Lawmakers are eyeing reforms to federal cyber standards, but the White House is already starting to ask new questions about how agencies are making progress on cybersecurity.
The changes are laid out in fiscal year 2022 metrics used by the Office of Management and Budget to evaluate agency cybersecurity performance under the Federal Information Security Modernization Act. Agency chief information officers report on the metrics to OMB and the Cybersecurity and Infrastructure Security Agency throughout the year. The data is assessed quarterly and compiled into an annual FISMA report.
Experts said OMB’s and CISA’s fiscal 2022 metrics already start to push the government down the path lawmakers are charting. Published in December, the metrics break away from previous iterations of the guidance, which were organized around the five functions of the NIST Cybersecurity Framework: identify, protect, detect, respond and recover.
Instead, the metrics were reorganized around new questions, with a major focus on multifactor authentication (MFA) and other priorities laid out in President Joe Biden’s May 2021 cybersecurity executive order (EO 14028).
The FY 22 document asks agencies more than a dozen questions regarding their adoption of multifactor authentication and encryption. Previous iterations of the FISMA metrics have featured just a few questions about the use of two-factor authentication and encryption for high-value assets.
Grant Schneider, former federal chief information security officer and senior director of cybersecurity services at Venable, applauded the granular focus on multifactor authentication, especially the emphasis on methods that are resistant to phishing.
“If I were to consult with an organization, and they could only do one thing, that would be the thing,” Schneider said of phishing-resistant MFA. “Encryption is also really important, being able to be sure that your information is secure while it’s inside the environment.”
The new metrics tie into the Biden administration’s bid to shift agencies to the “zero trust” cybersecurity footing. The concept is a “paradigm shift” and envisions verifying “anything and everything attempting to establish access” to federal data, according to the White House’s zero trust strategy released last week.
The FISMA 2022 bill in the House also seeks to promote “next-generation security principles like a risk-based paradigm, zero trust principles, endpoint detection and response, cloud migration, automation, penetration testing and vulnerability disclosure programs.”
Chris DeRusha, the federal chief information security officer, said new items in the FY 22 metrics like vulnerability disclosure programs, blue teaming and penetration testing are “getting to a greater focus on capabilities that are leading to observable security outcomes.”
“We need to make sure that we’re emphasizing the growth of these capabilities,” DeRusha said in an interview. “And a lot of what the metrics are doing is first taking a temperature of where agencies actually are with those, so we can understand what we may need to do as interventions to help them support the buildout of these capabilities.”
OMB’s questions about “ground truth testing” are looking to “go beyond the assumption that generic vulnerability scanning tools are sufficient for testing system security,” the metrics document states.
The metrics ask for information on the use of penetration testing, red team exercises, blue teaming and access to threat intelligence. They also survey agencies about the use of vulnerability disclosure programs, after OMB issued guidance last year encouraging the use of external security researchers.
Renee Wynn, who served as CIO at both the Environmental Protection Agency and then NASA, said the focus on security testing should help agencies tackle both persistent and potentially catastrophic issues.
“Frankly, those were very telling activities that you would do inside your agency,” she said. “Sometimes you’d be really like, ‘Oh, really, we still have that problem?’ And other times, ‘Wow, I’m really glad they found that because if perhaps a nefarious actor had found that, it might have been pretty problematic.’”
The metrics also ask agencies about their logging capabilities. Last August, OMB issued new requirements to ensure agencies were logging and retaining cybersecurity incident data. The Government Accountability Office recently found that gaps in log coverage prevented eight agencies from quickly responding to the SolarWinds incident.
OMB is additionally polling agencies about their information security workforce needs for the first time in the metrics. It seeks answers from agencies about how many additional full-time equivalents they require for specific work roles, including forensics analysts, incident responders and secure software assessors, among other roles.
“I’m excited about the workforce questions, because frankly, nothing gets done without people,” Wynn said.
But she noted deliberations over cybersecurity workforce requirements will fall short without the involvement of agency chief human capital officers, who oversee workforce matters at federal agencies.
“Workforce is a great place to be paying attention, but laying it at the feet of the CIOs and CISOs, I’m not a big supporter of that,” Wynn said. “It is a team effort. And chief human capital officers need to be part of these conversations. Their systems need to be tracking this, so all I have to do is push a button, and I get my data to report back to them.”
Overall, the FY 22 document represents a “more dynamic, outcome-focused series of metrics,” according to Ross Nodurft, former chief of OMB’s cyber team and executive director of the Alliance for Digital Innovation.
“This is a series of metrics that starts to measure things that Congress has been asking agencies to move towards,” he said.
But he also noted the challenge inherent in changing metrics that are used to measure agency progress year-over-year.
“We have to recognize that we’re measuring new things, so we’re not going to get 100% across the board,” Nodurft said. “That doesn’t mean that our security is collapsing around itself. We have to be smart about how we’re understanding and interpreting these metrics.”
John Pescatore, director of emerging security trends at SANS Institute, said the emphasis on multifactor authentication and encryption at agencies is “really important.” But the initial results this year could be “abysmal.”
“And then they’ve got to stick to it and say, ‘No, we’re going to make this happen,’” he said.
Pescatore noted how in the past, the government has led industry in the adoption of security measures like new Internet security protocols.
“If they could do this for multifactor authentication and data encryption, that would be just huge for the country,” he continued. “If the government starts using strong authentication, then the government contractors have to … and it just grows its use in the marketplace.”