Information Security

OMB updates info security guidance, accelerates real-time monitoring

Shutterstock image: examining computer code.

OMB is rewriting outdated information security standards in response to new legislation, while an increased focus on cybersecurity offers a window into federal networks.

The government is still managing information security under policy guidelines developed before the Department of Homeland Security even existed. For the past few years, the Office of Management and Budget has been developing revisions to its A-130 Circular, to catch up with the way agencies were managing security. The task is taking on a little more urgency as the government works to implement legislation passed in the final hours of the 113th Congress covering federal network security and IT acquisition.

The changes will bring the guidance up to date with the Federal Information Security Management Act modernization, and the Series 800 guidelines promulgated by the National Institute for Standards and Technology (NIST), Carol Bales, a senior policy analyst at the  Office of Management and Budget, said at a meeting of NIST's Information Security and Privacy Advisory Board on Feb. 12. The new A-130 will also take into account an OMB memorandum waiving the three-year security reauthorizations that agencies were required to undergo.

Bales said a comprehensive update of the A-130, that takes into account the new FISMA and FITARA statues, should be ready by December 2015.

OMB is also upping its cybersecurity game on the operational side. Grant Schneider, who previously served as CIO of the Defense Intelligence Agency, is on a two-year detail to OMB to act as cybersecurity advisor to the federal CIO, and to lead a dedicated cybersecurity and national security unit inside OMB that has been stood up in the last month and a half.

Schneider is also working on implementation of the continuous diagnostics and mitigation (CDM) program that is jointly administered with DHS. Policy and guidance will only get you so far, Schneider said, at the ISPAB meeting on Feb. 11. CDM gives agencies a dashboard view of activities on their networks, and gives OMB and DHS a government-wide view that can help identify problems and protect networks.

"In my experience, with most security incidents and certainly most successful ones, the vast majority exploited a known vulnerability or a known user behavior. We know that people shouldn't click on that email, and unzip the zip file and execute the executable file, we all know not to do that, and yet those things still tend to happen. We think that with CDM, we're going to get significantly further ahead because now we'll know where our vulnerabilities are," he said.

All of these efforts are improving the security posture of federal networks, Schneider said. "We're doing oversight with deputy directors of agencies at levels that we've never done before. They're getting far more involved, willingly or unwillingly in their cybersecurity," he said. But the big unknown remains whether progress is outpacing adversaries' ability to attack, he said.

"Time will tell. Unfortunately we never talk about the cybersecurity defensive successes. They don't make the news," Schneider said.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.