A hearing last week focused on yearly cybersecurity reporting and compliance versus protecting systems. NextGov reported on challenges with FISMA, the Federal Information Security Management Act, which requires agencies to identify and inventory their IT systems and determine how sensitive the information is that is stored on those systems.
"It seems like OMB thinks that a snapshot of agency preparedness every three years will defend our critical networks," said Sen. Thomas Carper, D-Del., during a hearing of the Senate Federal Financial Management Subcommittee, which he chairs. "But instead, billions of dollars are spent every year on ineffective and useless reports. Meanwhile, we continue to get attacked."

Efforts at more real-time, and effective, cybersecurity were cited at the Department of State.
To supplement FISMA reporting requirements, State implemented a widely lauded risk-scoring program that scans every computer and server connected to the department's network no less than every 36 hours to identify security vulnerabilities and twice a month to check software configurations. The program assigns points on a scale of zero to 10, with 10 being the riskiest security threats. Points are deducted once issues are resolved. Since July, overall risk on the department's key unclassified network measured by the scoring program has been reduced by nearly 90 percent at overseas sites and 89 percent at domestic sites.

"These methods have allowed one critical piece of the department's information security program to move from the snapshot in time previously available under FISMA to a program that scans for weaknesses continuously, identifies weak configurations [every] 15 days, recalculates the most important problems to fix in priority order daily, and issues letter grades monthly to senior managers tracking progress for their organization," Streufert said.

--Read more in NextGov

On the hiring side, John Berry, Office of Personnel Management (OPM) boss, said that "cracks are showing" in the personnel system. According to Government Executive, he outlined a number of areas that might be ready for updating. Berry said that

Reformers must realign personnel systems to recognize, reward and promote merit within the federal workforce, while making the merit system principles a matter not simply of fairness but of job performance.

While not making specific policy edicts, he offered a few focus areas like
- Expanding the eligibility for big bonuses--beyond the Senior Executive Service
- Helping agencies pilot and incorporate telework
- Working to better recognize and reward star performers
- Focusing on training managers and workers to help adopt change
- Reviewing the current 15 grade system for a more flexible and simplified promotion path
- Creating "results-only" work environments, removing time and place from performance.

Read more on GovExec.
It takes a while to turn around a large, complex vehicle like government. These efforts are helping to turn in the right direction.