OMB officially expands DHS’s cyber role

By Jason Miller
Executive Editor
Federal News Radio

The Office of Management and Budget put the Homeland Security Department officially in charge of all civilian agency computer networks.

OMB Director Peter Orszag and White House cybersecurity coordinator Howard Schmidt signed a memo July 6 detailing the roles of responsibilities around federal cybersecurity for DHS, OMB and Schmidt’s office.

“Everybody interprets things differently which is why we are looking to make sure there is clarity out there on stuff the people need to be doing,” says Schmidt after his speech at the AFCEA Cybersecurity Symposium in Washington Thursday.


He says the memo is not related to the multiple bills Congress is considering that would redefine Schmidt’s office as well as how agencies comply with the Federal Information Security Management Act (FISMA). And one bill, sponsored by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), would give DHS more authority over civilian networks.

“It is strictly related to the work we are looking to do with the agencies out there, just for clarification,” Schmidt says.

OMB first hinted at these major changes in its 2010 FISMA guidance issued in April. In it, OMB says it will start collecting data from agencies on the health of their networks in real time through the Cyberscope tool, and begin interviewing agencies about how they ensure their computers are safe. DHS will play a major role in both of these actions.

Now in the new memo, OMB says DHS will:

  • Oversee the governmentwide and agency-specific implementation of and reporting on cybersecurity policies and guidance;
  • Oversee and assist governmentwide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity;
  • Oversee the agencies’ compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report;
  • Oversee the agencies’ cybersecurity operations and incident response and providing appropriate assistance; and
  • Review agencies’ cybersecurity programs annually.

“To clarify and avoid confusion, effective immediately, OMB will be responsible for the submission of the annual FISMA report to Congress, for the development and approval of the cybersecurity portions of the President’s Budget, for the traditional OMB budgetary and fiscal oversight of the agencies’ use of funds and for coordination with the Cybersecurity Coordinator on all policy issues related to the prior three responsibilities,” the memo states. “The Cybersecurity Coordinator will have visibility into DHS efforts to ensure federal agency compliance with FISMA and will serve as the principal White House official to coordinate interagency cooperation with DHS cybersecurity efforts.”

Previously, OMB’s Office of E-Government and Information Technology assumed responsibility for many of the efforts DHS now will oversee.

While Schmidt didn’t address the memo in his speech at the AFCEA conference, he did recognize that DHS, OMB and the White House cannot secure federal networks alone.

He says public-private partnerships are crucial to the effort, but it has to be more than just words. The private sector owns as much as 90 percent of the critical infrastructure the government uses to meet its mission.

“We still need to smooth that out and redefine it,” Schmidt says. “We have to wind up in a position where we have the ability to share information at all kinds of levels that really make a change for people.”

Schmidt says the government must look at the information it’s getting about cyber threats or vulnerabilities and not just classify it.

“There’s got to be a balance that we have to do given that the owners and operators of our critical infrastructure are so key to our success on the government side,” he says.

The need for better partnerships or relationships was a theme throughout the conference. Several speakers pointed to the need to improve information sharing.

Guy Copeland, chairman of the Cross-Sector Cybersecurity Working Group and CSC’s vice president of information infrastructure, says many times the classified information the government gives industry isn’t all that helpful for the network administrator.

“It’s not something you can take and apply to the network,” he says. “It’s far more oriented toward who is doing what, what they intend to do with it, what’s their agenda and what are they after. For a network administrator, that’s almost useless.”

He says the goal is to get down to the bits and bytes the operators can use and get the information in real time.

A group of companies are trying to do just that. About 30 technology, financial services, Defense industrial base and communications firms are taking part in a pilot to share cyber threats in real time.

Ed Mueller, the chairman of the President’s National Security Telecommunications Advisory Committee and chairman and CEO of Qwest, says the test started April 19 and will last six months.

Mueller says once the pilot is completed, it could be expanded to other sectors and serve as the model for a public-private information sharing initiative.

The National Security Agency, DoD, DHS and the intelligence community also are working closely with the Defense Industrial Base (DIB) and the telecommunications companies on an Enduring Security Framework.

Anne Neuberger, special assistant to the director of NSA for Enduring Security Framework Forum, says the group works on cyber issues related to the DIB.

“Military networks are not only those that end in .mil, there’s a key reliance on private sector networks,” she says. “We quote that something close to 85 percent of the military’s logistics are transported by private sector companies and that information is often housed in classified and unclassified private sector networks.”

The group sets up panels to address these issues at an operational level. The panels pass the information up to the executive committee made up of CEOs and senior federal officials.

“The value in public-private partnership…is sharing classified information to give the broader perspective of the threat,” Neuberger says. “Gaining that knowledge from classified threat briefings, from focused threats and targeted threats, places the private sector with more of a knowledge to invest increased security and understand the value of sharing the information about vulnerabilities that occur and to expect more from the government…to provide focused, targeted intelligence to better protect the critical infrastructure sector.”

(Copyright 2010 by All Rights Reserved.)