There have been several IG reports in the last few months that show the state of defensive cyber security. Some of these reports, even after redactions, show how bad cyber security has become. It is depressing to see.
The most glaring aspect is the inability of some agencies to correct deficiencies that were identified. My own experience was that there are some government agencies that consistently do not correct problems in spite of changes in management or politics of the leadership in charge. We used to be able to predict where cyber would fail, long before it did. For the most part, these organizations have entrenched IT management that ignores not only the IG reports, but the management of the agencies too. We have lived with things like Clinger-Cohen that perpetuate the separation of agencies and allow each one to have its own IT Department. Those Departments hire their own contractors who rely on their business to survive. That cycle cannot be broken with cyber security policy.
The failures continue unabated because IT is not an agency function. The current Administration has the right idea but needs to move faster on removing organizational IT departments and making them conform to Federal direction.