The federal CISO’s plan for getting agencies to focus on cybersecurity measures the administration considers most urgent did not go over so well in a shifting Congress.
The Government Accountability Office wants to see more reporting from the Office of Management and Budget, an official from the agency told the House Oversight Committee’s panel on government operations during a biannual hearing to review agencies’ performance managing their information technology assets.
“It's unclear to me whether [OMB is] sitting on that information or whether they just don't have that information,” said GAO Information Technology and Cybersecurity Director Carrol Harris. “The main issue at hand is that there are, at this time, no specific [Information Technology Cross-Agency Performance] goals, and that is clearly and distinctly in the law, that they should have distinct IT CAP goals … and at this time, we don't see that coming out.”
Harris testified before the subcommittee Thursday. Her comments were in response to objections Rep. Jody Hice, R-Ga.—the ranking member of the subcommittee—raised to OMB’s methodology for assessing agencies, which he said does more to comply with a May 2021 executive order on cybersecurity than the law.
The CAP goals are required under the GPRA Modernization Act of 2010. GPRA refers to the 1993 Government Performance and Results Act. The goals are supposed to be issued—along with regular reporting on agencies’ performance toward meeting them on a publicly accessible website–every four years, under the law.
Referring to written testimony from Federal Chief Information Security Officer Chris DeRusha, who works from within OMB, Hice said, “you mention 20 references to the president's executive order on cybersecurity, but no references to the cross-agency priority goals.”
“This is backwards to me,” he continued, addressing DeRusha during the hearing. “Just because there's an executive order does not give you or anybody else the right to ignore federal law, including the administration, and it's time this stuff gets cleared up. The law is the law and it means something. And it does not mean that we can ignore it. And I would think that the chairman shares my frustration with this. The law is significant. It's the law for crying out loud.”
DeRusha said OMB’s position is that the agency is complying with the law, because they’ve integrated the president’s information technology and cybersecurity order into goals that should be prioritized across agencies.
“We made a decision to weave IT and cybersecurity throughout the president's management agenda and several CAP goals,” he said. “And we had a very aggressive executive order, which we needed to measure our progress on. So we repurposed our [Federal Information Security Modernization Act] metrics to really align with all of the goals and objectives that we laid out there.”
In an October 2021, interview with Nextgov, DeRusha indicated efforts were underway to reduce agencies’ reporting obligations, so they would have flexibility to focus on activities that he said were most important for protecting agencies against cybersecurity compromises, like the intrusion campaign involving federal IT management contractor SolarWinds.
DeRusha pointed to a new entry on Performance.gov—the website established to track the CAP goals—which outlines new metrics for assessing cybersecurity. The proposed metrics would award agencies more points for implementing measures to “protect” critical services, over four other functions outlined in the National Institute of Standards and Technology’s 2014 cybersecurity framework: identify, detect, respond and recover.
But GAO’s Harris said OMB needs to account separately for broader CAP goals, which were issued in 2018, under the previous administration.
“The law clearly states that these IT CAP goals need to be standalone, in order to address these long-standing IT management challenges that we face,” she said. “It's a great thing that OMB has infused and weaved technology into these other CAP goals, for example customer service ... all for that, but it is not addressing these long-standing issues that we have had with IT relative to cybersecurity and IT management.”
DeRusha said OMB is open to further adjusting the proposed metrics for assessing agencies’ cybersecurity.
“We're open to continuing conversations with the committee on other focus areas,” he said. “Our view is it's important that we've got the metrics out in public, and we're going to continue to evolve as we go.”