The most important information in the cyber risk determination report issued back in mid-May by the Office of Management and Budget isn’t governmentwide data on 96 agencies or even the plans to consolidate security operations centers governmentwide. The most important highlight in the report, which was required under the May 2017 cyber executive order signed by President Donald Trump, is the ability to use the data to explain to non-IT executives why money needs to be spent, what actions need to be taken and why they are responsible for all of these ongoing cyber challenges.
“There is still a great deal of work to be done and OMB will work with agencies to intensify the ongoing focus on improved management of cybersecurity risk. Many of these efforts will be addressed, in part, through upcoming budget processes, which will utilize the risk report to drive strategic investment designed to buy down the federal government’s overall level of risk,” wrote Suzette Kent, the Federal Chief Information Officer, and Grant Schneider, the acting Federal Chief Information Security Officer and senior director for cybersecurity policy in the National Security Council, in a blog post.
An OMB senior adviser said the data in this report is not new by any means. Agency inspectors general publish it in the annual Federal Information Security Management (FISMA) report to Congress.
“This is not the first time we’ve had this view of risk, but it’s the first time we’ve shared that view governmentwide,” the adviser said. “Historically, it’s more of a one-on-one with the agencies. What we wanted to do, and the president wanted us to do, with this was determine what’s our starting point as baseline and then start moving forward.”
The difference here also is the clarity of what the problems are and plans to fix them. And this is especially important given the concerns about a lack of centralized governmentwide cyber leadership without a named cyber coordinator or permanent federal CISO.
“What you will see in that one of the most comprehensive risk assessments of 96 agencies. It was based on the updated NIST cyber framework and they have a much better understanding of the universe and cyber maturity of each of those agencies,” said Trevor Rudolph, a cybersecurity policy fellow at New America and a former chief of OMB’s cyber and national security team and now a cybersecurity policy fellow at New America, a think tank. “It’s not just understanding the maturity of each agency, but taking that maturity into account when figuring out appropriate resource levels. That is probably the highlights from the progress on the EO, in particular.”
The report found agencies struggle to identify, detect respond, and if necessary, recover from cyber incidents. OMB found 71 of 96 agencies (74 percent) participating in the process had cybersecurity programs that were either “at risk” or at “high risk.”
“OMB and the Homeland Security Department also found that federal agencies are not equipped to determine how threat actors seek to gain access to their information,” the report states. “The risk assessments show that the lack of threat information results in ineffective allocations of agencies’ limited cyber resources. This situation creates enterprisewide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity.”
The most aggressive plan of action to begin to solve many of these problems is for agencies to consolidate their security operations centers (SOCs).
OMB and DHS found only 27 percent of agencies reported they have the ability to detect and investigate attempts to access large volumes of data, and even fewer agencies report testing these capabilities annually.
“Simply put, agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years,” the report states.
Mike Pitcher, the vice president of technical cyber services for Coalfire federal, said agencies do not have an understanding of true risk in part because of the limited visibility across their networks.
“The SOCs are largely an uncoordinated effort and rarely do we see agencies using ticketed items so they are not making sure two people aren’t looking at same thing within SOCs. There are a lot of stove pipes,” Pitcher said. “We’ve seen information sharing in the SOC as a big challenge.”
OMB and DHS expect the continuous diagnostics and mitigation (CDM) program to help considerably with network visibility, but the consolidation is SOCs is the key to improving all agencies.
“OMB, in partnership with DHS and the General Services Administration (GSA), is working to finalize a set of requirements for organizations to begin acquiring security operations center-as-a-service,” Kent and Schneider write. “This will allow agencies currently lacking adequate security to shift to managed security solutions and provide an option to address gaps in their existing defenses much more quickly. Some federated agencies are already consolidating their security operations centers to achieve greater enterprise visibility and increase the standardization of cybersecurity tools and capabilities.”
A senior OMB adviser added consolidating SOCs or providing them as a service will drive agencies to normalize the way they do IT operations.
“Some departments have 8-to-10 internal organizations so getting to one [cyber risk] score there will be important,” said the adviser, who spoke on background in order to talk to the press.
A second OMB adviser added new FISMA metrics as well as the requirements in Circular A-11 around IT spending will help the administration see if there is duplication, where the gaps exist and what needs to be done to fill them.
The new FISMA metrics are designed to focus on capabilities that directly correspond to mitigating threats identified in the Cyber Threat Framework issued by the Office of the Director of National Intelligence.
“DHS has also put the Cyber Threat Framework into practice via its .gov Cybersecurity Architecture Review (.govCAR) program, which is based on a tool developed by the National Security Agency for the Department of Defense to map defensive capabilities against intelligence-informed threat vectors,” Kent and Schneider write. “Though still in its early stages, the program has already identified existing gaps against certain adversary activities, allowing the government to remediate shortcomings.”
The adviser said OMB is raising the bar for agencies to improve situational awareness beyond the basics of CDM. The addition of the threat framework will give federal decision makers the insight and knowledge to prioritize cybersecurity investment and risk mitigation decisions through a hierarchical, structured, transparent, and repeatable methodology.
The idea to consolidate SOCs isn’t new. OMB tried a version of it in 2005 with the security line of business. Then in 2016, OMB told agencies to designate a principal SOC to report to DHS for all incident response activities.
The first senior adviser said the risk report and the President’s Management Agenda are among the levers OMB can pull to make sure consolidations happen more quickly.
“We are setting performance expectations for how they meet these metrics and cross-agency priority goals,” said the first OMB senior adviser. “Some agencies can get straight there. For others it will be evolutionary getting visibility and then getting centralization. Agencies will be accountable as they outsource or leverage another service provide. If an agency is not meeting these requirements then we can lean on them through budget or other political tools. We need to move toward a shared service.”
Coalfire’s Pitcher said based on what his company is seeing in the CDM program, the best thing a report like may do it get executives to ask for and Congress to allocate more money for cybersecurity.
Civilian agencies already are spending more than $5.6 billion on cybersecurity tools and services, but as the risk report shows significant gaps remain.
“The report helps with how we talk about threats so there is consistency with threat sharing,” he said. “Too often agencies are using funding to acquire solutions but they are not addressing what systems or networks the actors are exploiting. They also have many tools with overlapping functionality. I hope this report raises awareness and helps make sure budgets are allocated to the right places.”