GAO: Only 8 of 22 Federal Agencies Comply with Cyber Risk Management Requirements
During 2012, only eight of 22 major government agencies complied with cybersecurity risk management requirements mandated under the Federal Information Security Management Act (FISMA), down from 13 out of 24 in 2011, a top official from the General Accounting Office (GAO) told the Senate Homeland Security and Governmental Affairs Committee today during a hearing. Citing a little-noticed report that the GAO issued last month, Gregory C. Wilshusen, Director of Information Security Issues at GAO, said that President Obama's cybersecurity executive order, also issued last month, is a good step but must be integrated into an "overarching strategy that includes a clearer process for oversight of agency risk management," based on the study's examination of weaknesses in the federal government's own cybersecurity practices.

The main attraction of the hearing, aimed at examining the executive order, was Department of Homeland Security (DHS) Secretary Janet Napolitano, who said that the just-imposed sequester cuts will no doubt disrupt DHS' cybersecurity efforts. "We do not have the luxury of making significant reductions to our capabilities without having significant impacts," she said.

Patrick Gallagher, Under Secretary for Standards and Technology at the Department of Commerce, said that Commerce's National Institute of Standards and Technology (NIST), which is charged with developing a comprehensive cybersecurity framework under the recent executive order, will likely not be as disrupted by the sequester cuts when it comes to getting that framework out the door. "I am hopeful that there is a very minimal impact on our ability to deliver the framework," he said.

NIST plans to host at least four workshops in order to develop the final draft of the framework within the one-year deadline established in the order, with the first workshop slated for April 3 at NIST facilities in Gaithersburg, MD. But how easily NIST will be able to get its arms around the thorny and intricate topic remains to be seen.

NIST plans to model its process on its earlier efforts to develop standards for the smart grid and cloud computing, although far more people will probably be involved in this cybersecurity effort, Gallagher said. "In the case of smart grid, we were up to over 1,600 people [involved in developing the standards] and this is broader than that."

Biggest Challenge for Cybersecurity Executive Order: Herding All the Cats
Department of Homeland Security Secretary Janet Napolitano is about to testify today before the Senate Committee on Homeland Security and Governmental Affairs regarding the President's February 12 cybersecurity executive order. As I've mentioned in the past, the cybersecurity scene in Washington is a labyrinth, and the recent EO only promises to make it much more so.

By my reckoning there are 15 government departments, agencies or offices responsible for implementing it, each to varying degrees. They are:
  1. Administrator of General Services
  2. Attorney General
  3. Department of Agriculture (Named via Sector Specific Agency references)
  4. Department of Commerce's NIST
  5. Department of Defense
  6. Department of Energy (Named via Sector Specific Agency references)
  7. Department of Health and Human Services (Named via Sector Specific Agency references)
  8. Department of Homeland Security
  9. Department of the Treasury (Named via Sector Specific Agency references)
  10. Director of National Intelligence
  11. Environmental Protection Agency (Named via Sector Specific Agency references)
  12. Federal Acquisition Regulatory Council
  13. National Security Agency
  14. Office of Management and Budget
  15. Privacy and Civil Liberties Oversight Board

And the order covers 16 critical infrastructure industries. They are:
  1. Chemical
  2. Commercial Facilities
  3. Communications
  4. Critical Manufacturing
  5. Dams
  6. Defense Industrial Base
  7. Emergency Services
  8. Energy
  9. Financial Services
  10. Food and Agriculture
  11. Government Facilities
  12. Healthcare and Public Health
  13. Information Technology
  14. Nuclear Reactors, Materials, and Waste
  15. Transportation Systems
  16. Water and Wastewater Systems

If I were on the Homeland Security Committee, I'd be asking a lot of questions about how DHS plans to herd all these cats through the labyrinth on such a complex subject. Stay tuned for an update on the hearing itself.