OMB has authority to make federal cybersecurity more dynamic, says report


The Office of Management and Budget could use existing authorities to make agency cybersecurity efforts more efficient and dynamic, says a report released Oct. 23 by the Center for Strategic and International Studies.

The agency has "ample legal authority to adopt reforms," say the authors of the report, who include former Office of Management and Budget executives, among them Karen Evans, who occupied the equivalent position of federal chief information officer during much of the Bush administration, and cybersecurity experts including James Andrew Lewis of CSIS.

Their main recommendation is that federal cybersecurity efforts shift to continuous monitoring.

By that, the report's authors say they mean a software-based approach that compares network performance and machine configuration to specific standards and known vulnerabilities. They suggest OMB use Circular A-130, an existing guidance document that establishes governmentwide policy over information technology management, to build on existing continuous monitoring guidance by setting minimal controls. Through A-130, OMB could also require standardized processes and databases to store baseline security data.

The shift to the more dynamic posture that continuous monitoring heralds would continue if agencies changed the cybersecurity focus to information rather than systems or applications, the authors also say. By moving the definition of what needs protecting away from technology per se, agencies would be able to take better advantage of new capabilities. The shift would also ensure that information is not overlooked when it is processed in systems that could escape oversight because they do not rise to the level of "major" under variable agency definitions of that threshold.

This change could be made by, again, modifying A-130 to state that "information system" is not meant to denote a static set of technological resources, and by modifying Federal Information Processing Standards Publication 199 so that it defines a major system as any one whose compromise would have a severe consequence or whose compromise would put significant financial resources at risk.

The authors also call on OMB to end what they say is an obsolete distinction between national security and non-national security systems. Overall government policy should be based on risk levels rather than on the agency in which the system is housed.

The Homeland Security Department should also be assigned specific cybersecurity tasks within A-130. It's been OMB policy since 2010 to make DHS the focal point for federal cybersecurity efforts, but DHS "needs to be made a central element in the implementation of a continuous monitoring, measurement, and mitigation requirement," they say.

The report also calls for development of a maturity model for agency cybersecurity; it would be, the report says, a more meaningful basis for assessing needs for improvement than the annual inspectors general audits of agency compliance with the Federal Information Security Management Act.

For more:
- download the report, "Updating U.S. Federal Cybersecurity Policy and Guidance; Spending Scarce Taxpayer Dollars On Security Programs That Work" (.pdf)   
