
Harnessing and Protecting Data Assets in a 21st Century Financial Enterprise

By Tony Hubbard, CISA, CISSP; Jennifer A. Fabius, CRISC, CISSP; and Jeffrey C. Steinhoff, CGFM, CPA, CFE, CGMA

In the wake of the data explosion, government financial managers stand like wranglers, encircled by big data — as much as 80 percent of it unstructured¹ — and keenly aware of new technical capabilities to do something with it. Yet this data and the ability to analyze it will only gain value for government when it can be routinely roped and tamed into useful management information.

The increased quantity and value of data places an additional premium on protecting these assets, because government stands directly in the crosshairs of cyberattackers wishing to do harm.² Snatched from 2018 headlines, a couple of reports illustrate the current problem:

“. . . federal agency data is under siege,” with 57 percent of federal agencies experiencing a data breach in the past year, over three times the number of agencies reporting breaches two years ago.³

“. . . close to $600 billion, nearly one percent of global GDP, is lost to cybercrime each year, which is up from a 2014 study that put global losses at about $445 billion.”⁴

At the same time, government entities continue to cope with antiquated IT systems and “stove-piped” organizations that may be resistant to significant change. As a result, data assets are not fully leveraged.

How can government harness and protect data to drive modernization for the 21st century? In implementing the President’s Management Agenda (PMA), four key aspects of the plan impact this data challenge: IT system modernization; data management and analytics; strategic cybersecurity programs and the cyber workforce; and blockchain.

WINTER 2018–19 JOURNAL OF GOVERNMENT FINANCIAL MANAGEMENT 35 Copyright 2019. Association of Government Accountants. Reprinted with permission. All rights reserved.


Setting the Bar

The PMA provides long-term vision focused on mission outcomes and effective stewardship of taxpayer dollars⁵ and identifies three overall transformation drivers.

1. Modern IT must function as the backbone of government service in the digital age. The PMA addresses:

enhanced mission effectiveness through increased use of cloud-based solutions;

reduced cybersecurity risks from leveraging current commercial capabilities and implementing cutting-edge cybersecurity tools;

a modern IT workforce.

All are topics further explored in the “Report to the President on Federal IT Modernization” (IT Modernization Report).⁶ In addition, setting the administration’s bar for cybersecurity is Executive Order (EO) 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,”⁷ plus extensive cybersecurity provisions in the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2018⁸ and the John S. McCain NDAA for FY 2019.⁹

2. Data, accountability and transparency initiatives must deliver visibly better results to the public, while improving accountability for sound fiscal stewardship.

3. The 21st century workforce must enable senior leaders and front-line managers to align staff skills with evolving mission needs.

The PMA reinforces the imperative to work across functional disciplines and across agencies, rather than in silos, to tackle interconnected barriers to change.

Systems Modernization

In FY 2017, the operations and maintenance of legacy systems consumed a reported 80 percent of the $85 billion spent on federal IT systems.¹⁰ In 2016, the 10 oldest reported legacy systems, including one for processing tax returns, were 39-56 years old.¹¹

The NDAA for FY 2018 codified the Modernizing Government Technology Act, which authorized CFO Act agencies¹² to establish IT modernization and working capital funds to:

Improve, retire or replace existing IT systems to enhance cybersecurity and increase efficiency and effectiveness;

Transition legacy IT systems to commercial cloud computing and other innovative commercial platforms and technologies, including consolidating services across multiple agencies;

Assist and support efforts to provide adequate, risk-based, cost-effective IT capabilities that address evolving cybersecurity threats.

The legislation established the Treasury Technology Modernization Fund with $250 million for FY 2018 and FY 2019 to improve long-term efficiency and effectiveness of IT products and services, while enhancing cybersecurity and privacy. It also called for greater use of commercial cloud computing and other innovative technologies to enable legacy system retirement.

In addition, the IT Modernization Report called for agencies to:

Prioritize modernization of high-risk, high-value legacy systems and focus on enhancing security and privacy controls for essential mission systems;

Identify solutions to break current barriers to cloud adoption, based on real-world cases;

Consolidate and standardize network and security service acquisition to take full advantage of innovation and economies of scale and minimize duplicative investments in existing security capabilities;

Shift to shared services to enable future IT architectures;

Enable use of commercial cloud services and accelerate adoption of cloud email and collaboration tools;

Replace or augment existing agency-specific technology with consolidated capabilities that improve visibility and security;

Realign IT resources through business-focused, data-driven analysis and technical evaluation.

Moving to the Cloud

A study of federal cybersecurity breaches concluded “agencies that invest more in new IT development and modernization experience fewer security breaches than ones that invest more in maintenance of legacy systems. Outsourcing legacy systems to the cloud also reduces the frequency of security breaches.”¹³

But heed a word of caution from the author of the 2018 Thales Data Threat Report:¹⁴

“The massive adoption of cloud computing does not correlate with implementations of data security tools suited to protect these new environments. Although 78 percent view data-in-motion and 77 percent view data-at-rest encryption as the most effective tools for protecting data, only 23 percent of U.S. respondents have implemented encryption in the cloud. Additionally, only 31 percent claimed cloud computing security was a top spending priority.”¹⁵

Shared services and cloud computing would allow agencies to draw upon leading practices in the IT Modernization Report. For example, IT investments should be premised on adherence to disciplined processes that include the rigor of leading system acquisition and development practices. They should embed sound cybersecurity to help achieve cost, schedule, performance and information security expectations, such as privacy, a focus of the Office of Management and Budget¹⁶ and addressed in authoritative publications of the National Institute of Science and Technology (NIST).¹⁷

The Treasury Technology Modernization Board’s funding proposal evaluation criteria should naturally help drive agencies toward greater collaboration and standardization. In turn, some level of cultural transformation will be required to break down barriers that permitted continuing investments into suboptimal, customized legacy systems.

ESSENTIAL ELEMENTS OF CHANGE INCLUDE:

✓ IT systems modernization and business transformation to break down silos, leverage the cloud, support movement to shared services, and adapt readily to emerging technology and cybersecurity environments;

✓ Strong tone at the top that instills commitment to, understanding of, and responsibility for sound data management and protection;

✓ Initiatives to identify and remediate cultural impediments hindering broad transformation;

✓ Basic organizational elements of leading data management and protection programs, such as sound governance, which includes value-added policies and procedures, training and awareness, and continual oversight and improvement;

✓ Cybersecurity hygiene in routine day-to-day management of critical information assets and infrastructure, including focus on insider threats;

✓ Alignment of data to existing and future business priorities and initiatives;

✓ A world-class IT and cyber workforce, supported by the private sector as needed, who thoroughly understands and values IT transformation, business process improvement, and cybersecurity leading practices.


Data Management and Analytics

Supported by increasingly powerful analytic tools, data management is vital to meeting the PMA’s transformation goals. The NDAA for FY 2018 addresses the need for data governance and, when appropriate, application of the same source used to produce annual audited financial statements. This aligns with leading practices, whereby organizations routinely turn data into insight to drive high-quality decision-making and monitoring.

Capabilities range from straightforward data mining¹⁸ and continuous monitoring for anomalies to predictive analytics, data algorithms, and cognitive systems that mimic human activities, the most advanced class of intelligent automation.¹⁹ (Think of IBM’s Watson.) Noticeable in government today is the shift to robotic process automation, especially well-suited to basic finance functions that are repetitive and labor intensive.

The data game plan changed entirely when current systems became able to fully leverage unstructured data through advanced analytics, find meaningful ways to consume it, and build the associated knowledge ontology. Decisions can now be fact-based, analytic and anticipatory. Moreover, these enhanced capabilities lead to deeper insight into real-time cyberthreats and root causes of cyber vulnerabilities to better safeguard data assets.²⁰

Ongoing cyberthreat intelligence is critical to proactive combat against cyber risks. Leading organizations gain a comprehensive understanding of existing cyberthreats, acquire effective data analytics tools, employ the appropriate workforce to analyze data output, and develop sound cybersecurity strategies and policies.

Strategic Cybersecurity Programs and the Cyber Workforce

EO 13800 requires agencies to use NIST’s Cybersecurity Framework²¹ to align risk management processes with strategic, operational and budgetary processes, thereby underscoring the integral role of cybersecurity in mission achievement. Leading organizations embed cybersecurity into normal, day-to-day business processes and operations. As it becomes routine and adds clear value, cybersecurity sheds its reputation as an operational burden.

Organizations benefit greatly from a comprehensive cyber maturity assessment (CMA), which provides a benchmark against leading practices. Instrumental in helping to identify gaps and solutions through its holistic approach, a CMA ultimately leads to an integrated, prioritized list of existing cybersecurity issues mapped to action items and achievable goals. By determining root causes of problems and broadly implementing change, agencies can avoid piecemeal, stove-piped solutions.

Government must build a cyber-aware workforce. The 2017 Global Information Security Workforce Study found 69 percent of government workers believe too few information security workers are employed in the federal workforce.²² Government respondents attributed this shortage to difficulty in finding and retaining qualified personnel, plus insufficient understanding of qualifications required among information security employees. Nearly half of government respondents said the shortage contributes greatly to government cyber breaches. Even though competition for cyber talent remains fierce, the study forecast a shortage of 1.8 million qualified cybersecurity staff workers by 2022,²³ up 20 percent from the 2015 study.²⁴


Developing long-term strategies will be important to becoming a cyber employer of choice in the future. Leading practices include:

excepted service hiring authority to streamline employment;

a simplified and accelerated job classification process;

recalibrated applicant screening focused on demonstrated skills and results;

competitive compensation packages;

training for the existing workforce;

partnering with the private sector.

For example, the U.S. Department of Defense works to build and sustain its uniformed cyber workforce and then to retain this talent once the soldier leaves active duty through programs such as the Army Reserve’s Cyber Public Private Partnership.²⁵ Supported by the U.S. Department of Homeland Security, the U.S. Cyber Challenge mission is to address shortages in the cyber workforce by finding “10,000 of America’s best and brightest to fill the ranks of cybersecurity professionals, where their skills can be of the greatest value to the nation.”²⁶

But the cyber workforce is not just about people who specialize in cybersecurity. Certain baseline skills are essential among the financial management community, and they are becoming necessary even in other fields. An understanding of “cybersecurity as everyone’s job” must be instilled in the culture of every federal organization, in each employee and contractor. In leading organizations, a strong management tone — from the top — stimulates transformation.

Blockchain

Technology has accompanied the financial management community to places unimaginable a decade ago. Blockchain promises to revolutionize accountability and transparency as we know it. The technology is designed to create permanent, unalterable records of transactions within a network by distributing so-called digital ledgers among participants. Transactions conducted by network members are recorded in sequence in the digital ledger. Each individual transaction “block” is linked together in a chain. Since blockchain relies on references to other blocks that are cryptographically secure within the ledger, some proponents contend it is virtually impossible to manipulate the information.²⁷

Still in its relative infancy in government, blockchain holds enormous potential for financial management. But implementation will require care, including data protection. Already, certain vulnerabilities have been noted. While touted as inherently cybersecure because its principles are founded on cryptography and immutability (i.e., information can be permanently stored on a tamper-free public ledger), this is not necessarily the case. In two significant incidents of blockchain hacking, identified risks included: (1) poor implementation; (2) unauthorized access, such as through cryptographic key theft; and (3) identity management weaknesses.²⁸

Finance organizations, then, must understand all technical implications of blockchain security before using it. Blockchain underpinnings include:

Cryptography, key management and tokenization;

Chain permission management and privacy;

Data management and segregation;

Chain defense;

Interoperability and integration;

Scalability and performance;

Business continuity and disaster recovery;

Consensus mechanism and network management.²⁹

Obviously, the CFO must partner with the Chief Information Officer for needed expertise in implementation. Leading organizations address numerous issues in making the initial decision to move to blockchain and during subsequent implementation, including:

Interoperability: New authentication and communications protocols will demand organizations convert data models and business processes.

Control and collusion: The consensus algorithm and risks related to a take-over attack by a single participant or group of participants could effectively block, delay or modify transactions.

Data management and governance: Large volumes of transactions and the presence of data outside the network present risks, like those in cloud computing.

User access and provisioning: Blockchain relies on unique addresses assigned to each member, which are used for sending and receiving data. Because they are authenticated by public key infrastructure, it is critical for the system to adequately restrict access, using the most appropriate access control model and proper segregation of duties.

Scalability: Blockchain platforms must be proven capable of handling high-volume transactions typical in government.

Trust and accreditation: Users will want assurance regarding security, privacy and integrity of their transactions and data.

Change management: Because of their impact on timelines and subsequent changes, the blockchain platform and implementation strategy must be agreed upon at the outset.

Access and user management: Since users may reside in many different organizations, including outside organizations, difficulties may arise in segregating and managing access and use by organization and by role.³⁰

Final Thoughts

In the words of President John F. Kennedy, “There are risks and costs to a program of action — but they are far less than the long-range cost of comfortable inaction.” For government, action is needed to harness and protect its data assets. Emerging technology delivers the necessary equipment for the job, and the PMA’s transformation drivers provide baseline expectations and long-term vision for change. It is time to ride into the 21st century, where turning data into information supports programs and operations that work better and cost less. The journey will heighten the accountability and transparency Americans deserve.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. This article represents the views of the authors only, and not necessarily the views or professional advice of KPMG LLP.

Endnotes

1. The 80 percent estimate for unstructured data is commonly referenced. For example, see “Big Data, for better or worse: 90% of the world’s data generated over the last two years,” Science Daily, May 22, 2013; and the “Biggest data challenges that you may not know you have,” by Christie Schneider, IBM, May 25, 2016.

2. “Protecting Data Assets in a Perilous Cyber World,” by Tony Hubbard, Geoffrey L. Weber and Jeffrey C. Steinhoff, Association of Government Accountants Journal of Government Financial Management (AGA Journal), fall 2017 (http://www.kpmg-institutes.com/content/dam/kpmg/governmentinstitute/pdf/2017/protecting-data-assets-aga-reprint-web.pdf).

3. “2018 Thales Data Threat Report — Trends in Encryption and Data Security, U.S. Federal Edition, Executive Summary,” issued by Thales in conjunction with analyst firm 451 Research, Feb. 22, 2018 (https://dtr.thalesesecurity.com/pdf/2018-thales-dtr-federal-edition-executive-summary.pdf).

4. “Economic Impact of Cybercrime — No Slowing Down,” CSIS, in partnership with McAfee, Feb. 21, 2018 (https://www.csis.org/analysis/economic-impact-cybercrime). The estimated economic impact is in US dollars.

5. “The President’s Management Agenda: Modernizing Government for the 21st Century,” March 20, 2018 (https://www.whitehouse.gov/omb/management/pma/).

6. The report was prepared in response to a requirement in EO 13800. From the report’s Executive Summary: “This report outlines a vision and recommendations for the Federal Government to build a more modern and secure architecture for Federal IT systems.” (https://itmodernization.cio.gov/assets/report/Report%20to%20the%20President%20on%20IT%20Modernization%20-%20Final.pdf).

7. EO 13800 initiates action on cybersecurity across three interrelated aspects to provide a national approach: (1) federal networks, or how the federal executive branch safeguards its own IT systems; (2) the federal government’s leadership role to identify and support cybersecurity of critical infrastructure at greatest risk across all levels of government and all sectors of business; and (3) national implications of cybersecurity that transcend federal networks and critical infrastructure so the Internet remains valuable to future generations. (https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/). Also, see “Presidential Executive Order 13800: Strengthening Cybersecurity of Federal Networks and Infrastructure — Perspectives on implementation challenges and leading practices,” KPMG Government Institute, Aug. 23, 2017 (http://www.kpmg-institutes.com/institutes/government-institute/articles/2017/08/presidential-executive-order-13800--strengthening-cybersecurity-.html) and “Seizing the opportunity — Protecting information from cyber attacks through OMB Circular A-130,” KPMG Government Institute, Nov. 15, 2016 (https://www.kpmg-institutes.com/institutes/government-institute/articles/2016/11/seizing-the-opportunity-to-protect-information-from-cyber-attack.html).

8. Public Law 115-91, Dec. 12, 2017 (https://www.congress.gov/bill/115th-congress/house-bill/2810/text).

9. Public Law 115-232, Aug. 13, 2018 (https://www.congress.gov/bill/115th-congress/house-bill/5515/text).

10. itdashboard.gov (https://myit-2018.itdashboard.gov/drupal/summary/007).

11. “Here Are 10 of the Oldest IT Systems in the Federal Government,” by Jack Moore, Nextgov.com, May 25, 2016. For more information on the challenges of legacy systems, including the two examples cited above, see “Federal Agencies Need to Address Aging Legacy Systems,” GAO-16-468, May 2016 (https://www.gao.gov/assets/680/677436.pdf).

12. Public Law 101-576, Nov. 15, 1990 (https://www.gpo.gov/fdsys/pkg/STATUTE-104/pdf/STATUTE-104-Pg2838.pdf).

13. Pang, Min-Seok and Tanriverdi, Hüseyin, “Security Breaches in the U.S. Federal Government,” March 7, 2017, Fox School of Business Research Paper No. 17-017 (Available at SSRN: https://ssrn.com/abstract=2933577 or http://dx.doi.org/10.2139/ssrn.2933577).

14. See Endnote 3.

15. Garrett Bekker, 451 Research Principal Analyst, Information Security.

16. OMB Circular A-130, Managing Information as a Strategic Resource, July 28, 2016 (https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf).

17. NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018 (https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework).

18. “Smart Use of Data Mining is Good Business and Good Government,” by Jeffrey C. Steinhoff and Terry L. Carnahan, AGA Journal, spring 2012 (http://www.kpmg-institutes.com/content/dam/kpmg/governmentinstitute/pdf/2012/data-mining.pdf).

19. “The March of the Robots,” by Jeffrey C. Steinhoff, Andrew C. Lewis and Kirke E. Everson, AGA Journal, spring 2018 (http://www.kpmg-institutes.com/content/dam/kpmg/governmentinstitute/pdf/2018/march-robots-aga.pdf), and “Demystifying intelligent automation — The layman’s guide to the spectrum of robotics and automation in government,” by David B. Kirk, Ph.D., and adapted for the government environment by Kirke Everson and Jeffrey C. Steinhoff, KPMG Government Institute, May 2017 (http://www.kpmg-institutes.com/content/dam/kpmg/governmentinstitute/pdf/2017/demystify-intelligent-automation.pdf).

20. “Embracing Game Changers,” by Jeffrey C. Steinhoff, Kirke E. Everson, Viral Chawda and Joseph M. Ward, AGA Journal, spring 2017 (http://www.kpmg-institutes.com/content/dam/kpmg/governmentinstitute/pdf/2017/aga-game-changers.pdf).

21. See Endnotes 7 and 17.

22. “The 2017 Global Information Security Workforce — Benchmarking Workforce Capacity and Response to Cyber Risk,” A Frost & Sullivan Executive Briefing for the Center for Cyber Safety and Education™ (formerly the (ISC)² Foundation), Feb. 14, 2017 (https://www.iamcybersafe.org/wp-content/uploads/2017/06/Europe-GISWS-Report.pdf).

23. Ibid.

24. “The 2015 (ISC)² Global Information Security Workforce Study,” A Frost & Sullivan White Paper, April 16, 2015 (https://iamcybersafe.org/wp-content/uploads/2017/01/FrostSullivan-ISC²-Global-Information-Security-Workforce-Study-2015.pdf).

25. “Competition for Cyber Talent Drives New Army and DHS Efforts,” by John Slye, April 22, 2015 (https://iq.govwin.com/neo/marketAnalysis/view/370?researchTypeId=1&researchMarket=).

26. See https://www.uscyberchallenge.org/

27. “Are Intelligent Automation & Blockchain Poised to Disrupt HHS?” Governing Institute and KPMG LLP, October 2017 (http://www.kpmg-institutes.com/institutes/government-institute/articles/2017/10/are-intelligent-automation-and-blockchain-poised-to-disrupt-hhs-.html).

28. “Securing the chain,” KPMG International, May 16, 2017 (https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2017/05/securing-the-chain.pdf).

29. Ibid.

30. “Missing link — Navigating the disruption risks of block chain,” KPMG LLP, 2016 (https://advisory.kpmg.us/content/dam/kpmg-advisory/risk-consulting/pdfs/2016/block-chain-case-study-web.pdf).

Tony Hubbard, CISA, CISSP, a member of AGA’s Montgomery/PG Chapter, is a principal and leads KPMG’s Federal Cybersecurity practice. He has more than 25 years of experience supporting agencies, including HHS, VA and Defense, in cybersecurity areas such as identity access management, governance, authorization and accreditation, and assessments under FISMA and NIST guidance. He is also a member of ISACA, ISSA, (ISC)2 and AFCEA.

Jennifer A. Fabius, CRISC, CISSP, a member of AGA’s Northern Virginia Chapter, is a director in KPMG’s federal advisory practice, specializing in cybersecurity at DoD. She has over 15 years of cyber and IT risk management assessment experience and formerly supported NIST. She was a core contributor to the Joint Task Force Transformation Initiative, a partnership between NIST, DoD and the intelligence community to develop the federal government’s unified information security framework. She also coauthored key authoritative guidance, such as NIST 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations.” Jennifer is an executive fellow of the KPMG Government Institute.

Jeffrey C. Steinhoff, CGFM, CPA, CFE, CGMA, an AGA Past National President and member of AGA’s Northern Virginia and Washington DC chapters, is managing director of the KPMG Government Institute. During a 40-year federal career, he was assistant comptroller general of the U.S. for Accounting and Information Management, led GAO’s largest audit unit, had responsibility for developing government auditing and internal control standards, and was a principal architect of the CFO Act. He founded AGA’s CGFM program and received the Robert W. King Memorial Award, AGA’s highest honor. He is an elected NAPA fellow.


About the KPMG Government Institute

The KPMG Government Institute was established to serve as a strategic resource for government at all levels, and also for higher education and not-for-profit entities seeking to achieve high standards for accountability, transparency, and performance. The Institute is a forum for ideas, a place to share leading practices, and a source of thought leadership to help governments address difficult challenges such as performance management, regulatory compliance, and fully leveraging technology.

kpmg.com/us/governmentinstitute

For more information, contact:

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name and logo are registered trademarks or trademarks of KPMG International.


Tony Hubbard, Principal, Risk Consulting, Federal Advisory. T: 703-286-8320

Jennifer Fabius, Director, Risk Consulting, Federal Advisory. T: 703-286-8000

Jeffrey Steinhoff, Managing Director, Government Institute. T: 703-286-8710