In 2021, DHS, like many agencies, was putting together a funding request to boost its cybersecurity work after the SolarWinds cyberattack. Hemant Baidwan was leading the effort and reviewing requests from various DHS components when he realized something was missing: the ability to connect funding to outcome.
Now the department’s Chief Information Security Officer, Baidwan puts it this way: “OK, we got $5. What have we done with that? What weakness is the $5 remediating or what exactly is it going to? You need to be able to quantitatively show that.” With that in mind, DHS developed the Unified Cybersecurity Maturity Model (UCMM), a framework that “allows us to tie the investment dollars to the cybersecurity of a [high-priority] program and its component systems,” Baidwan said.
In simple terms, the model guides the department through the process of identifying critical cybersecurity challenges, determining the resources needed to address them and showing how that investment qualitatively improves the program’s overall cyber maturity.
Baidwan said this automated risk prioritization allows system teams to optimize the time they spend remediating system deficiencies to provide the best achievable system maturity with the least time and staff expenditures.
UCMM has proven invaluable when talking about cyber investments not just with IT experts, but with chief financial officers, budget examiners and lawmakers, he added. The agency also uses the model to track and report on the outcomes of those investments.
DHS highlighted UCMM in its “Integrated Strategy for High-Risk Management,” a biannual update to the Government Accountability Office.
“The UCMM framework has been a key in aligning recovery actions from the SolarWinds Incident and guiding implementation of critical cybersecurity capabilities and above guidance requests,” the report states. “Going forward, the framework provides a means to guide cybersecurity maturity level measurement for the Department.”
Early Wins
Today, UCMM is part of modernization planning. DHS recently shifted from large-scale modernization efforts to what DHS CIO Eric Hysen refers to as “modernize in place,” which focuses on fixing specific weaknesses or delivering specific new capabilities.
As part of this move, DHS leaders use UCMM to guide evaluations of modernization risk, Hysen said while testifying before the Senate Committee on Homeland Security and Governmental Affairs in May 2023. “For modernization programs, assessments under UCMM are critical to determine future investments,” he explained.
Indeed, the department plans to give the model an increasingly larger role in IT and budget planning, according to DHS’s Information Technology Strategic Plan (FY 2024-2028). “To support risk-based decision-making, DHS is aligning future IT budget requests with the DHS UCMM framework,” the plan states. “We will issue annual IT resource planning guidance and approve funding for projects that are in line with our modernization objectives.”
The framework also has helped the department do a better job of resolving cybersecurity concerns that its Office of Inspector General (OIG) has raised. As a standard practice across government, agencies create a Plan of Action and Milestones (POA&M) to identify and track tasks needed to address an audit concern.
As part of its annual cybersecurity audit, the DHS OIG had identified POA&M tracking as a key deficiency several times. But in fiscal 2022, the department’s Management Directorate used UCMM to prioritize overdue POA&Ms and successfully closed about 64% of them, according to the OIG. DHS then began implementing the same approach at other components.
Focus on Outcomes
UCMM’s value extends well beyond risk assessments and planning. When DHS makes an investment, Baidwan and other DHS leaders can use the framework to report on its outcomes, whether they are talking to the Office of Management and Budget or Congress. It comes back to that $5, Baidwan said. “I want to make sure that I’m able to internally track that. ‘OK, we got $5. What have we done with that?’”
DHS plans to share UCMM, which is patent pending, with other agencies, so they can use it, too, he said.
This article appeared in our guide, “Government Gears Up for a Better Cyber Future.”