The latest Federal Information Technology Acquisition Reform Act (FITARA) scorecard is out. The good news: overall grades improved across agencies. The surprising news: not one agency's cyber score changed from the previous scorecard.
The cyber category is built from Federal Information Security Modernization Act (FISMA) criteria. It measures compliance and counts data points such as the number of reported incidents, but it says nothing about how those activities combine to actually reduce risk.
Adhering to security compliance requirements, many of which boil down to basic cyber hygiene, and to other best-practice frameworks does help reduce risk, but compliance by itself isn't enough. IT teams also need reliable, real-time data that gives them a complete view of their environment, so they can identify, assess, prioritize and remediate risks.
Improving your FITARA cyber scores
In a recent MeriTalk article, I discuss how federal agencies can manage potential cyber risks and strengthen their overall posture to improve future FITARA cyber scores.
The FITARA cyber score has two parts: the grade the agency's inspector general assigns to the agency's posture against the cyber maturity model criteria, and progress toward the Cross-Agency Priority (CAP) goals for modernizing IT to improve productivity and security.
Federal IT teams can advance their cyber posture, and with it their FITARA cyber scores, by ranking risks on three factors: the severity of the vulnerability, how long it has been open, and the value of the data or system exposed to the threat. A medium-severity flaw that has sat unpatched for months on a system holding sensitive data can deserve attention before a newly disclosed critical one on an isolated test box.
They should also pursue comprehensive visibility into their systems across the enterprise: end user, cloud and datacenter.
To get the real-time data that risk managers need in order to act on these threats, IT teams should evaluate their current toolset. That may mean upgrading or replacing inefficient legacy tools. Modernizing the toolset gives leaders a single, comprehensive view of the environment and closes the visibility and accountability gaps that disconnected point solutions create.
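The three-factor triage described above, worked through as an added example (this is not code from the article or from any agency or vendor tool). It assumes a severity scale of low/medium/high/critical, per-severity remediation windows in days, and an asset value from 1 to 5; all of those weights and thresholds are illustrative choices, as is the constructed list of findings, and an agency would replace them with its own policy values.

```python
from dataclasses import dataclass
from datetime import date

# Assumed weights and remediation windows (illustrative, not from the article).
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}
REMEDIATION_DAYS = {"low": 180, "medium": 90, "high": 30, "critical": 14}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str          # one of SEVERITY_WEIGHT
    first_seen: date       # when the vulnerability was first observed
    asset_value: int       # 1 (throwaway) .. 5 (mission-critical / sensitive data)


def age_factor(finding: Finding, today: date) -> float:
    """Escalate a finding as it ages past its remediation window.

    Inside the window the factor grows linearly from 1.0 to 2.0; once the
    window is blown it keeps growing, so an old medium can outrank a new high.
    """
    age_days = (today - finding.first_seen).days
    window = REMEDIATION_DAYS[finding.severity]
    return 1.0 + max(age_days, 0) / window


def risk_score(finding: Finding, today: date) -> float:
    """Composite score: severity x asset value x age escalation."""
    if finding.severity not in SEVERITY_WEIGHT:
        raise ValueError(f"unknown severity {finding.severity!r}")
    if not 1 <= finding.asset_value <= 5:
        raise ValueError("asset_value must be between 1 and 5")
    return SEVERITY_WEIGHT[finding.severity] * finding.asset_value * age_factor(finding, today)


def prioritize(findings: list[Finding], today: date) -> list[str]:
    """Return finding IDs ordered from most to least urgent."""
    ranked = sorted(findings, key=lambda f: risk_score(f, today), reverse=True)
    return [f.finding_id for f in ranked]


# Constructed sample findings (not real data).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    # Critical, brand new, on a low-value test box.
    Finding("F-1", "critical", date(2024, 5, 30), asset_value=1),
    # Medium, open for five months, on a system holding sensitive data.
    Finding("F-2", "medium", date(2024, 1, 1), asset_value=5),
    # High, two weeks old, on a moderately valuable server.
    Finding("F-3", "high", date(2024, 5, 18), asset_value=3),
]

if __name__ == "__main__":
    for fid in prioritize(SAMPLE_FINDINGS, SAMPLE_TODAY):
        f = next(x for x in SAMPLE_FINDINGS if x.finding_id == fid)
        print(f"{fid}: {risk_score(f, SAMPLE_TODAY):.1f}")
```

With these assumed weights the long-open medium finding on the sensitive system ranks first, the two-week-old high second, and the fresh critical on the throwaway host last, which is the point of weighting by age and asset value rather than by severity alone. The scores only mean something if the inventory behind `asset_value` and the `first_seen` dates are accurate, which is why the visibility discussion that follows matters.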