How to Increase the Maturity Level of Federal Department and Agency Cybersecurity and Privacy Programs

Criterion | Cybersecurity CoE

How to Increase the Maturity Level of Federal Department and Agency Cybersecurity and Privacy Programs


By Dan Chandler, Cybersecurity Solutions Architect and Bob Heckman, CIO/CISO, Criterion Systems, Inc.

The challenges that Federal departments and agencies (D&As) face due to continuously evolving cybersecurity threats has been receiving growing attention throughout the recent years. However, there are three other challenges that are equally as important to address as Federal D&As seek to improve their cybersecurity and privacy (CS&P) programs. These are:

  • Increasing Federal CS&P related regulatory requirements, oversight, and guidance such as the new OMB Circular A-130
  • The accelerating move to a risk management versus a compliance approach
  • Growing resource and budget constraints

To be effective in this operational environment, Federal D&As must employ CS&P programs that focus on operating in cyberspace instead of just reacting to it. To do this successfully, they need innovative CS&P approaches, methodology, and best practices that address interoperability, usability, resilience, and privacy adapted to their unique mission and business environments.

Increasingly Regulatory Requirements and Oversight

There are several standards, methodologies, procedures, and processes which need to be combined and resolved in order to truly understand the as-is state of a Federal D&A CS&P program. These criteria include:

  • OMB
  • NIST (i.e. Special Publications, NISTIR, Cybersecurity Framework (CSF)
  • DHS
  • OIG

The challenge is that together, these criteria represent more than a thousand data points which are not necessarily easily compared with each other, therefore making it difficult to assess, analyze, understand, and model the current state of a Federal D&A CS&P program, not to mention planning a roadmap for maturing it. Federal D&As are also required to use these frameworks to manage, document, and report on the status of its CS&P program and organizational cybersecurity risk. Managing all these different requirements, standards, and guidance lends itself to an approach that is reactive and compliance-focused.

Risk Management vs. Compliance Approach

Federal D&As need a forward-thinking and flexible approach to optimizing their CS&P services so they are properly aligned to the organization’s stated, and/or approved risk appetite. However, it is difficult for a Federal D&As today to establish, monitor, and maintain its current CS&P posture, as they don’t have a common overarching taxonomy or mechanism to describe it (given it is determined through the intersection of multiple frameworks, standards, and criteria as described above). Then, they need to describe their target (to-be) state facing the same problem! Furthermore, mission/business drivers unique to each Federal D&A need to guide CS&P activities and be considered when identifying, verifying, and validating organizational CS&P risks.

It is difficult to identify and prioritize opportunities for maturing and improvement in this environment, if there are no continuous and repeatable processes. Nor is it possible to accurately assess progress towards the target state or use performance metrics linked to the organization’s mission/business success to guide operational behaviors.

Growing Resource Constraints

Maturing and improving a CS&P program demands a roadmap for improvements, including a combination of recommended hardware/software upgrades, operating environment upgrades; improvements in governance, policies, people, processes/procedures, and tools; and improvements in CS&P operational constructs. As Federal D&As are faced with growing constraints in budget and resources, these investments need to be carefully planned, budgeted, and justified. Without a methodological review of their current CS&P program state and flexible, continuous, and repeatable processes for monitoring, maturing, and improving the organization, these justifications are hard to come by and sustain.

The Solution: A CS&P Maturity Model that Reconciles Federal Standards and Industry Best Practices

The solution to these challenges is a comprehensive CS&P maturity model that is based on the NIST CSF and incorporates FISMA, OMB, DHS, and OIG criteria and annual reporting requirements, providing a common language to address and manage CS&P risks. With the problem of taxonomy solved, the CS&P maturity model would then provide a structured method to survey, analyze, document, manage, and enhance an organization’s CS&P program, operations, and /or systems. Potential steps of such a process would include:

  • Review and identify the current CS&P posture
  • Describe their target state
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
  • Assess progress towards the target state
  • Communicate among internal and external stakeholders about security risk

The use of a CS&P maturity model would also enable organizations to reduce and better manage CS&P risks while maturing their overall CS&P program. In the end, they will have an effective program designed for their specific mission and business environment that is flexible enough to respond as requirements, threats, vulnerabilities, technologies, and operational environments change. While this type of CS&P maturity model and toolset is not currently available, progress is being made, and Federal D&As can already start evaluating their current CS&P posture using current standards.

Learn more about Criterion’s CyberScale™ Compliance and Risk Management Solution here: