“Our (cyber) adversaries are well equipped and agile. Our defenses must be equal to the
threat, and they are not.”

So concludes a new report from a group of former Office of Management and Budget officials and cybersecurity experts who argue OMB and the administration “have ample legal authority to adopt reforms that would materially reduce risk and enhance response” in protecting federal systems. The report urges OMB to take steps that would result in spending scarce taxpayer dollars on security programs that work.

The report, “Updating U.S. Federal Cybersecurity Policy and Guidance,” released Tuesday by the Center for Strategic and International Studies, reinforces the widely held belief that “as the threat to the cyber infrastructure on which the federal government and the nation relies grows, the urgency of investing wisely in protection against, detecting, mitigating, and recovering from cyber events takes on increasing urgency.”

Yet despite repeated efforts in Congress and by the Obama administration to develop more cogent and coordinated approaches to address cyber security threats, the federal government continues to fall short in using its existing authorities and levers to better protect the government’s and the nation’s critical assets.

“While one might argue that more resources need to be spent on cybersecurity in the current threat environment, the fiscal situation argues for first assuring that every dollar spent on cybersecurity be spent wisely and allow for more rapid adoption of cheaper and more efficient technologies,” the report said.

Clearly there is room for substantial improvement, conclude the report’s authors, Franklin S. Reeder, Daniel Chenok, Karen S. Evans, James Andrew Lewis and Alan Paller, all of whom have played important roles in framing cybersecurity recommendations for the federal government. Reeder, a former OMB official, is cofounder and director of the Center for Internet Security; Chenok, who once oversaw technology policy and budget for OMB, is executive director of the IBM Center for the Business of Government; Evans served as OMB’s administrator for e-government during the Bush Administration and now serves as national director for the U.S. Cyber Challenge; Lewis is a senior fellow and director of the CSIS Technology and Public Policy Program; and Paller is founder and director of research at the SANS Institute.

Chief among the report’s recommendations is the need for continuous monitoring of network operations. “The current regime of periodic reports and certifications requires (agencies) to spend tens of millions of dollars on reports and process that do little to enhance security. Agencies can better implement continuous monitoring through work led by chief information officers and chief information security officers,” the report’s authors said.

The report also notes that OMB hasn’t revised a key information management guidance document, known as Circular A-130, since November 28, 2000, well before the creation of the Department of Homeland Security, which has since emerged as a leading force in monitoring and coordinating cybersecurity matters across the government.

The report recommends that OMB consider:

  • using existing authorities to institute changes that would make government cyber assets more secure without spending more money;
  • revising definitions in OMB Circular A-130, from a technology-based system to an information assurance regime;
  • developing agency enterprise architectures that support strategic, business and technical views to help transition from paper compliance to a continuous monitoring approach;
  • promulgating a cybersecurity capability maturity model, similar to models used for software development;
  • recognizing and reinforcing the role of the Department of Homeland Security as a more central element in the implementation of continuous monitoring.

The report reiterates previous CSIS findings that “the historic distinction between civilian agency systems and national security systems no longer serves the U.S. interest” and remains “an anachronism.”

“In order to truly strengthen the nation’s security posture, it is imperative that we shift from the compliance methodologies to true performance outcomes,” the authors concluded.