One of the last vestiges of the old way of thinking about cybersecurity is dead.
The requirement to reevaluate the security of IT systems every three years has been flushed from the governmentwide policy that for so long stood in front of agencies and inspectors general moving toward a continuous monitoring approach.
On July 28, the Office of Management and Budget issued the update to Circular A-130.
“The revised circular consolidates in one guidance document a wide range of policy updates in information governance, acquisitions, records management, open data, workforce, security, and privacy. In particular, the revisions highlight requirements from the Federal Information Technology Acquisition Reform Act (FITARA) to improve the acquisition and management of information resources,” OMB said in a fact sheet about A-130. “The revised circular also emphasizes and clarifies the role of both privacy and security in the federal information lifecycle. Importantly, the revised circular represents a shift from viewing security and privacy requirements as compliance exercises to understanding security and privacy as crucial components of a comprehensive, strategic, and continuous risk-based program.”
OMB last updated A-130 in 2000, so it was due for a refresh. The White House released the draft update in October and received 67 comments from companies, industry organizations and several others.
The termination of the requirement to authorize IT systems every three years also finally puts to rest the challenge agencies and auditors faced in following a policy of three-year cyber reviews of IT systems when the reality of technology requires constant review.
“A-130 demonstrates the recognition that strong cybersecurity is achieved through actionable continuous steps rather than snapshots that occur every three years,” said Dan Chenok, a former OMB executive and now executive director of IBM Center for The Business of Government. “One of the things that really comes across is the integration of privacy and security as a policy matter. It emphasizes strong security protections paired with strong privacy for personal information. It becomes part of the risk management framework for agencies. A-130 along with the re-issuance of A-123 raises the bar on risk management and shows a more mature understanding that risk management goes across multiple disciplines.”
The administration and the Homeland Security Department have been pushing agencies toward a more continuous evaluation approach, and even Congress joined the effort by passing the Federal Information Security Modernization Act (FISMA) in 2014.
This law required OMB to rewrite A-130 to include the new provisions such as the assessment of how agencies are moving toward continuous monitoring.
For Frank Reeder, a 22-year OMB veteran and now director of the Center for Internet Security, the change to the security requirements is all that mattered about the new A-130.
“My mission over the last several years, through my work with the center, has been to get the government to change from what generally has been a waste of a lot of money doing what some people refer to as checklist security rather than looking at what is important,” he said. “The thing that encouraged me in earlier versions was to make sure there is a clear shift away from the checklist and toward an ongoing monitoring exercise. If that’s the case, then this is an important shift. That is the heart of the matter to me.”
But Reeder said after he cut through all the “gibberish in the document,” it’s still unclear if the checklist mentality has been gotten rid of once and for all.
“Agencies still must comply with all parts of the National Institute of Standards and Technology and that is like asking agencies to comply with an encyclopedia,” he said. “If OMB, the IGs and the Government Accountability Office all read this in the same way that lets agencies make risk-based decisions, then it’s an important change. But if auditors read this to mean agencies still must meet all parts of SP-800-53, then it continues to be a checklist exercise, and A-130 is just a statement of good intentions to move away from the checklist.”
To its credit, OMB very much highlights the need for agencies to take a risk-based approach, telling them in the circular to “Protect information in a manner commensurate with the risk that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of such information.”
In Appendix I, OMB takes this further: “Implement a risk management framework to guide and inform the categorization of federal information and information systems; the selection, implementation, and assessment of security and privacy controls; the authorization of information systems and common controls; and the continuous monitoring of information systems.”
And, “Employ a process to select and implement security controls for information systems and the environments in which those systems operate that satisfies the minimum information security requirements in FIPS Publication 200 and security control baselines in NIST SP 800-53, tailored as appropriate.”
Mark Forman, a former administrator of the Office of E-Government and IT and now global head, vice president and general manager of Unisys’ public sector division, said one key to A-130’s successful implementation is the recognition of senior leadership that agency chief information officers play a huge role in managing risk.
“I’ve seen numerous times when the system owner answers questions about what you should do about risk management based on the NIST framework and they don’t realize it puts them at medium-high or medium-medium and they don’t want to implement controls so they change their answer. There must be accountability for managing risk,” Forman said. “I wish they had made similar clear statements around IT transformation initiatives for business processes. They didn’t clearly articulate what it means and how to manage those programs. Under the Clinger-Cohen Act there was a two-tiered approach. The agency head had responsibility to kill a poorly performing project, and if not then it was OMB’s responsibility. In the A-130, CIOs hold TechStat sessions so it locks in a process but not a governance framework. There are too many processes where agency heads implement it, but there isn’t any clear guidance around governance.”
Forman said the lack of specific direction about who is in charge is the biggest concern he has about A-130.
He said the document talks a lot about bringing people together, but doesn’t clearly define the process for who has the final say or who is in charge.
“There are a lot of provisions that say, essentially, ‘It would be good to do this,’ versus saying ‘here is how we are managing IT,’” Forman said. “Even where it is direct, it’s not direct in how agencies are managing IT. It’s direct in saying who should get together to form a consensus. It’s clear to me this is a consensus document, and the risk is the consensus reflects the people who are in the jobs at this time, but a lot of CIOs and OMB people will change with the next administration. The consensus and basis for decisions that underlie this and the governance framework will leave with those people. Will the next administration know what to do with this regulation because it’s not clear in the decision making chain of command and in the basis for decisions? It’s clear who is involved, but not the actual workflow because there are too many options.”
Glenn Schlarman, who worked at OMB for 10 years and now runs the consulting firm Second Opinion Consulting and Knowledge, said he also doesn’t like the flexibility agencies have under A-130.
“It continues the ‘waiver’ option which was never exercised in my experience and shouldn’t be available. To me, waiver options imply bad underlying policy and are unmanageable anyway,” he said. “I began thinking in terms of security, but expanded to all information and IT management functions — privacy, records management, security, architecture, systems development — all are CIO responsibilities and even beyond. The continuing problems agencies face in all of these areas result from the fact the CIO, for example, works for the agency and is subject to changing priorities, revolving appointed personnel, in many cases revolving CIOs, etc.”
In the circular, agencies can ask the OMB director for a waiver from meeting the requirements of certain sections of the policy.
Generally, the former OMB officials praised the new A-130 and OMB for taking on this mammoth task of rewriting it.
Chenok said the rewrite is not trying to layer on more compliance requirements, but rather framing IT and information around a consistent oversight and implementation framework.
Next week, I’ll take a look at another section of A-130, the identity management and access control requirements.