Measuring What Matters: Reducing Risk by Rethinking (Regulation 1)

Editor’s Note: A major report authored by Julie M. Anderson, Karen S. Evans, Franklin S. Reeder and Meghan M. Wareham is attached here. The paper’s Recommendations to OMB are reprinted below. The paper also includes a message from the National Academy of Public Administration.


To better secure information and improve information security evaluations across government, the report team recommends OMB direct the following policy changes:

1. IGs should adopt the enhanced risk management framework and submit a FISMA Evaluation Plan to OMB by no later than May 2013;

2. NIST should include the enhanced risk management framework, including the cyber risk indicator concept, to foster a more evidence-based and outcome-oriented approach to evaluating information risk management;

3. NIST, in coordination with DHS, should develop and incorporate a clear threat model as a part of the cybersecurity framework to build a foundation for risk management across agencies. This will allow agency leaders to better and more consistently discern what risks can or cannot be accepted;

4. IGs should prioritize their findings in accordance with the agency or department’s defined risk level and also distinguish between managerial and technical controls;

5. Agency Chief Information Officers (CIOs) should lead the effort to integrate the IG’s findings into overall department or agency strategic mission priorities, processes, and decisions; and,

6. GSA should expand the Federal Risk and Authorization Management Program (FedRAMP) beyond cloud services.
