The Office of Management and Budget is finalizing new cybersecurity guidance, the first major policy in more than three years.
Industry and government sources confirm OMB Director Sylvia Burwell is reviewing the new policy that would tell agencies how to implement federal information system continuous monitoring (FISCM).
Notice the change here — it’s no longer just continuous monitoring, but OMB is clarifying what agencies will continuously monitor. In this case, it’s only federal systems or the dot-gov network.
Several sources confirmed that OMB had the document ready to go a few weeks ago, but senior officials expressed concern over the term “continuous monitoring” without a modifier. Call it fallout from the Edward Snowden situation.
Sources say OMB pulled the memo back from being published and re-reviewed it to specifically address any concerns over what types of systems and information agencies will monitor.
Industry and government sources applauded OMB’s foresight into this situation. Those in the general media and public who are under-educated about what continuous monitoring means and how it works could have caused a huge uproar over something that is fairly benign.
Sources say OMB adopted the information system continuous monitoring designation from the National Institute of Standards and Technology’s Special Publication 800- 137, which helps agencies develop and implement a continuous monitoring program.
Of course, a change like that flows down several layers and into other policies and standards, which is a major reason for the delay in releasing the new policy.
Sources say the policy is fairly long, more than 10 pages, and addresses all aspects of implementing FISCM.
OMB will release the policy just as the Homeland Security is getting its blanket purchase agreement for continuous diagnostic and monitoring services up and running.
DHS awarded the contract to 17 vendors in early August. The vendors will provide tools, hardware and software to implement continuous-monitoring-as-a-service (CMaaS).
Suzanne Spaulding, the nominee to be DHS’s under secretary of the National Protection and Programs Directorate (NPPD), testified last week during her nomination hearing that the CDM program faces budget and legislative hurdles. A DHS official said after the hearing that all 23 civilian CFO Act agencies have signed agreements to implement continuous monitoring.
And speaking of cybersecurity, there has been a lot of focus — and vendor pitches — about what would happen to agency system security during the shutdown.
Federal Chief Information Officer and acting Deputy Director for Management at OMB Steve VanRoekel even gave The Wall Street Journal an interview on the potential cyber problems created by the government shutdown.
But is there really any increased risk to federal systems?
Several cyber experts with years of experience in the federal market say, it’s all a bunch of hooey — a technical term I’m told.
One small agency chief information officer said they asked staff before the shutdown what systems were absolutely essential and the skeleton staff is monitoring only those applications actively.
But the CIO, who requested anonymity so they could speak to the press, also said the chief information security officer and other key security federal employees at their agency are essential employees, and all contractors running their network operations center (NOC) are at work during the shutdown. The CIO said their agency ensured there was enough funding under the contract to keep the NOC running at least through the end of October.
As for those systems that were not deemed vital, the NOC still is paying close attention and will fix any cyber vulnerabilities. But the CIO said if a server fails or if the application needs updating that is unrelated to cybersecurity, that may have to wait until after the shutdown.
Another industry cyber expert said agencies keep the most talented and important cybersecurity employees on during the shutdown.
“You actually get a glorious understanding of who matters and what you can do without during the shutdown,” said the industry expert, who requested anonymity in order to speak more candidly. “The guys running the systems do know who is good and who isn’t, but it doesn’t do them any good to tell people during a non- shutdown time.”
The industry source said the administration’s reasons for bringing up cybersecurity during the shutdown is all part of the game of controlling perception and pressure so Congress acts to end the shutdown. The source said it’s similar to closing national monuments and parks, it’s a pain point businesses and citizens understand easily and will call Congress to complain about.
What it comes down to is, according to these experts, systems are not at any more risk than usual. The federal cyber machine is as strong as ever, with the only exception that the non-cyber IT workers who may know something about technology aren’t there to provide insight or help. But comparably, that’s a minimal drop in overall security.
A real victim of the shutdown is the General Services Administration’s multi- billion dollar professional services contract, known as OASIS.
GSA announced late Thursday that it was suspending the due date for proposals from industry for the One Acquisition Solution for Integrated Services (OASIS) indefinitely because of the government shutdown.
“A definitive proposal due date will be established once the Government shutdown situation is resolved,” GSA stated in a notice of FedBizOpps.gov. “Offerors are instructed to NOT submit proposals until further instruction.”
The notice comes after GSA already extended the due date for proposals to Oct. 10. The agency also faces a third protest of the solicitation.
Of course, if the shutdown ends fairly quickly, the impact on OASIS will be minimal. But the delay because of the shutdown will cause the timeline to stretch out even farther no matter.
There were a couple of personnel changes that have gone under the radar in the last few weeks.
Greg Elin, the first federal chief data officer, recently left the Federal Communications Commission to start his own company.
Elin was with the FCC for more than three years after spending time at the Sunlight Foundation. He started as the associate managing director of new media, became acting CDO and eventually became the first full-time chief data officer.
The CDO trend is gaining momentum throughout government. The FCC has 10 CDO’s across all of its divisions, but more importantly, Rep. Darrell Issa (R- Calif.) and Sen. Mark Warner (D-Va.), included requirements in their separate versions of the DATA Act for agencies to name a senior accountable official in charge of the agency’s data.
The Postal Service has a new acting CIO. James Cochrane took over the position from Ellis Burgoyne, who retired in August after more than 35 years of service.
Cochrane becomes the acting CIO after spending the last two years as the vice president of product information where he was responsible for innovations in technologies and tracking systems, including the Intelligent Mail barcode and Intelligent Mail package barcode.
During his tenure, Burgoyne focused on five main projects aimed at cutting costs while improving efficiency and growing revenue. These included mail digitization and a global positioning satellite system for real-time tracking of mail.
Director of National Intelligence James Clapper and Gen. Keith Alexander, director of the National Security Agency, offered an update on the changes the IC is making in the post Snowden era. Sen. Al Franken (D-Minn.) asked about how the IC is better tracking and protecting how and when information is accessed.
“[W]e’ve implemented the two-person control on devices into certain rooms and stuff, and we’re piloting part of that for the intelligence [community/committee],” Alexander said according to the hearing transcript provided by the committee.
Clapper added the pilot includes two aspects. The first is a system of continuous evaluation of people cleared.
“One is to go to a system of continuous evaluation for people who are cleared, as opposed to the current system, where if someone is given an initial clearance and then may go five years or more for a top secret clearance or 10 years for a secret clearance, that system’s got to change so we can do this continuously,” he said. The second part is insider threat detection that started in the aftermath of the WikiLeaks publication of classified material.
Clapper said the IC needs a “more comprehensive means of detecting anomalous electronic behavior of people on the job.”
Clapper has discussed the changes to the process, but this is really the most detail he’s provided on what the IC believes will be real improvements to the process.
The big question is not what events are schedules, but which ones actually will happen next week. One that is still on is the AFFIRM luncheon Thursday on cybersecurity, where Federal News Radio’s Francis Rose moderates a panel that includes NIST’s Adam Sedgewick, GSA’s Maria Roat and DHS’s John Streufert. Other events are less clear, such as the Digital Government Institute’s one-day conference Thursday on big data and Meritalk’s cloud computing forum. On Tuesday, the Senate Armed Services Committee will hold a hearing on the impact of sequestration on DoD in 2014, while the Partnership for Public Services holds a discussion on the federal workforce with three former Office of Personnel Management directors, including Linda Springer.