Cybersecurity Maturity, FISMA, and the FITARA Scorecard

Criterion | Cybersecurity CoE

By Dan Chandler, CISO

The Federal Information Technology Acquisition Reform Act (FITARA) was passed and signed into law in December 2014. It requires the heads of Federal departments and agencies to ensure that their respective CIOs have a significant role in all information technology decisions, including cybersecurity, which was added in FY 2017.

The US House Oversight and Reform Committee recently released its latest FITARA scorecard, which measures the progress of the 24 largest Federal agencies in managing their IT portfolios more effectively and efficiently. Scorecard 8.0, as it is known, includes for the first time a cybersecurity score reflecting compliance with FISMA (the Federal Information Security Modernization Act of 2014) and the Presidential Cross-Agency Priority (CAP) goals. The results are clear: most agencies are not doing well in this category (the highest grade, a B, was earned by only three agencies).

Congress enacted FISMA to improve federal cybersecurity and clarify government-wide responsibilities. The act promotes security tools that continuously monitor and diagnose the security posture of federal agencies and provide improved oversight of security programs. It also clarifies and assigns additional duties to entities such as OMB, DHS, and the Federal departments and agencies. CAP goals, in turn, are a tool leadership uses to accelerate progress on a limited number of Presidential priority areas, including cybersecurity, where implementation requires active collaboration among multiple agencies. Long-term in nature, CAP goals drive cross-government collaboration on management challenges that affect most agencies. They are updated or revised every four years with each Presidential Administration's term.

  • Why it’s important: The increasingly sophisticated threats and frequent cyber incidents underscore the urgent need for effective cybersecurity.
  • Calculation: This area combines the assessments of agencies' Inspectors General (IG) and the cross-agency priority (CAP) cybersecurity goals, each weighted as half of the grade. For example, NRC's average IG assessment was 3.8 out of 5 (76%, a C), and the agency met 9 of the 10 CAP goal metrics (90%, an A). Averaged together (83%), those produce a B for this area.
  • Data source: OMB’s annual compilation of IGs’ FISMA reports and OMB’s quarterly cybersecurity CAP goals. Additionally, four agencies provided details of their IG’s assessments (DOC, Ed., HHS, and State).
  • Highest-rated agencies: Three agencies received a B.
  • Lowest-rated agencies: Four agencies received F grades.
  • GAO reports: GAO first identified federal cybersecurity as a government-wide high-risk area in 1997 (GAO-HR-97-9). Subsequently, GAO has updated and expanded the area (e.g., GAO-HR-97-1, GAO-03-119, and GAO-15-290) and continued to identify it as a high-risk area in its February 2017 update (GAO-17-317).

The FITARA cybersecurity score is built from two compliance-oriented inputs: the IG's FISMA assessment, which is a maturity rating, and the CAP goal metrics. You would expect a higher compliance/FITARA score to indicate a higher maturity level and therefore lower organizational cybersecurity risk. The problem is that organizational cybersecurity risk is driven to a large degree by factors these measures do not capture: the criticality of the organization's mission and business functions, its organizational culture, and its cyber threat environment. The bottom line? Compliance-based measures, while better than nothing, do not give a true picture of an organization's cybersecurity maturity. With current scores already this low, the real situation may be worse than the scorecard shows.

Cybersecurity Maturity Must Take Into Account the Dynamic Nature of Organizational Mission/Business Criticality and Its Cyber Threat Environment

Compliance-based measurement approaches cannot give an organization a clear picture of its maturity level. The environment is too dynamic, and such approaches do not take into account the organization's overall business strategy and mission.

To help organizations meet the challenge of improving cybersecurity maturity, Criterion offers its U.S. patent-pending CyberScale™ Compliance and Risk Management Solution. CyberScale™ provides a structured approach to enhancing the efficiency and effectiveness of an organization's cybersecurity and privacy (CS&P) program, operations, and/or systems. It includes a holistic view of cybersecurity maturity and risk impact throughout the enterprise. Organizations can then establish a baseline to manage and track cyber risk activities, set targets, and conduct "what if" planning to reach those targets. In the end, organizations are able to build, adapt, and implement a flexible roadmap to continuously improve cybersecurity maturity and resilience. And as a welcome side effect, their FITARA scorecard results will also improve.