Information Security

OMB updates info security guidance, accelerates real-time monitoring

OMB is rewriting outdated information security standards in response to new legislation, while an increased focus on cybersecurity offers a window into federal networks.

The government is still managing information security under policy guidelines developed before the Department of Homeland Security even existed. For the past few years, the Office of Management and Budget has been developing revisions to its A-130 Circular, to catch up with the way agencies were managing security. The task is taking on a little more urgency as the government works to implement legislation passed in the final hours of the 113th Congress covering federal network security and IT acquisition.

The changes will bring the guidance up to date with the Federal Information Security Management Act modernization and the Series 800 guidelines promulgated by the National Institute for Standards and Technology (NIST), Carol Bales, a senior policy analyst at the Office of Management and Budget, said at a meeting of NIST's Information Security and Privacy Advisory Board on Feb. 12. The new A-130 will also take into account an OMB memorandum waiving the three-year security reauthorizations that agencies were required to undergo.

Bales said a comprehensive update of the A-130 that takes into account the new FISMA and FITARA statutes should be ready by December 2015.

OMB is also upping its cybersecurity game on the operational side. Grant Schneider, who previously served as CIO of the Defense Intelligence Agency, is on a two-year detail to OMB to act as cybersecurity advisor to the federal CIO, and to lead a dedicated cybersecurity and national security unit inside OMB that has been stood up in the last month and a half.

Schneider is also working on implementation of the continuous diagnostics and mitigation (CDM) program that is jointly administered with DHS. Policy and guidance will only get you so far, Schneider said at the ISPAB meeting on Feb. 11. CDM gives agencies a dashboard view of activities on their networks, and gives OMB and DHS a government-wide view that can help identify problems and protect networks.

"In my experience, with most security incidents and certainly most successful ones, the vast majority exploited a known vulnerability or a known user behavior. We know that people shouldn't click on that email, and unzip the zip file and execute the executable file, we all know not to do that, and yet those things still tend to happen. We think that with CDM, we're going to get significantly further ahead because now we'll know where our vulnerabilities are," he said.

All of these efforts are improving the security posture of federal networks, Schneider said. "We're doing oversight with deputy directors of agencies at levels that we've never done before. They're getting far more involved, willingly or unwillingly, in their cybersecurity," he said. But the big unknown remains whether progress is outpacing adversaries' ability to attack, he said.

"Time will tell. Unfortunately we never talk about the cybersecurity defensive successes. They don't make the news," Schneider said.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
