The Situation Report’s Rhode Island Avenue listening post has picked up strong signals that President Donald Trump’s executive order on cybersecurity may still be weeks, if not months, away from hitting the street in final form.
After two draft versions leaked in rapid succession (the first of which was not even close to being ready for prime time), the White House finds itself struggling to define the metrics it will use to hold agency leaders accountable. After 15 separate reports and 175 detailed recommendations, the metrics that will be used to determine agency adherence to the National Institute of Standards and Technology’s Cybersecurity Framework remain “something that we’ll know when we see them,” according to Thomas Bossert, the assistant to the President for Homeland Security and Counterterrorism.
The building blocks for those metrics will be increased reporting by agency heads on how they are applying the NIST Framework to manage their risk.
“We’re going to go through a thoughtful approach that requires Federal departments and agencies to adopt and implement the cybersecurity framework developed by NIST and any subsequent iteration of that document,” Bossert said, speaking at an event Wednesday sponsored by the Center for Strategic and International Studies in Washington, D.C. “Reporting your known and unmitigated risk will be a requirement moving forward.”
Agencies will be required to submit a report through the Department of Homeland Security and the Office of Management and Budget that will detail their progress in applying the NIST framework. “The idea there is to collectively render determinations on the adequacy of those mitigation strategies as management tactics, but also then it’s going to have to be done in some way that it [provides] a scorecard,” Bossert said.
But unlike the reports agencies currently generate under the Federal Information Security Management Act (FISMA), the new NIST framework scorecards will “probably not” be made public, according to Bossert. “The idea is to defend our crown jewels from a national security perspective and that will inherently be something that we don’t want to reveal to the public or our enemies.”
Although the metrics do not yet exist, Bossert pointed to the Office of Personnel Management as an example of how Federal cybersecurity will not be handled. “We all now know that an antiquated hardware system and an antiquated database software system holding millions and millions of important records to our national security was a bad approach,” Bossert said. “That was known and unmitigated risk, contemplated through the lens of one agency who had responsibility for their enterprise. It now needs to be looked at through the lens of the security of our nation and it has to be examined in addition to each agency…it has to be examined at a White House level to make sure that we’ve got a collective.”
According to Bossert, DHS will play a central “managed service provider role” as it works with agencies to identify risks, enforce standards, and deploy security protections across the government. And that will mean a greater reliance on private sector contractors and services.
“They’re going to have to reach out and get those resources from private industry and be receptive to that revolving door to some degree,” Bossert said.
“We can’t have resident in 190 or more Federal agencies the same level of zeal, passion, capacity, and capability that we can have in centralized places that provide managed services. I don’t think we would have the right money, the right skill set, and I think it would probably be a mistake for a lot of reasons,” he said. “So with DHS and with OMB helping us assess risk, we will then task back out to the departments and agencies, and we will rely heavily on private industry. I think that’s the only way to get and retain talent.”