The Trump administration has vowed that it will offer “maximum support” to agencies as they work to enhance cybersecurity, according to Federal CISO Grant Schneider.
Speaking last week at the Billington Cybersecurity Summit in Washington, D.C., Schneider said that the Office of Management and Budget has sought “to establish the ground floor of expectations for Federal agencies” on IT security, according to MeriTalk.
OMB is also revamping the government’s process for reviewing the cybersecurity postures at civilian agencies. The reviews, known as CyberStat, are “meant to function as one-on-one, in-depth analyses” between OMB and agencies, as FCW reports.
OMB sets and manages federal cybersecurity policy under the Federal Information Security Management Act, and the CyberStat reviews are meant to help agencies that may be struggling to comply with FISMA, helping them overcome issues by identifying the main causes of vulnerabilities so that they can be corrected, as FCW notes.
Schneider told FCW that the CyberStat program will be “evolving,” following a July Government Accountability Office report that found the number of reviews have dropped dramatically in recent years.
OMB Looks to Evolve the Conversation on Cybersecurity
Schneider said that, in concert with the Department of Homeland Security, “we really want to be there as a support structure” to improve federal cybersecurity, according to MeriTalk. The Trump administration, and Schneider in particular, has focused on treating cybersecurity as a risk management issue as opposed to something agencies need to do to check boxes so that they can be in compliance with FISMA.
“Talk about risk with your senior leadership,” Schneider advised when asked what agencies could do to improve IT security, according to MeriTalk. That includes mitigation capabilities and risk tolerance. Agency IT leaders also need to “focus on fundamentals,” including due diligence and patching known vulnerabilities, he added.
As MeriTalk reports, Schneider also highlighted DHS’ Continuous Diagnostics and Mitigation program as a “critical factor” for helping agencies enhance cybersecurity.
The GAO report notes that since the agency’s September 2017 report on fiscal year 2016 FISMA implementation, the number of agencies that have participated in a CyberStat engagement had “significantly declined.”
In fiscal year 2016, OMB scheduled CyberStat meetings with 24 agencies to “help develop action items that address information security risk, identify areas for targeted assistance, and track performance at the agencies throughout the year,” according to the report.
The number of agencies scheduled to participate in a CyberStat meeting fell to five during fiscal year 2017, then three during fiscal year 2018. As of May, according to the report, OMB staff in the Office of the Federal Chief Information Officer said that the agency had not scheduled any agencies to participate in a CyberStat engagement during fiscal year 2019. Schneider said there will be new reviews in the next fiscal year.
“By conducting fewer CyberStat engagements with agencies, OMB loses an opportunity to assist agencies with improving their information security posture,” the report says. “Additionally, OMB will limit its ability to oversee specific agency efforts to provide information security protections for federal information and information systems.”
The GAO recommends that director of OMB “should expand its coordination of CyberStat review meetings for those agencies with a demonstrated need for assistance in implementing information security.”
Schneider told FCW that his agency is taking “a hard look” at CyberStat and wants to reimagine the process ahead of next fiscal year. “What do we want the CyberStat program to look like and achieve,” he said, “and what are those numbers going to be?”
It’s not clear how the process will evolve, but Schneider told FCW that earlier versions of CyberStat were “higher level and really more about management attention” around meeting legal compliance metrics and going over general cybersecurity implementation challenges. Over the past few years, he told FCW, the reviews have morphed into a more holistic review of technical challenges agencies are facing with cybersecurity.
Schneider’s predecessor as federal CISO, retired Air Force Brig. Gen. Greg Touhill, told FCW at the Billington conference that earlier versions of CyberStat did not incorporate regular network monitoring data from programs like CDM, which were less mature than they are now.
“As you roll out those technologies and CDM, it makes sense you're going to pivot on CyberStat from instead of just … sampling a given period of time and sitting down with the deputy secretary, [to] having that information continuously available and quantified,” Touhill told FCW. “So I do think it’s important to make sure you have those management reviews but don’t necessarily rely on the way it used to be. We need to continue using the information that’s current and relevant.”