Updating U.S. Federal Cybersecurity Policy and Guidance

October 23, 2012

As the threat to the cyber infrastructure on which the federal government and the nation relies grows, the urgency of investing wisely in protection against, detecting, mitigating, and recovering from cyber events takes on increasing urgency. Our adversaries are well equipped and agile. Our defenses must be equal to the threat, and they are not.

Since the 1980s, Congress and administrations of both parties have acted periodically to address that threat, through enacting laws and issuing policies and guidance. Though the underlying principles of managing and mitigating risk remain the same, the changing nature of technology and the capabilities of those who would do us harm call for a periodic review and updating of law and policy. Congress has recognized the need to update underlying statutes. Whether or not its efforts succeed, substantial improvement can be achieved by updating policies and guidance within the current statutory framework. Such changes would both improve our security posture and make more effective use of limited resources. While one might argue that more resources need to be spent on cybersecurity in the current threat environment, the fiscal situation argues for first assuring that every dollar spent on cybersecurity be spent wisely and allow for more rapid adoption of cheaper and more efficient technologies.

This report offers recommendations on areas where, in the view of the authors, the U.S. Office of Management and Budget (OMB) could use existing authorities and update its current guidance, last revised on November 28, 2000. These changes would make government cyber assets more secure without spending more money. Absent changes in policy, agency staff and oversight groups (e.g., inspectors general and the Government Accountability Office) will continue to waste scarce resources on strategies that do little to mitigate risk.