Agency Security Audits: A Better Way?

Getting Parties to Agree on Controls to Be Scrutinized
Inspectors general and federal agencies are not on the same page with regard to annual information security audits, says Karen Evans, formerly the federal government's top IT executive.

Evans recently co-authored a paper for the not-for-profit SafeGov.org, which includes a recommendation that the White House Office of Management and Budget and Department of Homeland Security devise metrics that inspectors general can employ to assess the effectiveness of agencies' cybersecurity efforts.

At issue is the reliance of inspectors general on Special Publication 800-53, the catalog of 861 security and privacy controls published by the National Institute of Standards and Technology, when auditing government agencies. As a result, IGs often evaluate agencies on security controls that don't match up with controls used by agencies, Evans says.

A solution is identifying which controls should be applied, giving IGs and agency information security officers an agreed-upon baseline against which to measure progress in securing digital assets.

"To get them all to agree that it's the same metric, the same control and the same way you're going to measure it ... will allow you to have that picture across the board about what the federal government's risk posture is," Evans says in an interview with Information Security Media Group (transcript below).

Evans also addresses the three other recommendations made by SafeGov in its report, Staying Safe in Cyberspace: Cloud Security on the Horizon, which would have the:

  • Federal CIO Council's information security and identity management committee adopt and issue an integrated network architecture to address administration priorities;
  • FedRAMP's Joint Authorization Board require that all cloud service providers seeking government business under the Federal Risk and Authorization Management Program employ penetration testing capabilities;
  • White House Office of Management and Budget and Department of Homeland Security devise metrics that inspectors general can employ to assess the effectiveness of agencies' cybersecurity efforts.

Evans is national director of the U.S. Cyber Challenge, a program focused on building the nation's cybersecurity workforce. During the administration of President George W. Bush, Evans served as administrator for e-government and information technology at OMB, a position now known as the federal chief information officer. Earlier in her career, she served as the Energy Department's CIO.
