Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Influencer II

US Cybersecurity Risk report

Every incoming US president seems to set up a committee to look into, and make recommendations for, computer/information/cyber- security.

In due course these committees issue their reports.  A standard feature has been the recommendation that there be more exchange of information.  Business usually welcomes this until they realize that "exchange of information" means business tells the government everything, and government tells the rest of the world nothing.

Since the report this time comes from the Office of Management and Budget, it only addresses government agencies, and, I am delighted to say, doesn't mention "exchange of information."

This report is a mere 22 pages long, which must be some kind of record for brevity.  Of course, being only 22 pages long, it can only mention four points.  They are:

1) (US Federal) Agencies don't understand security, and don't have the capability to address it.  The action OMB suggests to fix this, is to get everyone to use the Cyber Threat Framework, which is NIST publication 800-37, the Risk Management Framework to Federal Information Systems.  Like all NIST publications it is a comprehensive piece of work, and completely unsurprising to anyone who has ever applied a development lifecycle to security.

2) Agencies haven't standardized security.  Agencies should standardize security.

3) Agencies don't know what it happening on their networks.  Agencies should a) consolidate to a Security Operations Center (SOC), or b) migrate to SOC-as-a-Service.

4) Security isn't standardized (see point 2).  So agencies should do risk assessments and report on a quarterly basis?  Are they ever going to do any other work?  And, given the concern with standardization elsewhere in the report, it is odd that there is no mention in this section of a standard for risk assessment, risk assessment reporting, or metrics to be reported.

If anyone has any illusions about the utility of government security reports, this will be disappointing.  As it is, it's merely useless.


Other posts:

This message may or may not be governed by the terms of or
1 Reply
Community Champion

+RMF tag to conversation.


I'm contracted to DoD for RMF.  The project I'm assessing had no security engineered into it during it's whole development process.  Now regulations dictate that the system has to be scrutinized for security under RMF.  It's not going well.

I understand the need for the RMF process.  It is definitely one critical component (domain!) in security. I wonder if systems formerly assessed under DIACAP should be rolled up into RMF as is and have RMF be part of any new system being proposed versus trying to apply a policy and process on a system that is on the backstretch of the race.

Not only was CISSP required but so was (ICS)2 CAP.  The CAP cert. should be a must if you are working RMF.