Cybersecurity experts shared their thoughts on new questions and items outlined in fiscal year 2022 chief information officer metrics, including the document’s increased focus on multifactor authentication and encryption, Federal News Network reported Monday.
In December, the Office of Management and Budget and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released the FY 2022 CIO metrics to assess agencies’ efforts to improve their cybersecurity posture under the Federal Information Security Modernization Act of 2014.
Grant Schneider, senior director of cybersecurity services at Venable and former federal chief information security officer, acknowledged the document’s emphasis on MFA methods that are resistant to phishing.
“If I were to consult with an organization, and they could only do one thing, that would be the thing,” he said of phishing-resistant MFA. “Encryption is also really important, being able to be sure that your information is secure while it’s inside the environment.”
Chris DeRusha, federal chief information security officer and a previous Wash100 Award winner, said penetration testing, blue teaming, vulnerability disclosure programs and other new items in the FY 22 metrics are “getting to a greater focus on capabilities that are leading to observable security outcomes.”
“We need to make sure that we’re emphasizing the growth of these capabilities,” said DeRusha. “And that’s a lot of what the metrics are doing: first taking a temperature of where agencies actually are with those so we can understand what we may need to do as interventions to help them support the build-out of these capabilities.”
The metrics in the document have been updated to reflect some of the priorities and requirements outlined in the cybersecurity executive order released in May 2021. Meanwhile, House lawmakers recently introduced a bipartisan bill to update FISMA as part of efforts to improve the federal government’s defenses against cyberattacks.