With government regulation on everyone's mind these days, the US Federal Government is turning its attention to two areas of interest to GRC practitioners: Cybersecurity and Financial Controls.
The government has for years mandated very specific cybersecurity regulations as part of FISMA. One of the core documents of FISMA is NIST Special Publication 800-30, the Risk Management Guide for Information Technology Systems. This document defines the process of managing risk to information technology systems according to an overall risk management process that includes
- Risk Assessment (a standard 7 step process)
- Risk Mitigation
- Evaluation and Assessment
Each of these phases is highly scripted, including the risk-based selection, deployment, and testing of controls. This overall process of planning assessments, assessing risk, responding to risk, and monitoring risk seems to be common across most risk assessment frameworks, including ISO, among others. Many state governments, as well as insurance companies that process Medicare claims, and the Federal Reserve System are all subject to these specific rules.
In general, more mature organizations find that adopting a standard risk management process, as the government has done with NIST SP 800-30, can lead to significant improvements in an organization's risk posture. Organizations that can identify and manage risk will benefit from lower exposure to risk, a greater likelihood of achieving organizational objectives, and improved competitive advantage. It will be interesting to see these regulations evolve with the expansion of governmental involvement in cybersecurity.
The newly announced cybersecurity czar for the Obama administration will have broad responsibility both to ensure that existing cybersecurity laws and regulations are followed and to direct efforts to implement new cybersecurity regulations and laws such as the Cybersecurity Act of 2009. This new law will greatly enhance the role the government plays in managing private industry cybersecurity. Whoever fills this position will have a critical role in ensuring the continued protection of government systems, managing the expansion of governmental authority over the nation's critical infrastructure, and coordinating with other interested parties (e.g., the Department of Defense). Government cybersecurity affects all of us, including the protection of our tax records, social security records, medical records, and a host of additional information.
In addition to cybersecurity (and cyber-warfare, a topic for another day), there is also a huge government focus in the financial controls arena with the ongoing financial crisis. There is an ongoing effort to design appropriate controls into the Troubled Asset Relief Program (TARP) and other financial stimulus packages. Additionally, on June 17, 2009 the administration released Financial Regulatory Reform: a New Foundation, which contains a number of proposed federal regulations to oversee the financial industry.
The proposed regulations include shifts in authority, including a new consumer protection agency, the first Federal standard for insurance companies, enhanced federal oversight of the financial industry, consumer and investor protections, and added government enforcement tools.
This new foundation for financial regulatory reform intends to transform the financial industry through new and improved government oversight and a renewed focus on transparency and compliance with federal regulations. Of course, every financial crisis and stock market crash results in new regulations and regulatory bodies. Time will tell how this new version will succeed, but it is clear that the tracking and enforcement of regulatory compliance and risk management are critical to the success or failure of all such efforts.