Using a Standardized Approach for Measuring Cybersecurity in Government
Last week at the annual Billington CyberSecurity Summit in Washington, DC, officials from government agencies gathered with industry leaders to discuss cyber threats, geopolitics, and issues of national security. One of the highlights was a fireside chat on Friday with Anne Neuberger, deputy national security adviser for cyber and emerging technology. Under Neuberger’s leadership, the White House has taken an active role in embracing technological change, but in her talk she stressed that it is not enough to keep critical infrastructure secure: the government also needs an accurate, repeatable way of measuring that security so that progress can be verified rather than assumed.
Keeping the digital front doors locked
In her comments during the session, Neuberger noted that the Administration has been focused on asking if the digital front doors of critical infrastructure are locked or open. After noting that this was a question that previously could not be answered, Neuberger highlighted the movement by federal agencies to use “A, B, C, or D” security ratings to assess the health of various critical infrastructure segments, like pipelines, aviation, rail, water, and more.
An evolving approach to measuring risk
Neuberger noted that moving to this standard measurement approach was a “game-changer” in measuring cybersecurity at the federal level.
The supply chain behind critical infrastructure is enormous and deeply interconnected. Yet companies and government regulators too often have little visibility into the security of their critical vendors, partners, and agency assets. In fact, it’s estimated that 61 percent of public sector agencies have open cyber vulnerabilities, and that they take a median of 309 days to remediate them. Closing that visibility gap requires closer relationships and more frequent communication between the public and private sectors, which in turn enables more effective compliance reporting and better-informed decision making.
Cybersecurity ratings, like the ones offered by SecurityScorecard, offer an outside-in view of an organization’s risk posture and threat landscape, and give organizations a means for objectively monitoring their security hygiene and that of their vendors. They also allow stakeholders at all levels to gauge where their security efforts are improving or deteriorating over time. We believe that the use of risk ratings to monitor external risk can create a whole new language of cyber that stakeholders at all levels can use to more easily understand dynamic risks and assess the results of programs and investments.
The cybersecurity regulatory landscape
With the Biden Administration’s recent release of its National Cybersecurity Strategy, multiple Sector Risk Management Agencies (SRMAs) have put forth new requirements to measure, report, and manage third-party risk. In Europe, the Digital Operational Resilience Act (DORA) will require banks, other financial entities, and designated ICT third-party providers within the EU to adopt robust cybersecurity measures. And in France, a new cyberscore law will require Internet-facing platform companies to disclose “report cards” on cyber resilience based on third-party audits of their systems and processes. The common thread is simple: you can’t manage what you don’t measure.
As countries globally struggle to measure and communicate more effectively on cyber risk, the U.S. federal government’s use of cybersecurity ratings serves as a much-needed blueprint for how other sector risk management agencies and less mature regulators can partner with industry to measure and report on collective progress. We believe that the approach DNSA Neuberger highlighted last week can be replicated at every Sector Risk Management Agency at the federal level to institute a standardized language and system for assessing risk across all critical infrastructure.
The tools to increase cyber resilience
SecurityScorecard is committed to working with government, private sector owners, and operators of critical infrastructure to ensure that we measure what matters most, secure critical supply chains, and help drive progress.
Whether it’s assisting our partners in the public sector as they assess the health of their cybersecurity environments, helping private companies audit their third-party vendors, or responding to cyber incidents, SecurityScorecard is always seeking to improve communication, boost cyber resilience, and change the way the world measures trust.
For more information on how to better secure your organization, and our continued efforts to make the world a safer place, visit SecurityScorecard.