What is at the core of the federal government's struggles with cybersecurity? Across all industries, the awareness and attention given to cybersecurity have increased since the implementation of the Federal Information Security Management Act of 2002 (FISMA). At its inception, the commercial industry was forced to take notice of a topic the government knew existed and that was only going to grow in importance. The theory behind FISMA has good intentions. However, in recent years a major difference has arisen between government and commercial entities.
The government's implementation of FISMA has taken on the role of providing reports to the Office of Management and Budget (OMB). As a result, the government implementation has come to be viewed as a paper exercise or a simple check box. Concurrently, the commercial sector has developed into a highly regulated and penalized entity as a result of FISMA. The end result is a commercial industry that outpaces the government when it comes to cybersecurity.
There are intelligent and skilled professionals in the government sector. I have had the privilege of working with what I believe are some of the best. However, without the right tools and without the authoritative backing, those professionals are not provided what they need to properly manage the risks against government systems. When a responsible party fails to exercise due care, the ramifications are nearly non-existent, which further hampers their capabilities.
The largest threat to the federal workforce then becomes the lack of availability of information systems, since no accountability exists. In the meantime, the security professionals within the government organization are tied up working through the steps of an incident investigation. This further limits those staff from addressing the increasingly important risk-management side of security.
The commercial industry faces a critical reality if this same due care is not exhibited. For example, if a senior executive is informed of a leak of customer banking records and chooses not to act, the organization as a whole will likely be penalized, and the senior executive removed from the organization. This gives the commercial industry life-altering incentives to exhibit the same due care that government is allowed to let slip.
If the commercial industry fails at cybersecurity, it will suffer financial impacts, layoffs, and a loss of customers. If a government organization fails, it has traditionally gained funding to fix its situation. Simply stated, the commercial industry holds decision makers and staff accountable. The federal sector does not, and indirectly rewards poor performance with additional funding.
The end result is a reality in which commercial security capabilities are outpacing federal security capabilities. In time, federal organizations will realize they must rely on commercial partners to be successful. These organizations are accountable and cost-effective. The seeds have been planted in programs such as FedRAMP. However, in future years, expect the prevalence of this program, and of others leaning on the commercial industry, to increase.