The White House wants to change how it manages agency cybersecurity efforts by shifting away from self-attestation and compliance-based approaches toward continuous monitoring of networks and outcome-focused measurements, according to the federal chief information security officer (CISO).
The Office of Management and Budget is ensuring agencies are providing the data called for in May’s cybersecurity executive order with some “strict governance,” according to Chris DeRusha, the federal CISO at OMB.
“We’re measuring and dashboarding the data call layer first, the practical things — are people doing what we asked them to do on the timelines we’ve asked them to do it,” DeRusha said during a July 28 event hosted by Oracle.
Ultimately, the White House wants to tie the EO’s data calls and goals into the Federal Information Security Modernization Act (FISMA) process, the law governing how executive branch leaders manage cybersecurity across agencies.
“We want to fold this naturally into FISMA,” DeRusha continued. “And we also want to reform FISMA so that we’re focusing on security outcomes and real, tested security, continuous monitoring, and we start moving away from the self-attestation and compliance-based approach.”
FISMA lays out a framework for what agencies should do to defend their information and networks, such as maintaining an inventory of IT systems, categorizing data and systems according to risk, and using a system security plan — among numerous other requirements.
The law hasn’t seen major reforms since 2014. “Things have changed a lot since then,” DeRusha said.
He said the Biden administration is working closely with Congress, with officials expecting to see a proposal from lawmakers “very soon.”
Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and Ranking Member Rob Portman (R-Ohio) signaled in May they were eyeing FISMA reforms after the SolarWinds breach affected multiple federal agencies.
“FISMA clearly needs some adjustments to ensure agencies and [the Cybersecurity and Infrastructure Security Agency] have the information necessary to understand our risk and allocate our resources to address those risks that have been identified,” Peters said during a May 11 hearing. “The law needs to reflect the intent of Congress, so there is no ambiguity. So there’s no confusion on when and if an agency needs to declare a major incident and notify Congress about those events.”
An aide to Peters confirmed the Michigan Democrat is actively working on FISMA reform legislation. The aide was not able to discuss a timetable for the proposal’s release.
Meanwhile, DeRusha said “there’s plenty” OMB can do by itself on FISMA. And moving away from the compliance-based approach doesn’t necessarily mean letting agencies off the hook, either. The fiscal year 2020 FISMA report showed agencies saw an 8% increase in cyber incidents compared to the previous year.
“We’re not talking about backing off in any way, but we do need to, when we do more, give somewhere, because agencies are at capacity for what they’re doing,” DeRusha said. “So we need to find a way to do more value-added, tested security approaches, make sure continuous monitoring is being employed, make sure that we’re helping them justify their budgets by asking the right questions and drawing out the right kind of data on workforce and hiring, and on all sorts of other issues.”
He also said he’s “bullish” on the Technology Modernization Fund and its potential to transform agency IT. The American Rescue Plan allocated $1 billion for the TMF, which has otherwise received $175 million through the normal appropriations process since it was established in 2017.
“They didn’t come up with it in weeks — they’ve had this as a lingering investment need for a significant period of time,” DeRusha said. “I think we should all really take that very seriously. If we’re not getting these investments done through the normal budget cycle, how are we going to change that, or use something like this to get it done?”