OMB loosening the reins on major cyber programs for 2019

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

If you read through the new Federal Information Security Management Act (FISMA) guidance for fiscal 2019, the letter from Suzette Kent, the federal chief information officer, to the Senate Homeland Security and Governmental Affairs Committee, and listen to what the Office of Management and Budget has been saying about the upcoming Trusted Internet Connections (TIC) memo, the message to agencies is clear.

Agencies can no longer point to the Homeland Security Department as the excuse for why improvements to the security of their networks and data aren’t happening fast enough.

OMB is giving agencies a stronger voice and driving accountability back to CIOs, chief information security officers and deputy secretaries.

In the FISMA guidance and letter to the committee, which Federal News Network obtained, OMB is adding flexibilities in how agencies meet the requirement of governmentwide programs like the continuous diagnostics and mitigation (CDM) and the intrusion detection and protection program called EINSTEIN. At the same time, OMB seems to be telling agencies that what’s most important is not adhering a specific method or approach, but achieving the final result of using advanced tools and techniques to secure their systems and data.

“The Office of Management and Budget (OMB) acknowledges that there is a need to enhance existing capabilities and programs to better safeguard federal information systems and data, and we plan to convey this vision as part of the President’s 2020 Budget,” Kent writes in a Sept. 14 letter to the Senate committee. “In order to inform future investment decisions, the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) is working on a threat-based security architecture assessment. This threat-based security approach, adopted from the Department of Defense, will provide a holistic assessment of existing federal cybersecurity capabilities and creates a common framework to discuss and assess cybersecurity capabilities related to threats. The results are being used to inform DHS’ cybersecurity investment priorities across federal civilian departments and agencies in order to enhance enterprise cybersecurity and reduce risk.”

The underlying message in the letter is clear. The fiscal 2020 budget request will propose more money for agencies to implement cyber capabilities more quickly and effectively whether through CDM or EINSTEIN or in other ways.

FISMA guidance continues CDM evolution

OMB goes even further in the FISMA guidance, released Oct. 25, around the need for more flexibility and accountability at the agency level.

The administration is opening the door for agencies to acquire continuous monitoring tools and capabilities outside of CDM. The memo is part of the continued evolution of CDM.

“[H]owever, they are required to provide sufficient justification should they pursue acquisition of tools with continuous monitoring capabilities that are not aligned with current or future CDM acquisition vehicles (includes CDM Dynamic and Evolving Federal Enterprise Network Defense [DEFEND], GSA IT Schedule 70 CDM Tools Special Item Number, etc.). Prior to purchasing these tools, a justification memorandum must be sent from the agency CISO to the CDM PMO, the respective OMB Resource Management Office (RMO), and the Office of the Federal Chief Information Officer (OFCIO) Cybersecurity Team,” the guidance states.

Additionally, OMB is telling agencies they can continue to use existing tools or capabilities that meet CDM requirements, but were purchased outside the contracts run by the General Services Administration.

Then if you add to what we know about the upcoming TIC guidance, the theme of moving more toward flexibility and accountability continues.

Margie Graves, the federal deputy CIO, said at the 2018 ELC conference in Philadelphia on Oct. 15 that the TIC policy will move toward a risk based approach based on the cyber framework from the National Institute of Standards and Technology.

“The policy doesn’t push us all the way to right in terms of mandating the use of controls. It opens up the aperture in terms of what commercial cloud services already are built into the environments that are meeting the controls. If it’s like-for-like, we’re not going to prescript how as long as it’s meeting the security requirements,” Grave said. “We are doing the same thing for CDM as well. If we can get to the point where we are doing continuous authorization through automated controls and automated use of data, then suddenly all the authority to operate (ATO) paperwork and approach becomes totally different. There is more veracity and more accurate because it’s based on data in the environment. That’s where we are going.”

All of these changes signal a major change in how OMB is involved with and views cybersecurity.

During most of the Obama administration, OMB passed to DHS the responsibility and some of the authority for federal cybersecurity efforts.

Part of the reason for OMB is increasing its oversight and giving agencies more flexibility may be agency frustration with the slowness of the rollout of CDM tools and capabilities as well as the perceived ineffectiveness of EINSTEIN.

EINSTEIN must be operationally relevant

In Kent’s letter to the Senate committee, she said the “National Cybersecurity Protection System (NCPS) detected 379 of the 39,171 incidents across federal civilian networks via the EINSTEIN sensor suite from April 2017 to present.” That is less than a 1 percent detection rate of all cyber incidents. This doesn’t mean EINSTEIN is ineffective, but it means the program isn’t being the proactive tool once envisioned.

Jeanette Manfra, DHS assistant secretary in the Office of Cybersecurity and Communications, said the goal this year and next is to make sure the tools under EINSTEIN are operationally relevant.

Advertisement
“We have been working with agencies to better understand challenges they may have in making sure how best to use the tools under the NCPS,” Manfra said in an interview on Ask the CIO. “Two areas we have been looking at for some time is can we implement some behavior analytics, looking at developments in non-signature based detection capabilities. We’ve had some success in that, what I would call a limited deployment so we will be expanding that.”

She said the goal of the non-signature based detection capabilities is looking for abnormal behavior based on a baseline of normal behavior.

She said DHS also is looking at how EINSTEIN’s on-premise model, similar to the TIC policy, integrates with cloud services.

The question that emerges from all of these changes is how can OMB and DHS ensure CDM, EINSTEIN and other cyber initiatives continue to push agencies down a similar path so there are fewer cyber breaches, unpatched vulnerabilities and a better understanding the government’s overall cyber risk while at the same time not letting the inertia of government prevent real progress?

Read more of the Reporter’s Notebook