The President’s May 11 executive order Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure seems to have been met with broad support. While a few have been critical that it was not bold enough, most reviewers seem to be endorsing the main message, both for what it does (initiating broad self-assessments by agencies), and for what it does not do (consolidate all accountability in the DoD).
The broad strokes: This order endorses, mandates, and accelerates the adoption of existing frameworks as well as ongoing risk assessment and mitigation, but it does not set the game clock back by forcing the creation of new frameworks or imposing stifling centralization.
Full disclosure: I’m accountable for growing the cybersecurity business line at FICO. That said, in reading the text of the order, I was struck by the broad alignment of its goals and directives with the goals, use cases, and specific capabilities that we’ve enabled with the FICO Enterprise Security Score (ESS).
We’ve been in the market with the ESS product now since October of 2016, so we obviously did not design the product around the order’s directives. But the capabilities of the product and the use cases that it enables are entirely consistent with those directives. Not only is the order a step in the right direction for improved security, it makes the case for the utility that ESS can supply in support of it.
The order is relatively short, with three operational sections. Depending on how you read it, and when you weed out items that are either duplicative or definitional, you get down to 12-15 “action items” for agencies and departments. Of these, at least 10 align directly with what we are delivering with ESS. With that as backdrop, here’s my executive order “Top 10” list:
- The order calls on agencies to take actions commensurate with their cyber risk. This, of course, requires an assessment of risk. ESS provides an actionable, empirical assessment of risk. ESS is currently the only fully empirical cyber risk assessment tool on the market based on supervised machine-learning models.
- The order calls on agencies to identify known and knowable vulnerabilities, and develop a plan for action and/or rationale for acceptance of risks associated with them. ESS enumerates many categories of known vulnerabilities, and associates them with corresponding risks through scores and reason codes.
- The order requires agencies to adopt the NIST framework, and report accepted risks as well as risk mitigation plans in the context of the NIST framework. ESS correlates all identified issues with the relevant NIST framework references, enabling users to understand how identified risks (both conditional and behavioral) correlate to the NIST guidelines.
- The order requires the OMB, in fulfilling its oversight function, to establish a framework for ongoing re-assessment of cyber risks. ESS is a tool for continuous risk monitoring, providing ongoing risk quantification as well as continuous correlation to the NIST framework. As network conditions change, and as observed behaviors are recognized, the ESS score is updated, as are the relevant NIST framework references.
- The order calls on the Secretary of Homeland Security, in cooperation with other department heads, to identify risks in critical infrastructure, and produce annual reports against the same. ESS enables the ongoing identification of risk across and within enterprises of any type (which may include assets across enterprises, or specific subsets, divisions, or functions within an organization), whether government agency, private enterprise, or any other organization type with internet-facing assets.
- The order calls for the Secretary of Homeland Security, in coordination with the Department of Commerce, to assess the sufficiency of the market transparency around cybersecurity practices. A key goal of ESS is to provide market transparency in security risk, enabling trading partners to readily understand the comparative security of current and potential future trading partners, so that market forces promote stronger security in commercial relationships.
- The order calls for the Secretary of Defense to assess risks in the defense industrial base and its supply chain. A primary use case for ESS, and much of its functionality, is geared toward assessing supply chain (vendor) risk, and enabling ongoing monitoring of risk in supply chain relationships.
- The order calls for joint action by the Secretary of Commerce and the Secretary of Homeland Security to assess and address the risks posed by botnets and other automated, distributed threats to internet security. ESS identifies assets involved in the distribution of botnets, as well as assets vulnerable to being leveraged for botnet distribution.
- The order calls on the Secretaries of State, Treasury, Commerce, Defense, and Homeland Security, along with the Attorney General, to opine on internet security priorities, including those related to investigation and attribution of internet threats. ESS has its roots in DHS-funded research for identifying, attributing and quantifying global internet threats, and the data it generates is geared to do exactly that.
- The order recognizes the gaps in our nation’s workforce and the shortage of skills required to address the scope of the challenge ahead. ESS and its continuous monitoring framework, coupled with its ability to empirically correlate conditions and behaviors with risk outcomes, provides a means for organizations to automate monitoring tasks and streamline remediation tasks, so they can get more from their workforce and ensure that the most highly skilled cybersecurity talent can stay focused on the most egregious risks.
That’s my take on the executive order “top 10” list. While I don’t expect any offers to become a writer for late night talk shows, I am excited about our ability to contribute to this long-overdue focus on risk assessment and risk management across federal agencies. We’re looking forward to making a difference.