New FISMA guidance strikes familiar cyber tune, but can OMB change out the instruments?

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

In April 2010, the Office of Management and Budget called for real-time cybersecurity data reporting and the end of compliance and paperwork exercises.

Over the course of the next 11 years, an assortment of federal chief information officers followed with annual Federal Information Security Management Act (FISMA) guidance that played a similar tune.

In October 2012, it was continuous monitoring and collecting data through the Cyberscope tool.

By 2015 in the aftermath of the breach suffered by the Office of Personnel Management, OMB released the cybersecurity strategy and implementation plan (CSIP) for civilian agencies as part of a “broad strategy to enhance federal cybersecurity and fundamentally overhaul information security practices, policies, and governance.”

Over the next couple of years, it was more of the same, less prescriptive, more rigorous, more prescriptive and more rigorous and so on and so forth. Time and again, the annual FISMA guidance was an exercise in hope for change that provided limited improvements in select areas, but too often more paper and compliance efforts.

So don’t be surprised if the most recent FISMA guidance from OMB released Monday doesn’t elicit a feeling of “here we go again” from many veterans of the cybersecurity battlefield.

But if those long-time chief information security officers and information security officers look closely at the guidance, they will notice a distinct difference between then — 2010, 2012, 2015 and so on — and now.

New zero trust deadlines

OMB is moving away from self-attestation. OMB isn’t just saying lets continuously monitor and report the cybersecurity posture of systems, but it’s requiring the use of automated capabilities and the use of data standards to measure progress.

OMB isn’t just changing the metrics but leaving agencies out to dry with their inspectors general who are focused on what the law requires, leading to the expected “slap on the wrist” report.

Instead, OMB worked with the Council of the Inspectors General on Integrity and Efficiency (CIGIE) on new metrics that address continuous authorizations and other risk-based metrics.

And finally, OMB is using the continuous diagnostics and mitigation (CDM) program not just to drive cybersecurity changes like it has tried to do in the past, but to address long-standing problems around the delivery of capabilities, data quality and the move to automation.

“These changes are intended to define a maturity baseline in certain high-impact capability areas, improve the quality of performance data collected at the enterprise level and accelerate our efforts to make more informed risk-based decisions and achieve observable security outcomes,” wrote Jason Miller, OMB’s deputy director for management, in a memo to agency leaders.

The clearest direction in the new FISMA guidance is around zero trust. OMB continues to build on President Joe Biden’s May cyber executive order by setting a deadline of Sept. 30, 2024, for agencies to meet certain goals across all five pillars of the zero trust maturity model.

Under the identity pillar, for example, agencies must “use an enterprise-wide identity to access the applications they use in their work. Phishing-resistant multi-factor authentication (MFA) protects those personnel from sophisticated online attacks.”

Under the networks pillars, OMB says agencies must encrypt all domain name system (DNS) requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.

And under the applications and workloads pillar, OMB told agencies to “treat all applications as internet-connected, routinely subject their applications to rigorous testing and welcome external vulnerability reports.”

“As federal agencies face ever more sophisticated attempts to compromise government systems, it is vital that agency security efforts are focused on making it demonstrably harder for our adversaries to succeed,” said Chris DeRusha, the federal CISO, in a statement. “OMB’s updated FISMA guidance is designed to help agencies focus on practical security outcomes by measuring the use of rigorous multi-layered security testing, automation of security and compliance controls and progress in adopting a zero trust architecture.”

Next evolution of CDM coming

Aside from the focus on the move toward zero trust, OMB has continued to update the approach to CDM.

Along with reiterating the requirement to justify why an agency wouldn’t use the tools and capabilities provided by the Cybersecurity and Infrastructure Security Agency, OMB also set two new deadlines for agencies.

First, by April 2022, “CISA, in coordination with OMB and the National Institute of Standards and Technology, will develop a strategy to continue to evolve machine-readable data standards for cybersecurity performance and compliance data through CDM (or a successor process)” — interesting aside here that OMB brings us a “successor” to CDM, which may be the first time this has been mentioned. Though at the same time, let’s not read too much into it, yet.

OMB says the machines-readable data standards will include metrics that will supplement existing CIO metrics from CISA and enable agencies to report their security controls in an automated and timely manner.

“OMB will use these metrics in a scorecard and will begin to grade agencies by December 2022. CISA will enable ongoing access to the data required to grade agencies on the new scorecard (through the CDM federal dashboard or successor) to OMB and the Office of the National Cyber Director no later than December 2022,” the memo stated.

The one thing OMB made clear about the new FISMA guidance is they are not rewriting the law through policy. Senate lawmakers and OMB are working on an update to the legislation, which Congress passed first in 2002 and updated again in 2014.

The Homeland Security and Governmental Affairs Committee introduced and passed the Federal Information Security Modernization Act of 2021 in October. There is no House companion bill.

OMB also signaled changes to the FISMA reporting guidance after the latest report to Congress. DeRusha said at the time the changes to FISMA come from the current cyber threat environment and the continued need to focus on risk-based metrics.

New IG metrics

Moving toward a risk-based approach is a common theme in the new FISMA guidance — and it’s not a surprise. OMB mentions the word “risk” 17 times in 15 pages, including in how agencies should use CISA’s recently released incident response playbook.

“Utilizing the standard incident response playbook will enhance the ability of CISA and other agencies involved in incident response and recovery to assess the risk of vulnerabilities and execute incident response activities,” the memo stated. “The cybersecurity vulnerability and incident response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents affecting agency systems vary across agencies. Standardized response processes ensure a more coordinated and centralized cataloging of incidents and agency progress toward successful responses.”

OMB also made this point in how it developed new IG metrics with CIGIE.

The lack of coordination between OMB and CIGIE often has led to frustrations among CIOs and across the oversight community.

For this year’s FISMA guidance, OMB and CIGIE are transitioning the IG metrics process to a multi-year cycle and thus encouraging agencies to shift to a continuous assessment process for their independent assessment.

“OMB will select a core group of metrics, representing a combination of administration priorities and other highly valuable controls, that must be evaluated annually,” the memo stated. “The remainder of the standards and controls will be evaluated in metrics on a two-year cycle based on a calendar agreed to by CIGIE, the CISO Council, OMB and CISA. These changes do not in any way limit the scope of IG authority to evaluate information systems on an as-needed or ad-hoc basis.”

Additionally, OMB is shifting the due date for the report on how agencies are meeting the IG metrics to July from October to better align with the development of the president’s budget request.

“Reflecting OMB’s shift in emphasis away from compliance in favor of risk management, IGs are encouraged to evaluate the IG metrics based on the risk tolerance and threat model of their agency, and to focus on the practical security impact of weak control implementations, rather than strictly evaluating from a view of compliance or the mere presence or absence of controls,” OMB stated in the memo.

The call to focus on practical security is well heeled in time and remembrance. The question comes back to, as it always does, whether the changes are attainable and how OMB continues to press agencies forward, because DeRusha and others at OMB can’t just sign and forget it.

Related Stories

    Chairman Sen. Gary Peters, D-Mich., speaks during a Senate Governmental Affairs Committee hybrid nominations hearing on Capitol Hill in Washington, Thursday, April 22, 2021, to consider the nominees for Postal Service Governors Anton Hajjar, Amber McReynolds, and Ronald Stroman, along with Kiran Ahuja, the nominee to be Office of Personnel Management Director. (AP Photo/Andrew Harnik)

    Senate lawmakers introduce FISMA reforms, including cyber incident reporting for agencies, contractors

    Read more
    (Amelia Brust/Federal News Network)

    Federal CISO DeRusha: FISMA report details a key part of cyber roadmap

    Read more

Comments