With the Senate’s efforts to pass a comprehensive cyber bill stuck in neutral, the Office of Management and Budget is laying the groundwork for significant reforms to federal cyber policy.
Three OMB alumni and other experts are offering their suggestions to OMB as part of its efforts to revise Circular A-130, specifically the cybersecurity appendix, which is about 10 years old.
Frank Reeder, president of the Reeder Group and a former OMB official, said the group is specifically looking at areas that the Commission on Cybersecurity for the 44th President, which was led by the Center for Strategic and International Studies, didn’t address.
“It was our view that a lot could be done using existing authorities,” Reeder said during a presentation Thursday at the Information Security and Privacy Advisory Board meeting at the National Institute of Standards and Technology headquarters in Gaithersburg, Md. “We’ve been engaged in conversations with a number of folks inside the executive branch, who have been very supportive of what we are doing, and they are certainly interested in what we have to say as it supports the work that is already underway at OMB to revise the circular.”
An OMB spokeswoman declined to comment on the effort to update A-130.
Still, Reeder said his group expects to submit its white paper with recommendations to OMB this summer. He said he is unsure of OMB’s timeframe to release a revised draft circular.
Reeder; Karen Evans, the former OMB administrator for e-government and IT; and Dan Chenok, a former branch chief with OMB’s Office of Information and Regulatory Affairs, presented ideas on how to improve A-130 to the ISPAB and asked for suggestions.
Roles and responsibilities changed
One area where A-130 needs updating is the roles and responsibilities it assigns for cyber oversight.
Reeder said one example of how the circular is out of date is that it doesn’t mention the Homeland Security Department at all while highlighting the General Services Administration’s role in cybersecurity.
“OMB has since issued guidance to revisit the whole question of responsibilities in the circular, specifically to acknowledge and explicitly task DHS in some areas. This is an area that has created some heartburn on Capitol Hill, we know,” Reeder said. “At the same time, we think OMB has ample authority to address a large part of this. The role of GSA has certainly changed. In fact, some of the governmentwide responsibilities that were assigned to GSA probably belong more appropriately in DHS.”
Evans said another area is to include the concept of services in A-130. With the push by the administration to use cloud computing and shared services, OMB is telling agencies to get out of the business of owning their own systems. But at the same time, inspectors general and Government Accountability Office auditors still are holding departments responsible for the security of those systems.
“The idea of getting rid of these physical types of systems, it’s an Oracle this, or it’s that, it’s more like here is the data and here is the service associated with that,” she said. “That becomes the new definition of how security gets measured and progress or non-progress against that would be measured.”
A third area is whether to consider the development of a maturity model for cybersecurity. There are maturity models for software development and for enterprise architecture. Evans wondered if agencies could use such a cyber maturity model to assess their risk and decide which level of maturity meets their needs the best and then work toward that level.
A cyber maturity model may help IGs
If OMB added a maturity model to the oversight process, it would give agencies and IGs a roadmap to follow, Evans said.
Gail Stone, a deputy assistant IG for audit of financial systems and operations audits for the Social Security Administration and a member of the advisory board, said she thinks IGs would give a maturity model mixed reviews.
Stone herself thinks a maturity model would make systems easier to audit because it would give her a solid baseline. Once a few areas are clarified, such as the definition of a system, which she says now forces IGs and agencies into unnecessary conversations, the process would be much smoother.
Two other areas would be the most difficult to address in the A-130 revision.
Evans said with the push toward continuous monitoring, OMB should consider redefining what makes a system.
Under A-130, a major information system “means an information system that requires special management attention because of its importance to an agency mission; its high development, operating or maintenance costs; or its significant role in the administration of agency programs, finances, property or other resources.”
But with cloud computing and shared services, Evans said it may be time to change that definition, and she offered a possible new way to define a system.
She said it starts with information and its use.
“You would put groupings or security around the types of information that you are managing,” Evans said. “Therefore, things like shared service or cloud services or as technology evolves, you are really thinking about having information as an asset, and what is the risk associated with that. Then how do you measure that and who is responsible for this grouping of information?”
Reeder called this the most challenging change intellectually.
“How do we move away from a definition of major application or system to a construct that recognizes a reality, at least in our view, the organizing principle is probably around information?” he said. “At an abstract level, it sounds pretty easy, but as a practical matter, it will take a lot of work.”
The third-rail of A-130
The second big area that could be an obstacle is what Reeder called the third-rail of A-130 — redefining what is a national security system and what isn’t.
Under A-130, a national security system is defined with a five-part definition that covers most systems run by agencies such as the NSA, CIA, Defense Intelligence Agency and the other 14 intelligence community agencies.
But the problem is that similar systems outside the intelligence community, those holding classified data or, for that matter, unclassified data, may come under A-130. Reeder called the separation of the two types of systems a bright line in the law.
“That bright line doesn’t work for several reasons, in my opinion. One is a substantial portion of our cybersecurity competence lives on the dark side of the bright line,” he said. “Duplicating that technical capability on the civilian side — though certainly DHS and NIST are highly competent agencies — is plain silly. It’s an economic question.”
Reeder said the other reason is the line between those systems really doesn’t exist anymore.
“Is a payroll system that is used to pay people in the Department of Defense fundamentally different from a payroll system, in the security characteristics, in the risks attendant to operate, as a civilian agency,” he said. “We are trying to make distinctions where, as a practical matter, none exist.”
Whether or not Congress passes a comprehensive cybersecurity bill and President Barack Obama signs it into law, OMB’s changes to A-130 also will make life easier for agencies and IGs.
Reeder said the current approach causes agencies to spend money on things that do not enhance security.
But a revision to A-130 would let agencies focus on real threats and mitigate risks rather than responding to checklists, he said.
“Certainly, the agencies that get it would find their lives would be easier if some provisions were modified,” he said.