The ability of Federal agencies to improve their cybersecurity – if at all – took center stage in the 14th edition of the FITARA Scorecard issued by the House Oversight and Reform Committee on July 28. The House Government Operations Subcommittee, on the same day, explored reasons behind the apparent void of agency performance data in a sometimes-contentious hearing.
Pieced together from numerous sources, the picture is that a combination of executive branch and congressional efforts is in play – mostly behind the scenes – to rework how the government evaluates agency cybersecurity performance and improvements.
The outcome of that effort – along with further changes in grading categories – is likely to give the House Oversight and Reform Committee much better data to work with on future scorecard efforts as it grades agencies not only on security progress, but on a host of other important IT-related measures.
Finally, private-sector tech experts from Databricks, Software AG, and Quest Software offered up a list of scorecard category and structural policy improvements that they believe will help Federal agencies speed progress toward better cybersecurity and IT efficiency.
Scorecard Thumbnails
First, a brief look at how agencies did on the latest FITARA Scorecard – the grading exercise started by the committee in 2015 to rate the 24 largest Federal agencies on an evolving list of IT challenges.
- Agencies trended toward lower grades versus the previous marks issued in late 2021, with eight agencies showing declining grades, one agency improving, and 15 hanging steady.
- No agency got a failing grade, although two of them – the Defense Department (DoD) and the Transportation Department (DoT) – came close with “D+” overall grades. Only one agency – the U.S. Agency for International Development (USAID) – received an overall “A” grade, matching its grade from the December 2021 scorecard. The other 21 agencies received grades in the “B” and “C” range.
- A deeper look shows that the downward trend in grades had less to do with specific agency performance for the first half of 2022 and more to do with scorecard category and methodology changes by the committee. Those changes include the removal of grading for compliance with the Data Center Optimization Initiative (DCOI) and more importantly, the absence of data available to the committee to help figure out cybersecurity-related grades.
- The committee said that if it had used the same methodologies and categories that it employed with the December 2021 scorecard, then four agencies’ grades would have improved, and 20 agencies’ grades would have remained the same.
Congressional Consternation
House Government Operations Subcommittee members were anything but happy with the declining trend in grades, and with one of the primary reasons behind it – the lack of enough agency cybersecurity data to assign firm grades.
Subcommittee members pinned the blame on the Office of Management and Budget (OMB) for failing to comply with its statutory obligation to deliver key agency-specific cybersecurity data derived from compliance with the Federal Information Security Management Act (FISMA). Because of that, the committee members said, they were forced to rely on a smaller amount of data to assign the cybersecurity-related grades on the latest scorecard.
Rep. Gerry Connolly, D-Va., chairman of the subcommittee, chided both OMB and the Biden administration, pointing to OMB’s failure to produce an annual report covering agency inspector general FISMA assessments, and to the administration’s failure to produce cybersecurity cross-agency priority (CAP) goals this year.
“What … must be dealt with is the lack of data transparency for agency cybersecurity performance,” Rep. Connolly said. “The administration has only itself to blame for the grades we see in this metric today,” he said, referring to ten of the 24 agencies receiving a failing grade in the FISMA-driven cybersecurity category.
Rep. Jody Hice, R-Ga., ranking member of the subcommittee, blasted the Biden administration for failing to deliver the needed agency-level cybersecurity data. “Obviously, the major issue that stands out is the cyber metric,” he said. “But more importantly to me, what stands out is the Biden administration ignoring the law.”
“Since a cyber grade was included on the FITARA Scorecard, it has included an assessment of agency progress against cyber-related goals set by the administration,” the congressman continued. “These were generally part of a larger set of cross-agency priority goals, which are required by law, but the grades for the scorecard here did not reflect any cyber goals from the Biden administration, because they haven’t issued any.”
“And while we’re at it, the Biden administration has not delivered the annual cybersecurity report required by FISMA. So when it comes to the most important topic that we’re dealing with here today – cyber – we don’t have much of an idea of what’s going on,” Rep. Hice said. “It’s very, very frustrating.”
Breaking the Cyber Data Logjam
Based on comments at the July 28 hearing and elsewhere, however, there are good reasons to believe that higher-quality agency cybersecurity data will be available by the time the House Oversight and Reform Committee issues the 15th version of the FITARA Scorecard, either late this year or early in 2023.
Sources at OMB told MeriTalk that the agency is still in the process of determining what data can be publicly disclosed to enable greater visibility into agency cybersecurity without putting agencies at risk of exposing vulnerabilities. OMB is working on that task along with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Director.
Carol Harris, director of information technology and cybersecurity at the Government Accountability Office (GAO), said at the hearing that GAO is “working with [subcommittee] staff, with OMB, and the agencies to identify data – both public and sensitive – to support a more comprehensive grade” in the cybersecurity category.
“But in the meantime, we need to have clear and measurable CAP goals in place because it’s the law,” Harris insisted.
Near the conclusion of the hearing, Rep. Connolly struck a more hopeful tone, saying he was “heartened” by a discussion with OMB officials about the issue. “We will fix the cyber problem,” he predicted, adding that “the subcommittee looks forward to working with all stakeholders to populate the [cybersecurity] category with more robust data that captures Federal agencies’ cybersecurity posture.”
OMB spokeswoman Isabel Aldunate indicated the agency also is looking ahead to the next generation of agency cybersecurity data.
Speaking of the current way that agency cyber grades are determined, she said, “these grades for Federal agencies are based on an outdated, compliance-oriented approach and no longer reflect the progress agencies have made, which is why we’re working with Congress to recommend an approach that reflects the rapidly evolving nature of the threats that agencies face.”
“We’ve already made significant progress transforming the Federal Government’s approach to cybersecurity and addressing long-standing, entrenched challenges – and that critical work is moving full-speed ahead,” she said.
“Turning to the future of cyber, this subcommittee eagerly awaits the new and improved data behind the Biden administration’s priority goals detailed on Performance.gov,” Rep. Connolly said. “I, and many others, look forward to hearing from OMB about the administration’s new cyber strategy, which will help agencies remain resilient and adapt in the ever-changing cyber landscape.”
FISMA Reform Wildcard
Separate from the tussle between OMB and the subcommittee, another big wildcard in the debate over the provision of Federal agency cybersecurity scores remains possible congressional action to reform the current FISMA statute, which dates back to 2014.
Both the House and Senate approved separate FISMA reform bills earlier this year, and the Biden administration supports an update to the law, but neither bill has yet made it over the finish line.
Broadly, the FISMA reform legislation in both the House and Senate bills would put CISA more firmly in charge of Federal civilian agency security and wrap the National Cyber Director and OMB more tightly into cybersecurity policy-setting.
The bills also would codify into Federal law some aspects of President Biden’s cybersecurity executive order issued in May 2021 and put into motion penetration testing of Federal civilian networks.
Coming Scorecard Changes
No matter the outcome of efforts to get better data in place for cybersecurity grading, the FITARA Scorecard is continuing to evolve based on grading category changes by the House Oversight and Reform Committee.
Gone from the scorecard as of earlier this year were agency grades for compliance with the Data Center Optimization Initiative (DCOI) – after all 24 agencies had earned “A” grades.
Rep. Connolly indicated at the July 28 hearing that those may be replaced by a similar category that measures data center consolidation. The committee provided a “preview” version of how those grades might work out for current agencies. The congressman also mentioned a possible category to measure agencies’ use of cloud computing services but did not provide many other details.
GAO’s Harris also suggested at the hearing the value of a future category that would measure how agencies are replacing “legacy” IT systems.
Also departing from the scorecard will be the long-standing category of whether Federal agency CIOs report directly to agency secretaries or deputies; most of the agencies are now doing so.
Industry’s Ideas for Category Changes
We asked experts at leading government technology providers to help us better understand the latest FITARA Scorecard, and found that they are looking well beyond the latest tussle about cyber data, and toward a new generation of categories to measure.
Jeff Chancellor, Principal Systems Engineer at Software AG Government Solutions, said the lower grading trend on the latest scorecard was not a big surprise given the DCOI category’s retirement, but he said he thinks the committee should move toward a new “Workforce Skills and Capabilities” category.
That type of category, he said, “may be coming later as there have been significant changes in the way technology is deployed and enabled.”
“Teleworking has become the norm for many companies, and when technology solutions are enabled to support teleworking, then there has to be more training and investment in workforce skills and their abilities to ‘self-serve’ how they consume these changes in tech,” he said.
As for other new FITARA scoring categories that may be in the offing, Chancellor said that some of those “hint at better collaborations across agencies, but getting a meaningful measure on the degree and value of collaborating is difficult. I would like to see more measurements around common data/metadata management and the protection at the data asset level. Perhaps this will be coming with iteration 15 of the FITARA Scorecard, with others to measure workforce skills and effectiveness.”
Howard Levenson, VP at Databricks Federal, said the time is ripe for the FITARA Scorecard to measure how agencies are centralizing data assets in public cloud services – both for the sake of security and efficiency.
“Ultimately, for the government to make dramatic security improvements, in order to reduce costs, and make more effective use of data, FITARA must be expanded to drive the centralization of data assets in public clouds consistent with ‘Cloud Smart’ policy,” he said.
Tying in cloud migration with Federal data center consolidation goals, Levenson said, “while the net new data centers are declining, congressionally mandated ‘programs’ are creating new data assets in new data centers, often leveraging colocation centers. These new environments lead to the development of more, not fewer, ‘islands’ of data resulting in a broader attack surface area, and a more distributed data environment.”
Finally, Levenson said he was not surprised to see only limited improvements by some agencies on the latest FITARA Scorecard, given funding limitations at agencies. “While Congress intends to give the CIOs more authority, the ultimate authority comes from the funding, and there remains program funding, outside of the control of the CIO,” he said.
Cyber Scoring and Beyond
Commenting on debate over Federal agency cybersecurity progress, Levenson took a wider view of the underlying IT systems and the time it takes to get cloud systems certified for agency use.
“Vulnerabilities are discovered on almost a daily basis,” he said. “Legacy systems are not scrutinized as closely and are patched less frequently. Eliminating legacy systems has the benefit of driving more workloads to public clouds which are inherently more secure than legacy on-premise systems.”
“The government talks a lot about the ‘risk management framework,’ but in fact, there is no way for Federal agencies to easily migrate to modern applications when the authorization process is fundamentally broken,” he said. “According to Statista, there are roughly 25,000 SaaS applications in the industry, yet only roughly 200 have been FedRAMP certified, and less than 10 percent of those meet the DoD’s IL5 requirements.”
“The current authorization process for SaaS vendors is incredibly expensive, time-consuming, and fundamentally broken,” Levenson continued. “It’s virtually impossible for the government to move to modern, cloud-based, SaaS applications, resulting in a slow modernization process, trailing commercial industry and best security practices.”
“Changing the FITARA Scorecard is the dressing,” he said. “Changing the authorization process and accelerating access to modern COTS solutions is the change that is required.”
“There has been a significant shift in mindset by the adversary; today, every target is a value target,” commented Chris Roberts, federal technology director at Quest Software.
“That makes security broader than just an IT responsibility,” he said. “We now recognize the role that every user and corresponding endpoint plays within the complete information security model for operations. You can’t effectively secure something if you don’t know where or what it is.”
“In other words, a full inventory of assets and users is a critical first step,” Roberts said. “Without that, full security will remain elusive.”
On the cybersecurity grading front, Chancellor said that “changes in cybersecurity are a critical step to ensuring not only are the agencies taking steps to ensure operations, but also that their workforce has the necessary precautions to work-from-home/work-from-anywhere.”
“So many new attack schemes have surfaced that make it difficult to keep secure data from slipping into the wrong hands while teleworking,” he said. “We now have to extend the boundaries beyond the offices out to where the employees live. And with mobile applications on smart devices, there have to be specific actions to remove them as an attack surface.”
The Software AG official also talked about the enduring value of older, legacy IT systems, and the need to replace them over time. “We have to remember that there are still mainframes running hundreds of millions of transactions reliably every year throughout the government,” Chancellor said. “Technology vendors are providing better and faster integrations to critical mainframe capabilities while strengthening the borders that protect such critical systems. However, legacy solutions that have outlived their business value and that require specialized skills to maintain are prime targets for retirement and subsequent removal from the operational landscape.”