2012 DHS/ACT-IAC Cybersecurity Awards The “Fed Cyber Cup” Concept Overview Cheryl Soderstrom, Programs Chair, Cybersecurity SIG

Impetus for Potential Awards Desire to highlight achievements in promoting secure cyberspace within the government Matt Coose, DHS FNS, establishing the 1 st “Federal Cyber Cup” to recognize 2010 performance; interested in expanding awards program and collaboration with ACT-IAC ACT-IAC interest in promoting cybersecurity through new awards program

Establishing a Federal Cybersecurity Awards Program FNS collects and analyzes government performance against FISMA metrics through Cyberscope in accordance with M The addition of CyberStat sessions provide context around agency or department performance, and allow trends, particular challenges and innovative solutions to emerge. Together, these provide an opportunity to recognize performance against FISMA criteria at the department level. DHS will have announced federal cybersecurity awards at their October 2011 conference. – Working with federal CISOs Advisory Council to nominate or help select winners, and to offer ideas for future awards (Public Outreach POC: Antione Manson) – Overall Federal Cybersecurity Award winner; perhaps other awards to be announced against 2010 FISMA data. Integration of Fed Cyber Cup with ACT-IAC targeted post 1 st award program announcements – (Future) Potentially integrated DHS/ACT-IAC awards program associated with Excellence.gov event (spring 2012), focused on FY11 results. – Idea is that the winning Agency’s name will be engraved on the actual Federal Cybersecurity Cup, which gets passed around to the new winner each year.

Possible DHS Awards Categories Best Posture This “best of breed” in cybersecurity award will recognize the agency with the best overall security posture as indicated by the FISMA results. Most Improved This award will recognize the agency that has shown the greatest improvement in its information security program from one year to the next. Innovation This award will recognize agencies for innovation in managing and improving their information security programs. Agencies will be rewarded for utilizing creative, non-traditional, and effective ways for managing their security programs. Most Accomplished with Least Resources This award will recognize agencies that have excelled in managing their cybersecurity programs despite having a small budget or staff dedicated to security. Interagency Collaboration This award will recognize agencies that have taken the lead in promoting standards, innovation, or other best practices across all federal agencies or have been active in assisting other agencies in their cybersecurity programs. Award to Stakeholders This award will recognize the various stakeholders involved in the FISMA reporting process and will acknowledge other areas of excellence not addressed by the other award categories. Federal Initiatives This award will recognize the most outstanding agencies in achieving federal initiatives. Agencies that have shown considerable progress in meeting or exceeding the goals of various federal cybersecurity initiatives will be rewarded for their efforts.

Possible DHS Awards Selection Process Best Posture award determined by four metric criteria: CyberScope Reports – 40% Strength of security program based on analysis of responses in CyberScope. IG Concurrence – 40% Metric based on IG ratings of establishing and maintaining 10 different programs consistent with FISMA requirements. Maturity – 10% Number of years in the top 50 percentile on the FISMA scorecard. Direct Data Feeds – 10% Security management tools providing direct data feeds for metrics including inventory, configuration, and vulnerability management. The process for additional awards is: Data-Driven Awards are based on measurable criteria including CyberScope scores, documented metrics, and other objective data points. Results Oriented Recognition given to encourage actual improvement in cybersecurity results by rewarding reductions in incidents and vulnerabilities. Federal Enterprise Focused Collaborative efforts and support of standards are recognized.

ACT-IAC Involvement in Fed Cyber Cup Awards Option 1: DHS presents DHS awards; ACT-IAC provides Excellence.gov venue Option 2: DHS & ACT-IAC work together to expand awards (may include nominations, criteria development, judging alongside cross-government participants) Option 3: ACT-IAC establishes a cybersecurity award program with Fed CIO Council (and DHS if interested) Option 4: ACT-IAC establishes our own federal cybersecurity awards Option 5: Disengage on idea ACT-IAC prefers Option 2 or Option 3 Need to establish parameters within which we add value to government efforts – Resources for data analysis – Scoring schemas & judging – Adding “subjective” industry awards to process – Joint government/industry “stamp of approval” – Other?

PROPOSED NEXT STEPS Planning and role delineation with DHS (10/11 and 10/27 sessions with Matt Coose) – Questions remain: Are the awards for compliance…or better security posture? How do you judge? Is industry allowed to see FISMA data? If not, how do we help? What roles are appropriate for DHS vs. ACT-IAC in the process? What would our timing and commitments be? How do we help Matt clear DHS Ethics Office concerns, if any? Engagement & analysis of submitted data (Nov 2011 to Jan 2012) Finalization of winners and event logistics management (Feb— Spring 2012) Excellence.gov presentation (Spring 2012)

What We Need from You Identification and removal of obstacles to DHS participation Guidance and development of ‘FISMA Cup” concept Collaborative development of roles & responsibilities between DHS & ACT-IAC Leadership and engagement in program, once approved by all parties Interaction with GAP members and other government colleagues regarding awards Public identification as FISMA Cup Awards Government Chair Can you participate as currently described?