Implementing the Executive Order

Meeting the Challenge

The recent Executive Order (EO) requires Federal agencies to report on agency-wide risk mitigation and management using the NIST Cybersecurity Framework (CSF), within 90 days!

What if the requirements of the EO could be met rapidly using an automated, online system that assigns inquiries to the most knowledgeable person?

What if the initial assessment could be completed in 30 days, instead of 90, leaving time to build out plans for improvement?

A Rapid, Comprehensive Assessment

Learning how your agency stacks up against the NIST CSF usually requires hiring large consulting firms that fan out a small army of people equipped with spreadsheets full of questions. Each consultancy has its own proprietary materials, the full process takes several months, and the result may be 200-300 pages of detailed information about the organization’s cybersecurity practices, with scores of recommendations. Finding, hiring, and scheduling the firm, then completing the assessment and deciding on an improvement plan, is a slow process.

To meet the EO, OMB needs each agency to provide an answer it can trust before the August deadline. Once OMB has a way to monitor and report improvements, agency leadership can engage consultants, managed services providers, and vendors to begin building cyber resilience and mitigating cyber risk. The Cybernance Platform gauges the agency’s cybersecurity status against almost 400 controls based on the CSF.

Meet OMB’s Requirements Smoothly and Rapidly

The Office of Management and Budget (OMB) wants to track all agencies in a uniform way so they can guide and encourage each one to take the unique steps required to improve its cyber maturity. The Cybernance Platform delivered by PointStream automates the NIST CSF through a unified SaaS solution that eliminates the need for synchronizing and combining multiple spreadsheets full of data. Customers are given a 30-day success plan, and most complete the initial assessment in even less time. The following requirements can be met within the required timeframe of the EO:

No. 1
  Requirement: Provide a risk management report
  Section: 1 (c) (ii)
  Capability: Reporting in three modes:
    1. Overall score that can be compared with other Agencies
    2. Status of implementation of the Framework within 3 NIST dimensions
    3. Status of implementation of the Framework across 10 management domains

No. 2
  Requirement: Within 90 days of the date of this order
  Section: 1 (c) (ii)
  Capability: Initial assessment can be accomplished within 30 days or less

No. 3
  Requirement: Describe the agency’s implementation of the Framework
  Section: 1 (c) (ii)
  Capability: Reporting of alignment with 385 controls supporting the Framework in three modes:
    1. Overall score that can be compared with other Agencies
    2. Status of implementation of the Framework within 3 dimensions: Risk Management, Risk Culture, Risk Influence
    3. Status of implementation of the Framework across 10 management domains: Risk Management, Asset Change & Configuration Management, Identity & Access Management, Threat & Vulnerability Management, Situational Awareness, Information Sharing & Communication, Event & Incident Response/Continuity of Operations, External Dependency Management, Workforce Management, Cybersecurity Program Management

No. 4
  Requirement: Document mitigation and acceptance choices and explicitly document any accepted risk from unmitigated vulnerabilities
  Section: 1 (c) (ii)
  Capability: Unaddressed controls are added to a prioritized list of pending actions representing potential risk mitigation. Each item in the list can be documented in detail with planned mitigation or acceptance decisions.

No. 5
  Requirement: Director of OMB shall assess each agency’s risk management report
  Section: 1 (c) (iii)
  Capability: Agency reports are presented in a common and easily comprehensible format. The common format enables comparisons across agencies by NIST dimensions and functional domains, so that instances of common remediation needs can be combined into cross-agency projects when appropriate.

No. 6
  Requirement: Director of OMB shall establish a regular reassessment and determination process
  Section: 1 (c) (iv) (B)
  Capability: The SaaS system used for assessment also serves as an ongoing monitoring system that can be viewed regularly by OMB and executive branch staff. Reporting functionality in the SaaS system allows for flexible reporting and comparisons of progress across three NIST dimensions and 10 functional domains. Determination of remediation projects is made based on this input.

No. 7
  Requirement: Agency Heads shall show preference in their procurement for shared IT services to the extent permitted by law, including email, cloud, and cybersecurity services
  Section: 1 (c) (v) (A)
  Capability: This solution is a cloud-based cybersecurity assessment and monitoring service that uses email extensively for communication and notification. It is housed entirely in the cloud and requires no connection inside each agency’s network, so implementation is very straightforward and efficient.

Cross-Agency Portfolio View

OMB’s new oversight responsibility means it must find a way to report on overall cyber health trends across all federal government agencies. OMB can incorporate all agencies opting to use the Cybernance Platform into a single “portfolio view.” This view enables OMB to identify areas of strength and weakness across the whole executive branch, evaluate the combined status of the executive branch with respect to Risk Management, Risk Culture, and Risk Influence, and review other compare-and-contrast analyses.

Dynamic Control System for Managing Cyber Risk

A standard manual assessment usually produces a static report that includes recommended next steps, but its utility ends there. In contrast, the Cybernance Platform is a dynamic internal control system used to manage cyber risk. After the initial assessment is complete, the system begins guiding the agency toward greater cyber resilience by continually suggesting recommended actions. These actions are prioritized according to the NIST CSF. Three methods of scoring are updated in real time so the agency can monitor its progress clearly and report periodically to OMB in a standardized format.

DHS-Vetted Through the SAFETY Act

The SAFETY Act is a federal law enacted to encourage the development and deployment of anti-terrorism products and services, including cybersecurity solutions. Cybernance is one of the few cyber risk governance platforms that has received SAFETY Act Designation from DHS.

Get Started Now

To find out more and get a jump start on the deadline, contact Cybernance directly at [email protected].
Optionally, order a trial of the Platform from the GSA Schedule entry for Cybernance.