Agency Scorecards Important in Cybersecurity Budgeting, Feds Say

Michael Johnson, CIO of the Department of Energy, addresses the 2016 Cyber Security Brainstorm on Sept. 13. (Photo: MeriTalk)


Strategic plans and scorecards are essential to budgeting effectively for their cybersecurity needs, agency officials said.

Michael Johnson, CIO of the Department of Energy, said the agency uses the DOE Cyber Strategy for information sharing and safeguarding, using multifactor authentication, and focusing on research and development.

Jack Wilmer, Infrastructure Development Executive at the Defense Information Systems Agency, speaks at the 2016 Cyber Security Brainstorm in Washington, D.C., on Sept. 13. (Photo: MeriTalk)

“If we get one more dollar, we already know where we need to invest that,” Johnson said Tuesday at MeriTalk’s Cyber Security Brainstorm in Washington, D.C.

The DOE also uses its own cybersecurity scorecard to determine where investments need to be made. In the event of a breach, the DOE has a cybersecurity system that will ensure the best responses are deployed in the right places.

The DOE also has a unified training regimen across the department for all cyber-operators and uses Cyber FIRE exercises, which are games used to train employees on cybersecurity. The DOE also explains the importance of cybersecurity to the mission owners in the agency to increase understanding between those officials and the information technology professionals.

Jeff Eisensmith, CISO of the Department of Homeland Security, said the agency uses the Cybersecurity Maturity Model to evaluate the maturity of the department alongside its defense-in-depth chart.

Eisensmith also uses his own scorecard to evaluate DHS.

“I say here’s the bar for the department this year and every year the bar goes up,” Eisensmith said.

Officials within the DHS aren’t obligated to use Eisensmith’s scorecard, but he recommends that they do to gauge their performance.

“If you’re not doing well on my scorecard, there’s a guaranteed trip before Congress to explain why you’re not doing well,” Eisensmith said.

Eisensmith said that employees are the most vulnerable to allowing malware to infect their systems.

“It’s no longer a good bet to assume that our users will not be fooled by a really well-crafted spear phishing attack,” Eisensmith said.

Because of this, Eisensmith said that agencies should continue to mandate updated training.

Jack Wilmer, infrastructure development executive at the Defense Information Systems Agency, said that rapidly deploying new technology through an efficient procurement process is on his wish list for Federal government IT.

“The bulk of the innovation we’re doing is leveraging what industry is doing,” Wilmer said.

When DISA finds a gap in its cybersecurity capabilities, it reaches out to a startup to acquire the capability and bring it to full production deployment, a process that is hindered by the government’s slow procurement cycle.

DISA trains its employees on cybersecurity by posing a cybersecurity question every morning as they log into their computers. If the employees answer too many questions incorrectly by the end of the week, they’ll be sent to mandatory cybersecurity training.

DISA also uses the Defense Department’s scorecard to look at the metrics of its cybersecurity capabilities. DISA uses its budget to fill the most important gaps, according to Wilmer.

“The threats are evolving but the capabilities in the space are as well,” Wilmer said.

One Comment
  1. Anonymous
    Nice knowledgeable article. Thanks all.