2012 DHS/ACT-IAC Cybersecurity Awards The “Fed Cyber Cup” Concept Overview Cheryl Soderstrom, Programs Chair, Cybersecurity SIG

Post on 19-Jan-2016



Impetus for Potential Awards

• Desire to highlight achievements in promoting secure cyberspace within the government

• Matt Coose, DHS FNS, establishing the 1st “Federal Cyber Cup” to recognize 2010 performance; interested in expanding awards program and collaboration with ACT-IAC

• ACT-IAC interest in promoting cybersecurity through new awards program

Establishing a Federal Cybersecurity Awards Program

• FNS collects and analyzes government performance against FISMA metrics through CyberScope in accordance with M-10-28.

• The addition of CyberStat sessions provides context around agency or department performance and allows trends, particular challenges and innovative solutions to emerge.

• Together, these provide an opportunity to recognize performance against FISMA criteria at the department level.

• DHS will have announced federal cybersecurity awards at their October 2011 conference.

– Working with federal CISOs Advisory Council to nominate or help select winners, and to offer ideas for future awards (Public Outreach POC: Antione Manson)

– Overall Federal Cybersecurity Award winner; perhaps other awards to be announced against 2010 FISMA data.

• Integration of Fed Cyber Cup with ACT-IAC targeted post 1st award program announcements

– (Future) Potentially integrated DHS/ACT-IAC awards program associated with Excellence.gov event (spring 2012), focused on FY11 results.

– Idea is that the winning Agency’s name will be engraved on the actual Federal Cybersecurity Cup, which gets passed around to the new winner each year.

Possible DHS Awards Categories

• Best Posture

This “best of breed” in cybersecurity award will recognize the agency with the best overall security posture as indicated by the FISMA results.

• Most Improved

This award will recognize the agency that has shown the greatest improvement in its information security program from one year to the next.

• Innovation

This award will recognize agencies for innovation in managing and improving their information security programs. Agencies will be rewarded for utilizing creative, non-traditional, and effective ways for managing their security programs.

• Most Accomplished with Least Resources

This award will recognize agencies that have excelled in managing their cybersecurity programs despite having a small budget or staff dedicated to security.

• Interagency Collaboration

This award will recognize agencies that have taken the lead in promoting standards, innovation, or other best practices across all federal agencies or have been active in assisting other agencies in their cybersecurity programs.

• Award to Stakeholders

This award will recognize the various stakeholders involved in the FISMA reporting process and will acknowledge other areas of excellence not addressed by the other award categories.

• Federal Initiatives

This award will recognize the most outstanding agencies in achieving federal initiatives. Agencies that have shown considerable progress in meeting or exceeding the goals of various federal cybersecurity initiatives will be rewarded for their efforts.

Possible DHS Awards Selection Process

Best Posture award determined by four metric criteria:

• CyberScope Reports – 40%

Strength of security program based on analysis of responses in CyberScope.

• IG Concurrence – 40%

Metric based on IG ratings of establishing and maintaining 10 different programs consistent with FISMA requirements.

• Maturity – 10%

Number of years in the top 50 percentile on the FISMA scorecard.

• Direct Data Feeds – 10%

Security management tools providing direct data feeds for metrics including inventory, configuration, and vulnerability management.

The process for additional awards is:

• Data-Driven

Awards are based on measurable criteria including CyberScope scores, documented metrics, and other objective data points.

• Results Oriented

Recognition given to encourage actual improvement in cybersecurity results by rewarding reductions in incidents and vulnerabilities.

• Federal Enterprise Focused

Collaborative efforts and support of standards are recognized.

ACT-IAC Involvement in Fed Cyber Cup Awards

• Option 1: DHS presents DHS awards; ACT-IAC provides Excellence.gov venue

• Option 2: DHS & ACT-IAC work together to expand awards (may include nominations, criteria development, judging alongside cross-government participants)

• Option 3: ACT-IAC establishes a cybersecurity award program with Fed CIO Council (and DHS if interested)

• Option 4: ACT-IAC establishes our own federal cybersecurity awards

• Option 5: Disengage on idea

• ACT-IAC prefers Option 2 or Option 3

• Need to establish parameters within which we add value to government efforts

– Resources for data analysis

– Scoring schemas & judging

– Adding “subjective” industry awards to process

– Joint government/industry “stamp of approval”

– Other?

PROPOSED NEXT STEPS

• Planning and role delineation with DHS (10/11 and 10/27 sessions with Matt Coose)

– Questions remain: Are the awards for compliance…or better security posture? How do you judge? Is industry allowed to see FISMA data? If not, how do we help? What roles are appropriate for DHS vs. ACT-IAC in the process? What would our timing and commitments be? How do we help Matt clear DHS Ethics Office concerns, if any?

• Engagement & analysis of submitted data (Nov 2011 to Jan 2012)

• Finalization of winners and event logistics management (Feb – Spring 2012)

• Excellence.gov presentation (Spring 2012)

What We Need from You

• Identification and removal of obstacles to DHS participation

• Guidance and development of “FISMA Cup” concept

• Collaborative development of roles & responsibilities between DHS & ACT-IAC

• Leadership and engagement in program, once approved by all parties

• Interaction with GAP members and other government colleagues regarding awards

• Public identification as FISMA Cup Awards Government Chair

Can you participate as currently described?