The focus on Federal agency cybersecurity scores in the 14th edition of the FITARA Scorecard released last week – and the lack of enough data from the government to allow the House Oversight and Reform Committee to get a good fix on how agencies performed on cybersecurity during the first half of 2022 – caught the eyes of private sector technology executives who said the government needs to do more to help agencies boost security.
First, a brief catch-up on the FITARA Scorecard 14 results:
- The 24 largest Federal agencies trended toward lower grades, with eight agencies showing declining grades, one agency improving, and 15 hanging steady from the marks they received in December 2021;
- The downward trend in grades had less to do with specific agency performance for the first half of 2022 and more to do with scorecard category and methodology changes by the committee. Those changes include the removal of grading for compliance with the Data Center Optimization Initiative (DCOI) and the absence of data available to the committee to help figure out cybersecurity-related grades.
- The lack of required cybersecurity performance data emerged as a major pain point for leaders of the House Government Operations Subcommittee, who chastised the Office of Management and Budget (OMB) for failing to make sufficient data available. For its part, OMB said it was still in the process of deciding – along with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Director (NCD) – what kinds of agency cyber data should be made public or kept confidential for security reasons.
Industry Experts Weigh In
“The overall downtick in the FITARA 14.0 Scorecard highlights the cybersecurity progress that still needs to be made at the federal level, and emphasizes the critical need for further cyber investments and funding,” said Gary Barlet, Federal Field CTO at Illumio.
Mike Wiseman, Vice President, Public Sector, at Pure Storage, agreed, saying that “the FITARA 14.0 scorecard continues to highlight the importance of cybersecurity protection and the implementation of modern systems.”
Barlet said funding for Federal agency security improvements remains a key ingredient for any further progress. “Last year’s Cybersecurity Executive Order, among other directives, led agencies in the right direction, pushing security teams to implement Zero Trust strategies like Zero Trust Segmentation, to stop attacks from spreading laterally throughout the network to dramatically limit their impact,” he said.
“But the main challenges to fulfilling these directives remains the lack of funding and prioritization,” Barlet said. “As we face increasingly sophisticated threats that pose dire risks to any agency, it’s critical that the federal government prioritizes and invests in building cyber resiliency from the inside out.”
“This shouldn’t be about getting a good grade on their scorecard, but because the impact of a federal agency being offline or compromised can be detrimental to the everyday lives of U.S. citizens,” he said.
Wiseman advised that Federal agencies look to add systems that feature broad flexibility as they move toward further security improvements.
“As agencies look to acquire, deploy, and sustain systems, IT leaders should drive toward systems that offer the broadest flexibility and efficiency to prevent next-gen threats and adapt as needs fluctuate,” he said. “One size does not fit all in IT, and many agencies find themselves struggling to acquire technology in ways that fit their operational models while remaining adjustable and secure for the future.”
“With the ever-growing threat of a ransomware attack or data breach, personalized solutions with rapid recovery ensure that agencies can protect sensitive data and avoid major organizational and service delivery disruptions,” Wiseman counseled. “By investing in agile and adaptable technology systems, leaders can take an active role in prioritizing the digital shift, now is the time to invest in solutions that maximize data security and advance agency missions.”