In my previous two columns, I described the three primary root causes that have led to the massive data breaches and compromises of core mission IT systems in multiple federal agencies and provided recommendations for addressing the first cause: lack of IT management best practices. The remaining two root causes — which are the focus of this column — are misguided IT security practices and a slow and cumbersome acquisition process.
Regarding misguided IT security practices, to the government’s credit, there has been a fairly aggressive shift in thinking from the traditional Federal Information Security Management Act reporting approach to continuous monitoring of IT systems and the overall IT environment. I was also pleased to see that Congress passed much-needed reform in the FISMA Modernization Act of 2014, and I hope Congress will work closely with the executive branch to ensure that implementation delivers enhanced security.