Federal agencies are now required to report on agency-wide risk mitigation and management using the NIST Cybersecurity Framework—within 90 days. Here’s how to make that happen.
On May 11, President Trump issued an Executive Order (EO) that targets “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The EO mandates that each executive agency evaluate the status of its cybersecurity policies and practices using the NIST Cybersecurity Framework (CSF) and report it to the Office of Management and Budget (OMB) within 90 days!
Learning how you stack up against the NIST CSF usually requires hiring large consulting firms who fan out a small army of people equipped with spreadsheets full of questions. Each consultancy has their own proprietary materials, the full process takes several months, and the result may be 200-300 pages of detailed information about the organization’s cybersecurity practices, with scores of recommendations. Finding, hiring, and scheduling the firm, then completing the assessment and deciding on an improvement plan is a slow process.
Using this typical method of risk management, having a governance plan in place within 90 days is a daunting task.
What if the requirements of the EO could be met rapidly, using an automated, online system that assigns inquiries to the most knowledgeable person? What if the initial assessment could be completed in 30 days, instead of 90, leaving time to build out plans for improvement?
The Cybernance Platform automates the NIST CSF through a unified SaaS solution that eliminates the need for synchronizing and combining multiple spreadsheets full of data. Customers are given a 30-day success plan, and are capable of completing the initial assessment in even less time.
How does the Cybernance Platform match up against the EO’s requirements? The table below compares key requirements with Cybernance’s capabilities:
|1||Provide a risk management report||1 (c) (ii)||Reporting in three modes:
|2||Within 90 days of the date of this order||1 (c) (ii)||Initial assessment can be accomplished within 30 days or less|
|3||Describe the agency’s implementation of the Framework||1 (c) (ii)||Reporting of alignment with 385 controls supporting the Framework in three modes:
|4||Document mitigation and acceptance choices and explicitly document any accepted risk from unmitigated vulnerabilities||1 (c) (ii)||Unaddressed controls are added to a prioritized list of pending actions representing potential risk mitigation. Each item in the list can be documented in detail with planned mitigation or acceptance decisions.|
|5||Director of OMB shall assess each agency’s risk management report||1 (c) (iii)||Agency reports are presented in a common and easily comprehensible format. The common format enables comparisons across agencies by NIST dimensions and functional domains so that instances of common remediation needs can be combined into cross-agency projects when determined as appropriate.|
|6||Director of OMB shall establish a regular reassessment and determination process||1 (c) (iv) (B)||The SaaS system used for assessment also serves as an ongoing monitoring system that can be viewed regularly by OMB and the executive branch staff. Reporting functionality in the SaaS system allows for flexible reporting and comparisons of progress across three NIST dimensions and 10 functional domains. Determination of remediation projects are made based on this input.|
|7||Agency Heads shall show preference in their procurement for shared IT services to the extent permitted by law, including email, cloud, and cybersecurity services||1 (c) (v) (A)||This solution is a cloud-based cybersecurity assessment and monitoring service that uses email extensively for communication and notification. It is housed entirely in the cloud and requires no connection inside each agency’s network, so implementation is very straightforward and efficient.|
Comprehensive information based on almost 400 controls is aggregated during the assessment. Based on this comprehensive data, automated reporting delivers three high-level views of the agency’s cyber maturity to the OMB:
- Overall Score – A summary score reflects the general conformity of the agency with the NIST CSF controls. As improvements are put in place, it can be used to gauge the agency’s movement toward greater resilience.
- Three Dimensions – The NIST CSF views cyber risk through the lens of three key dimensions: Risk Management comprises the policies, processes, and policies normally associated with good cyber hygiene; Risk Culture represents how responsibility is distributed across multiple functions of the organization beyond IT and Security (e.g., HR, Procurement); and Risk Influence reflects the proficiency with which the agency manages risk that can be introduced through third parties (e.g. vendors). The agency’s status report is broken out by these dimensions.
- Ten Domains – A key consideration of an assessment is how best to allocate responsibilities to enable efficient reporting and management. The Cybernance Platform assigns each question and action to one of ten domains, each owned by the person most knowledgeable about resources associated with that domain: Risk Management, Asset Change & Configuration Management, Identity & Access Management, Threat & Vulnerability Management, Situational Awareness, Information Sharing & Communication, Event & Incident Response/Continuity of Operations, External Dependency Management, Workforce Management, Cybersecurity Program Management. The owner of each domain can reassign responsibility for each inquiry to the individual best suited to handle it. This enables the agency’s status to be reported within each of these 10 key domains, along with the overall score and reporting by the three dimensions.
With the OMB’s new oversight responsibility, the organization will now be challenged to find a way to show overall health trends of all federal government agencies’ cyber risk. For all agencies that choose to use the Cybernance Platform, OMB can incorporate them into a single “portfolio view” across the executive branch. The OMB will be able to roll multiple reports into a portfolio view in order to identify areas of strength and weakness across the branch, compare the combined status of the executive branch across the three dimensions, and review other compare-and-contrast analyses.
A standard manual assessment usually produces a static report that includes recommended next steps, but its utility ends there. In contrast, the Cybernance Platform is a dynamic internal control system used to manage cyber risk. After the initial assessment is complete, the system begins guiding the agency toward greater cyber resilience by continually suggesting recommended actions. These actions are prioritized according to the NIST CSF. The three methods of scoring are updated in real time so the agency can monitor its progress clearly and report periodically to OMB in a standardized format.
Many agencies likely find it hard to see admiration in the purpose of the EO through the stress it’s caused. However, its efforts to create a cultural shift towards stronger cybersecurity in federal government is important, and it’s what we need both as a government and as a society to protect our organizations from increasingly sophisticated cyber crime. With Cybernance, it’s easy to meet this culture shift head on, and be compliant well before the deadline.