The Census Bureau has shown it understands the best practices around cybersecurity risk management and has an automated reporting system but didn’t follow its own advice, leading to poor, uninformed management decisions, according to a new watchdog report.
As the amount of data and interconnected systems and devices grow exponentially, it is impractical to apply top-level cybersecurity to every aspect of an agency network. Instead, experts—including cybersecurity leaders from the Homeland Security Department and National Institute of Standards and Technology—recommend using a risk management framework to focus resources on the areas that need the most attention.
The bureau has an established risk management framework, yet it failed to monitor security controls, properly document risk and keep authorizing officials in the loop, according to an inspector general report released Tuesday.
In order to implement a risk management framework, officials created an automated application called the Risk Management Program System to regularly assess its IT systems and deliver reports “that quantify cybersecurity risk.” But the IT and cybersecurity worlds change rapidly and Census officials failed…
