OMB updates info security guidance, accelerates real-time monitoring

OMB is rewriting outdated standards in response to new legislation, while an increased focus on cybersecurity offers a window into federal networks.


The government is still managing information security under policy guidelines developed before the Department of Homeland Security even existed. For the past few years, the Office of Management and Budget has been developing revisions to its A-130 Circular to catch up with the way agencies were managing security. The task is taking on a little more urgency as the government works to implement legislation passed in the final hours of the 113th Congress covering federal network security and IT acquisition.

The changes will bring the guidance up to date with the Federal Information Security Management Act modernization and the Series 800 guidelines promulgated by the National Institute of Standards and Technology (NIST), Carol Bales, a senior policy analyst at the Office of Management and Budget, said at a meeting of NIST's Information Security and Privacy Advisory Board on Feb. 12. The new A-130 will also take into account an OMB memorandum waiving the three-year security reauthorizations that agencies were required to undergo.

Bales said a comprehensive update of the A-130 that takes into account the new FISMA and FITARA statutes should be ready by December 2015.

OMB is also upping its cybersecurity game on the operational side. Grant Schneider, who previously served as CIO of the Defense Intelligence Agency, is on a two-year detail to OMB to act as cybersecurity advisor to the federal CIO, and to lead a dedicated cybersecurity and national security unit inside OMB that has been stood up in the last month and a half.

Schneider is also working on implementation of the continuous diagnostics and mitigation (CDM) program that is jointly administered with DHS. Policy and guidance will only get you so far, Schneider said at the ISPAB meeting on Feb. 11. CDM gives agencies a dashboard view of activities on their networks, and gives OMB and DHS a government-wide view that can help identify problems and protect networks.

"In my experience, with most security incidents and certainly most successful ones, the vast majority exploited a known vulnerability or a known user behavior. We know that people shouldn't click on that email, and unzip the zip file and execute the executable file, we all know not to do that, and yet those things still tend to happen. We think that with CDM, we're going to get significantly further ahead because now we'll know where our vulnerabilities are," he said.

All of these efforts are improving the security posture of federal networks, Schneider said. "We're doing oversight with deputy directors of agencies at levels that we've never done before. They're getting far more involved, willingly or unwillingly, in their cybersecurity," he said. But the big unknown remains whether progress is outpacing adversaries' ability to attack, he said.

"Time will tell. Unfortunately we never talk about the cybersecurity defensive successes. They don't make the news," Schneider said.