Researchers Push FITARA-Like Scorecard for Cybersecurity


A recent MITRE report lays out eight ways the federal government can improve cybersecurity habits across all agencies, hinging on enhanced Congressional funding and oversight. 

Congress should adopt a scorecard to measure agencies’ progress implementing best cybersecurity practices as one way to improve the government’s overall posture, according to recent research. 

Authored by researchers at MITRE, the white paper lays out eight recommendations for the federal government to improve its cybersecurity hygiene and security infrastructure to prevent malware and ransomware attacks. They also note that the last major legislative update to cybersecurity practices within the federal government came with the passage of the Federal Information Security Modernization Act of 2014.  

“Updates are needed to the laws governing federal cybersecurity to align them with current cybersecurity best practices, to reduce spending on audits and reports, and to clarify roles and responsibilities of the many federal players involved,” the paper reads. 

One of the eight recommendations advises using the Federal Information Technology Acquisition Reform Act as a guideline for Congressional cybersecurity oversight and reporting. FITARA, passed in 2014, provides a framework for how government agencies purchase computing technologies. 

Researchers say that the FITARA evaluation metrics offer transparency into federal agencies’ efforts in IT modernization that should be emulated in Congressional oversight hearings aimed at evaluating cybersecurity practices.

“A FITARA-style cybersecurity scorecard can be the subject of Congressional oversight hearings where Executive Branch and agency leaders can testify on their progress and on areas where improvement and additional Congressional support is needed,” the paper reads. “This reporting model could also be used to streamline the extensive reporting agencies currently produce for Congress, GAO, and the IG community.”

The paper also called for the specific modernization of the Cybersecurity and Infrastructure Security Agency’s defense system. Researchers write that CISA’s current cyber defense systems were designed for a time when most agency systems were operated internally with limited unencrypted external traffic.

With the onset and implementation of more cloud-based computing, more zero-trust security software is required to protect sensitive data. One way the authors recommend supporting this initiative is with increased Congressional funding for CISA’s defense networks. 

“Congressional action can help ensure that the federal government is positioned to meet current and emerging threats and is managed according to current best practices,” the paper concludes. “The eight recommendations in this paper provide options for Congress that would support efforts at improving federal agency cybersecurity while making the oversight process more efficient and effective.”

The rest of the recommendations include giving federal cybersecurity leadership more oversight authority, modernizing legacy IT systems, creating new cyber risk frameworks, supporting zero trust infrastructure in federal agencies, updating supply chain risk management, and requiring cybersecurity practices to be a cross-agency priority in the Biden administration. 

The paper was submitted last week to several Congressional committees, as well as to federal Chief Information Security Officer Chris DeRusha.