Agencies should expect a cybersecurity revival of sorts from the Office of Management and Budget this year. OMB is reasserting its cyber oversight role with a new group of experts called the E-Gov Cyber and National Security Unit.
Grant Schneider, a federal cybersecurity adviser within OMB, said the new unit is part of how the Office of Electronic Government and Information Technology oversees agency cyber efforts.
In many ways, this move is part of how OMB is returning to the way it managed cybersecurity in the mid-2000s.
The White House’s cyber coordinator’s office took over the oversight of federal network cybersecurity during the Obama administration’s first six years. First Howard Schmidt and now Michael Daniel have issued memos, held agencies accountable under the President’s Management Agenda’s cross-agency priority goals and brought in a steady stream of people from other agencies to help run the federal policy side.
OMB’s E-Gov office, meanwhile, has been unusually quiet around cyber, leaving the Homeland Security Department and the National Security Council to do most of the heavy lifting.
But over the past year, and especially with Schneider coming to OMB on a two-year detail from the Defense Intelligence Agency in October to focus on cybersecurity, the E-Gov office has reemerged in its cyber leadership role.
“We have to institutionalize the way we do our cybersecurity oversight of the federal space,” Schneider told Federal News Radio in an exclusive interview Wednesday after speaking at the Information Security and Privacy Advisory Board (ISPAB) meeting in Washington. “The National Security staff has some distinctive roles from a national and international, and private sector work, and OMB really owns that federal government oversight. We are clarifying some of the delineation. We are making sure all of this cyber oversight is going to be able to be institutionalized into the day-to-day way we do oversight because we don’t want it to be a one-off. We want it to be continual and steeped in policy and processes.”
Not a game of gotcha
In President Barack Obama’s 2016 budget request to Congress released earlier this month, the administration said it would improve oversight of cybersecurity through the cyberstat process.
The new E-Gov Cyber unit will lead that effort.
Schneider said the unit, which is led by Trevor Rudolph, will decide which agencies will undergo the cyberstat process in the coming year.
“The intent of them is to get at what we need to do to enhance their cybersecurity. We are not there to play ‘gotcha,’” Schneider said. “We are there to actually help them enhance their security posture and really be able to better defend their systems and networks, and make sure we both — the agency and OMB — have a clear understanding of where they are at.”
An OMB spokesman said by email Congress provided funding for the E-Gov Cyber unit in 2014 and 2015 through the Information Technology Oversight and Reform (ITOR) fund. OMB received $8 million in 2014, expects to get about $20 million in 2015 and asked for $35.2 million in 2016.
“In FY 2015, E-Gov Cyber will target oversight through cyberStat reviews based on agencies with high risk factors, as determined by cybersecurity performance and incident data. Through increased resources, OMB will be able to ensure that these reviews help equip agencies with the proper tools and processes to enhance their cybersecurity capabilities,” the OMB spokesman said.
“The unit will remain focused on ensuring successful DHS implementation of critical programs such as the National Cybersecurity Protection System (NCPS) and Continuous Diagnostics & Mitigation (CDM).”
Schneider said the E-Gov Cyber unit may be a new name, but the cyber experts have been working with agencies for a while.
The unit has some people on staff already and is looking to hire others.
“It’s really about the amount of resources that need to be on this. There also have been, with the creation of this unit, conversations with the National Security staff and Michael Daniel’s organization on some of the things they were doing looking at the federal government that really are an OMB role, so some of this is a shift as well,” he said. “The timing, I would actually argue to some degree, is this is more of a codification of an evolution OMB has been going through for quite a while.”
Along with cyberstats, OMB will be focusing heavily on the continued implementation of the Continuous Diagnostics and Mitigation (CDM) program.
CDM dashboard chosen
DHS has the lead, but Schneider said OMB is overseeing the government’s progress as part of the White House’s cross-agency priority goals.
Schneider said DHS and the General Services Administration, which is acting as the procurement arm for the CDM program, will make the first award under Phase 1, task order 2 for integration services for DHS in the next few weeks.
Schneider said the second award under task order 2, covering a group of agencies including the departments of Agriculture, Veterans Affairs, Energy and Transportation, the Office of Personnel Management and the Executive Office of the President, is expected shortly afterwards.
“I think what we will learn is some of what is most critical and the integration with the dashboard,” he said. “We’re always looking to get capabilities out quickly and then do it with as much due diligence as possible. I think we have struck a balance between the timing to get capabilities to some of the most critical agencies — though all are critical — early on and learn enough as we go from an integration standpoint and an acquisition standpoint and everything else.”
Under task order 2, Schneider said agencies will get integration services for the tools and the agencywide dashboard, which will collect the data.
In December, DHS and GSA’s CDM dashboard contractor Metrica Team Venture chose RSA’s Archer tool for the agency dashboards.
Metrica currently is conducting an analysis of alternatives for the governmentwide dashboard, which each of these agencywide dashboards will feed data to as part of the cyberstat and OMB oversight efforts.
The selection of Archer for the agencywide dashboard follows confusion back in September over whether Metrica had chosen RSA.
GSA and DHS issued a request for information (RFI) last year for Phase 2 of CDM, and Schneider said they are reviewing responses.
The vendors under the CDM blanket purchase agreement (BPA) should expect to receive more detailed Phase 2 requirements by Feb. 17. Vendors then have 45 days to propose new tools that meet those requirements.
DHS and GSA will evaluate those offerings and modify the BPA before the end of June.
Schneider said DHS and GSA are scheduled to award the task orders for Phase 2 in fiscal 2016 and Phase 3 in 2017.
“From an overall cybersecurity standpoint, you have to understand your environment in order to protect your environment,” Schneider said. “CDM in the next year is going to get us great amounts of insight into situational awareness and then with that situational awareness, we can have conversations with agencies about what needs to be done so what patches, what provision levels or what devices may need to come off the network or system, and to really make those proactive decisions and enhance the security posture.”