Upleveling from compliance focus to “continuous diagnostics” and “preemptively mitigating risks.”

by Jeff Copeland

Once the home of by-the-book, compliance-driven cyber risk management, the federal government has up-leveled from “governance enablement to interactive cyber operations,” taking advantage of “recent advances in continuous diagnostics and mitigation (CDM) capabilities.”

That’s the messaging in a new guidance document from CISA (Cybersecurity and Infrastructure Security Agency) for the Federal Civilian Executive Branch (FCEB) called FOCAL (FCEB Operational Cybersecurity Alignment). FOCAL aims to standardize risk management at 100 FCEB agencies, but in the process it has created a strategic and tactical framework that CISOs and others in private enterprise could successfully adapt.

FOCAL covers five key risk management points of concern:

1. Asset Management

Goal: “Continuous visibility into agency assets and associated vulnerabilities,” including asset discovery scans every seven days.

2. Vulnerability Management

Goal: “Embracing sustainable and forward-leaning approaches to preemptively mitigate risks rather than defaulting to a reactive posture reliant on a constant flow of alerts and advisories.” Includes “processes and procedures to identify and prioritize vulnerabilities for remediation.”

3. Defensible Architecture

Goal: Zero trust, enterprise-wide identity and access management, network segmentation, and sharing cybersecurity telemetry with CISA.

4. Cyber Supply Chain Risk Management (C-SCRM)

Goal: Agencies must be “aware of the security posture of the numerous third parties with whom they do business [and] establish an enterprise-level view and engage upper-level leadership on cyber supply chain risks.” Also, be prepared to rapidly remove risky software or hardware.

5. Incident Detection and Response

Goal: Focus on “High Value Assets and internet-facing systems that are most likely to be targeted.” Leverage “best-in-class security technologies, such as EDR, which are being ‘architected’ to accomplish ‘whole-of-government’ threat hunting and incident response.”
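As an added example, not taken from the FOCAL document or from Safe Security, the seven-day discovery cadence in point 1 turned into a concrete visibility check: reconcile an authoritative asset inventory against discovery-scanner results and report assets never scanned, assets whose last scan is older than seven days, and hosts the scanner saw that are missing from the inventory. The host names, inventory and scan timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# FOCAL's asset-management goal calls for discovery scans every seven days.
MAX_SCAN_AGE = timedelta(days=7)

# Constructed sample data (hypothetical): the authoritative inventory and the
# last-seen timestamp the discovery scanner reported for each host.
INVENTORY = {"web-01", "web-02", "db-01", "vpn-gw", "hr-laptop-17"}
SCAN_RESULTS = {
    "web-01": "2024-06-10T02:15:00",
    "web-02": "2024-06-01T02:15:00",         # last seen more than seven days ago
    "db-01": "2024-06-09T23:40:00",
    "vpn-gw": "2024-06-10T02:20:00",
    "build-agent-9": "2024-06-10T02:16:00",  # on the network, not in inventory
}
# Fixed "now" for the constructed sample so the result is reproducible.
SAMPLE_NOW = datetime(2024, 6, 10, 9, 0, 0)


def reconcile(inventory, scan_results, now, max_age=MAX_SCAN_AGE):
    """Return the visibility gaps between inventory and discovery results.

    never_scanned : inventoried assets the scanner has never reported
    stale         : inventoried assets whose last scan is older than max_age
    unknown       : hosts the scanner found that are absent from the inventory
    """
    last_seen = {h: datetime.fromisoformat(ts) for h, ts in scan_results.items()}
    scanned = set(last_seen)
    never_scanned = sorted(inventory - scanned)
    stale = sorted(h for h in inventory & scanned if now - last_seen[h] > max_age)
    unknown = sorted(scanned - inventory)
    return {"never_scanned": never_scanned, "stale": stale, "unknown": unknown}


def coverage_ratio(inventory, scan_results, now, max_age=MAX_SCAN_AGE):
    """Fraction of inventoried assets with a scan inside the seven-day window."""
    gaps = reconcile(inventory, scan_results, now, max_age)
    covered = len(inventory) - len(gaps["never_scanned"]) - len(gaps["stale"])
    return covered / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    for kind, hosts in reconcile(INVENTORY, SCAN_RESULTS, SAMPLE_NOW).items():
        print(f"{kind}: {hosts}")
    print(f"seven-day coverage: {coverage_ratio(INVENTORY, SCAN_RESULTS, SAMPLE_NOW):.0%}")
```

Each gap category maps to a different remediation owner: stale and never-scanned assets go to the scanning team, unknown hosts go to inventory and network-access owners.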

A Note on Cyber Supply Chain Risk Management

The FOCAL plan recognizes the emergence of supply chain risk as a leading threat vector for both government and private enterprise. The federal government was badly burned in the SolarWinds cyber attack of 2019, in which Russian infiltrators compromised a software update to spread spyware through government and government-contractor systems.

After the incident, the federal General Accounting Office (GAO) recommended a list of best practices to mitigate third-party supply chain risk. When the GAO followed up, it found that few agencies had made the fixes.

Unfortunately, that’s paralleled in the business world. Organizations typically rely on outmoded third-party risk management (TPRM) practices: sending questionnaires to vendors, asking for self-attestation that the third party follows standards such as SOC 2, or using ratings services that perform only limited scans of the third party’s controls.

It’s time to rethink TPRM. Safe Security offers the most advanced TPRM solution that enables:

  • Prioritizing the third parties that pose the highest risk, whether by likelihood or by probable loss exposure in dollar terms
  • Zero trust controls to limit the impact of third-party risks
  • Real-time feeds of threat intel from the first-party attack surface and the status of controls coverage at the third party

Learn more about TPRM at Safe Security

Schedule a 1:1 demo of the SAFE One platform