The Expert's View with Bruce Brody

OPM Hack: The Role FISMA Played

Former Gov't CISO Detects Flaws in Law Governing IT Security
The Office of Personnel Management data breach is merely a symptom of a much larger problem across all federal government executive branch agencies, and it's not going away anytime soon.

That's because the Federal Information Security Management Act, in all of its various forms over the past 14 years, has created a veritable disarray of legislative mandates, ostentatious oversight, ambiguous policy frameworks, ineffective guidelines, disjointed funding and deficient accountability. Even more significant, FISMA botched cybersecurity leadership and governance across the entire executive branch.

Among its myriad flaws, and for whatever inexcusable reasons, FISMA has deemed it appropriate for the chief information security officers to report to the chief information officers. Such an organizational construct reduces cybersecurity to a mere IT security problem, ignoring the growing importance of cybersecurity's reach across all of the personnel, physical and cultural strata of an agency's makeup, not to mention its grander organizational privacy, risk management and compliance obligations.

Congress seems to believe that the often politically appointed CIO with myriad budget-cutting and help desk headaches is the appropriate senior official under whom to subordinate the critically important and growingly complex cybersecurity portfolio. One by one, the Fortune 1000 is jettisoning this organizational paradigm, as security and privacy are skyrocketing in importance in the boardroom, while IT management is losing footprint to mobility and the cloud.

Terminating the Unfortunate Scapegoat

That's not to exonerate the Fortune 1000, by any means. There are too many of them who don't even have a CISO. But at least when those companies experience their inevitable breach, and after the unfortunate scapegoats have been terminated, they then put resourced and empowered security programs in place to implement appropriate processes, capabilities and tools.

FISMA has also created a "cyber-industrial complex" that feeds at the trough of federal cybersecurity spending and has become so entrenched and powerful that it rules federal cybersecurity with a profitability rather than a best-practice metric. Compounding this problem are agencies that have failed to adapt archaic acquisition strategies and contracting practices to deal with the dynamic realities of cybersecurity trends and developments.

Many agencies are using "lowest price, technically acceptable" contractors to protect some of our nation's most important and sensitive data. For these agencies, disaster either has occurred or is imminent.

The stark reality is that no agency in the executive branch prioritizes cybersecurity as a core business enabler. Federal agencies treat cybersecurity as an IT annoyance, buried as it is under their CIO. Federal agencies practice crisis-to-crisis cybersecurity management, and not proactive infrastructure resilience. Congress abets this approach by enacting authorization language that instructs each agency to deliver specific entitlements or services to the taxpayer, and appropriation language that funds the associated authorization, neither of which elevates cybersecurity to anything near an agency priority.

Seeking Nonconformist Solution

If there's a solution to this mess, it must be nonconformist. Voluntary cross-agency programs that leverage all of the government's buying power have been few, and have not worked. Nor have voluntary Department of Homeland Security programs that agencies have balked at adopting for fear of exposing their deficiencies to another agency.

Perhaps a maverick agency head will emerge, thumb his or her nose at FISMA and Congress, elevate the CISO role to a direct-report to the agency head (and then find a good one), re-assign the business-as-usual security staff and discharge its contractor masters. He or she will then empower the CISO and provide resources to migrate agency IT operations to a properly architected and security-first infrastructure. This maverick agency head also will lead the adoption of a security-aware culture across the entire agency, hold accountable all system and business process owners who do not place cybersecurity at the top of their daily list of priorities and provide resources for the continuous management and maintenance of the IT infrastructure with relentless diligence.

Agency-wide risk management and proactive resilience are not a lowest price, technically acceptable solution. Nor are they a subordinate IT problem. Cybersecurity is a leadership and governance issue, and as a result, the recent OPM data breach is not surprising. Breaches will happen again, many times in many agencies, with no end in sight.

Brody, a former CISO of the departments of Veterans Affairs and Energy, is CISO for Cubic Global Defense, a provider of mission-centered training systems and services for the U.S. and allied armed forces, and chief security strategist for its parent company, Cubic.

About the Author

Bruce Brody

CISO Advisor, Cisco

Bruce A. Brody is a highly experienced, executive-level Chief Information Security Officer and subject matter expert on cybersecurity and risk management. He has served as the Chief Information Security Officer (CISO) at the U.S. Department of Veterans Affairs, the U.S. Department of Energy, DRS Leonardo, and Cubic Corporation; a member of the Federal Senior Executive Service; a distinguished manager in the national security community; and a decorated officer in the U.S. Air Force. He was the Director of the Guidehouse (formerly PricewaterhouseCoopers Public Sector LLP) Cybersecurity Practice from 2015 to 2019, after which he became the Resident CISO for the Federal Practice at Proofpoint. He is now a CISO Advisor for Cisco. Mr. Brody served as the Chief Information Security Officer for the U.S. Department of Veterans Affairs from 2001 to 2004, a position in which he became the first Senior Executive Service CISO in the Federal Government. In this position, he was responsible for directing and overseeing all cyber and information security activities of the second-largest cabinet-level department in the U.S. Federal Government. He is widely credited with creating and defining the U.S. Federal CISO role. Mr. Brody was appointed Chief Information Security Officer for the U.S. Department of Energy in 2004. He has since served in a variety of executive positions in private industry, including Vice President for Information Assurance at CACI (NYSE: CACI), Chief Cyber Security Strategist at Paradigm Solutions, Vice President and Chief Information Security Officer at DRS Leonardo, and Chief Cybersecurity Strategist and CISO for Cubic Global Defense (NYSE: CUB). He became the Resident CISO for Proofpoint’s Federal practice in 2019, and is now a CISO Advisor with Cisco. Mr. Brody is also a member of the Armed Forces Communications and Electronics Association (AFCEA) Cybersecurity Committee, and he is a Distinguished Fellow of the Ponemon Institute. 
He has served as a STARS Mentor for the MACH37 Virginia Cybersecurity Accelerator, the founding Co-Chair of the Government Advisory Board of the International Information Systems Security Certification Consortium ((ISC)2), member of the statutory Federal Information Security and Privacy Advisory Board, and member of the Northern Virginia Technology Council. Mr. Brody holds a master’s degree with an emphasis on information security from Eastern Michigan University. He is also a Certified Information Systems Security Professional (CISSP), and a Certified Authorization Professional (CAP), both of which are granted by (ISC)2; and a Certified Information Security Manager (CISM), which is granted by the Information Systems Audit and Control Association (ISACA). He serves on the Advisory Board of the Certified FISMA Compliance Professional (CFCP), a credential that he also holds. Mr. Brody also earned a Level III Advanced Program Management certification from the Defense Systems Management College. His career also includes 10 years at the Defense Intelligence Agency, where he distinguished himself as the Chief of the Counterterrorism Section, and an additional seven years with the Defense Information Systems Agency, where he directed the global Defense-wide Multilevel Security Program. An Air Force veteran, Mr. Brody received the Air Force Commendation Medal and the Defense Meritorious Service Medal during his service.
