OMB constructs cyber marathon on themes of ‘never finished, ever changing’

Jason Miller: OMB constructs cyber marathon on themes of ‘never finished, ever changing’

Four months after agencies completed their sprint to improve federal cybersecurity, the Office of Management and Budget pulled the trigger on the marathon’s starting gun.

Federal Chief Information Officer Tony Scott and OMB Director Shaun Donovan signed off on two memos Oct. 30, each building on the 30-day cyber sprint to create a long-term vision and specific deadlines for agencies to give more than lip service to improving their network and data security.

First, Scott and Donovan signed the annual guidance for Federal Information Security Management Act (FISMA) reporting. Second, and maybe more significant, Scott and Donovan released the cybersecurity strategy and implementation plan (CSIP) for civilian agencies.

“As part of the sprint, a team of over 100 experts from across the government and private industry led a comprehensive review of the federal government’s cybersecurity policies, procedures, and practices. The team’s review made clear that we must continue to double down on this administration’s broad strategy to enhance federal cybersecurity and fundamentally overhaul information security practices, policies, and governance,” Scott wrote in a blog post on Oct. 30. “CSIP directs a series of actions to improve capabilities for identifying and detecting vulnerabilities and threats, enhance protections of government assets and information, and further develop robust response and recovery capabilities to ensure readiness and resilience when incidents inevitably occur.”

Office of Management and Budget (OMB) Chief Information Officer Tony Scott testifies on Capitol Hill in Washington, Thursday, June 25, 2015. (AP Photo/Susan Walsh)
Office of Management and Budget (OMB) Chief Information Officer Tony Scott testifies on Capitol Hill in Washington in June (AP Photo/Susan Walsh)

Both documents draw on agency progress during the cyber sprint as well as the ongoing insight and recommendations from federal CIOs, from the mandates in the Federal IT Acquisition Reform Act (FITARA) and the recent update of a new draft Circular A-130.

One example of that progress is the use of two-factor authentication to log onto agency networks. OMB says 80 percent of all federal employees now use two-factor authentication, whether under Homeland Security Presidential Directive-12 (HSPD-12) or through other means.

“While these statistics demonstrate marked improvement in identifying and closing the gaps in the federal cyber infrastructure, we still have more work to do. We must acknowledge the modern reality that the work of addressing cyber risks is never finished and is ever changing,” Scott wrote.

And it’s that theme, that cybersecurity is never finished and ever changing, that is marbled throughout the documents.

In the FISMA guidance, OMB demonstrated that concept in how it met a mandate in the updated law Congress passed and President Barack Obama signed into law about a year ago, called FISMA 2014.

Congress told OMB to better define a major incident.

The administration did that and detailed new reporting requirements for agencies.

A major incident now is defined as one that:

  • Involves information that is classified, controlled unclassified information (CUI) proprietary, CUI privacy, or CUI other;
  • Is not recoverable, not recoverable within a specified amount of time, or is recoverable only with supplemental resources; and
  • Has a high or medium functional impact to the mission of an agency; or
  • Involves the exfiltration, modification, deletion or unauthorized access or lack of availability to information or systems within certain parameters to include either: A specific threshold of number of records or users affected or any record of special importance.

“Although agencies may consult with the DHS United States Computer Emergency Readiness Team (US-CERT) on whether an incident is considered a “major incident”, it is ultimately the responsibility of the victim agency to make this determination. OMB reserves the right to modify the definition of major incident based upon incidents, risks, recovery activities, or other relevant factors,” OMB wrote. “After the initial agency notification DHS is required to notify OMB within one hour of the relevant agency notifying DHS that a major incident has occurred. Agencies shall also notify Congress within 7 days of the date on which the agency has a reasonable basis to conclude that a major incident has occurred; the agency should also notify affected individuals, in accordance with FISMA 2014, as ‘expeditiously as practicable, without unreasonable delay.’”

Another example of this theme of vigilance and on-going updates came out in both FISMA and CISP in specifically naming CIOs and chief information security officers (CISOs) as being responsible for oversight and implementation.

In FISMA, OMB told agencies to ensure CIOs and CISOs have top-secret, sensitive compartmented information access. Most CIOs and CISOs have this access today, but recent cyber attacks highlighted the need to ensure senior technology officials could work with top secret intelligence.

To that end, FISMA also reiterated the need for agencies to work with the Homeland Security Department to have a standing federal network authorization agreement. This lets DHS help agencies more easily if a cyber incident occurs. Agencies also must have a security operations center official report directly to US-CERT to be the main point of contact and responsible for reporting threats and attacks.

At the same time, the cybersecurity implementation plan mandates CIOs and CISOs to have “direct responsibility and accountability” to protect their agency’s systems and data.

Overall, OMB said the President’s Management Council (PMC) will oversee the CISP effort. The PMC has played a major role in overseeing recent White House cyber initiatives and the implementation plan keeps their role intact and active.

CISP also details 11 key milestones that underscore Scott’s themes of never finished and ever changing.

To deal with these challenges, OMB is giving DHS accelerated deadlines for implementing the EINSTEIN intrusion detection and prevention system, known as E3A, by Dec. 31, and phase 2 of the continuous diagnostics and mitigation (CDM) program by Sept. 30, 2016.

“DHS is piloting behavioral-based analytics to extend beyond the current approach of using known signatures and begin identifying threat activity that takes advantage of zero-day cyber intrusion methods,” the memo said. “DHS is examining technologies from the private sector to evolve to this next stage of network defense. DHS will share lessons learned from the pilot study and next steps with OMB by March 31, 2016.”

The General Services Administration gets another deadline to “develop a Business Due Diligence Information Service that will provide agencies with a common governmentwide capability for identifying, assessing, and managing cyber and supply chain risk throughout the acquisition process” by 2016.

OMB also is giving the CIO Council until Dec. 31 to establish a new subcommittee on rapid deployment of emerging technologies.

“This group will provide requirements, challenges, and feedback to both incubators and agencies,” the memo said. “The Cybersecurity Sprint identified a need for a federalwide technology assessment followed by a comprehensive program to assist agencies with the procurement, assessment, certification and accreditation of existing and emerging technology.”

All of these efforts hinge upon the federal IT workforce.

Scott detailed five different actions with deadlines around improving the cybersecurity workforce.

These range from the Office of Personnel Management and OMB compiling all existing special hiring authorities by agency and clarifying legal guidelines for how to use them, to DHS beginning to test its Automated Cybersecurity Position Description Hiring Tool across the government.

“DHS is also directed to develop and report on performance and adoption metrics so that agency leadership can better understand how to leverage the tool,” OMB wrote. “The tool enhances cybersecurity workforce recruitment by decreasing the applicant time-to-hire and by ensuring cybersecurity job announcements contain clear, technical content. DHS must also post their own internal Cyber Workforce Analysis results on the CIO Council Knowledge Portal by Nov. 30, 2015, as a best practice for other agencies to leverage.”

Scott said in his blog post that implementation plan and FISMA guidance continue to turn the government toward better cybersecurity.

“CSIP helps get our current federal house in order, but it does not re-architect the house,” he said. “As cyber threats become increasingly sophisticated and persistent, so must our actions to tackle them. From the public sector to private industry, we can best do this by properly funding cybersecurity investments, strengthening processes for developing, implementing and institutionalizing best practices; developing and retaining the cybersecurity workforce; and collaborating between public and private sector research and development communities to leverage the best of existing, new, and emerging technology and talent to enhance federal cybersecurity.”