With the release of the fourth FITARA scorecard, we saw agencies stall on progress – more agency grades declined than improved, and 15 agencies’ grades remained neutral.
One shining star was the United States Agency for International Development (USAID) – the first agency to ever receive an overall A. How did they do it? According to a USAID official, they focused hard on transparency and risk management – where they received an “A”. This was not the case for most of their counterparts however, as 14 agencies received a “C” or lower in that category.
Risk management is one of the more difficult areas for agencies to see success, but every CIO should be using the National Institute of Standards and Technology (NIST) Framework in that area. NIST recently released an updated version of the Framework for public comment, in the hopes that it would be easier to utilize and implement.
These were the most notable changes to the updated version:
- Refined managing cyber supply chain risks – framework now has a common vocabulary so agencies working on cyber supply chain projects can clearly understand cybersecurity needs.
- Revised “Identity Management and Access Control” category – framework now has clarified and expanded definitions of the terms authentication and authorization; added and defined the concept of “identity proofing”.
- Introduced measurement methods for cybersecurity – framework now gives guidance on how to measure how well an agency is reducing risk and identifies overall agency benefits.
NIST has been gathering feedback on the Framework changes, and is expected to release the final version this fall. Hopefully, federal CIOs can use the updated Framework to effect positive change on their cybersecurity and risk management projects – and in turn, see an upward tick in grades when the next scorecard is released in December.
Learn more about Dell EMC’s portfolio of cybersecurity capabilities for government: https://www.rsa.com/en-us/research-and-thought-leadership/security-perspectives/government-solutions.