11/21/2013
08:00 AM

OMB Sets Agency Deadlines To Strengthen Cybersecurity

The Obama administration issues new guidelines for continuous monitoring programs to bolster information security.

The Office of Management and Budget (OMB) has directed the heads of all federal departments and agencies to implement measures to safeguard federal information systems and the information they process and store.

Among other measures, the OMB has made cybersecurity one of 14 cross-agency performance priority goals that agencies are responsible for achieving. And the memo to federal agencies provides guidelines for managing information security risks through continuous monitoring processes established by the National Institute of Standards and Technology.

OMB Director Sylvia Burwell said in the memo that all agencies must establish information security continuous monitoring (ISCM) programs that help them manage security risks and address how they authorize information systems (and the environments in which they operate) on an ongoing basis. "All strategies must address the agencies' plans for transitioning to and maintaining consistency with federal information security policies, standards, and guidelines."

To firm up the nation's cybersecurity approach, Burwell also directed agencies to develop plans in coordination with the Department of Homeland Security (DHS).

Another critical component of the OMB's initiative to fully implement ISCM across the government is a push for standardization. Burwell said ISCM must become an "agency-wide solution" for deploying products and services. Under the DHS Continuous Diagnostics and Mitigation (CDM) Program, federal, state, and local governments can deploy a basic set of capabilities for continuous monitoring as part of a blanket purchase agreement (BPA).

In August, the General Services Administration and the DHS awarded a BPA to 17 vendors that supply hardware and software for implementing continuous-monitoring-as-a-service. The contract provides a "consistent, government-wide set of information security continuous monitoring tools to enhance the federal government's ability to identify and respond, in real-time or near real-time, to the risk of emerging cyber threats," Burwell said.

The memo set deadlines of Feb. 28, 2014, for agencies to develop their ISCM strategy and April 30, 2014, for naming specific individuals who will manage ISCM programs. Agencies are also required to verify by May 30, 2014, that all information systems are authorized to operate according to federal requirements before deploying their continuous monitoring initiatives. Those initiatives are part of a broader effort to make continuous monitoring central to agency information security controls by fiscal year 2017.

The DHS is tasked with training agency managers on how to implement ISCM. It will also provide contract support to agencies that obtain ISCM services through the CDM Program, the memo said. The initial suite of products available under the BPA covers hardware asset management, software asset management (such as malware management), configuration setting management, and common vulnerability management. The suite will expand to cover additional capabilities.

"By strengthening the underlying information technology infrastructure through the application of state-of-the-art architectural and engineering solutions, agencies can improve the effectiveness of the safeguards and countermeasures protecting federal information," Burwell said.

Comments
Chuck Brooks,
User Rank: Author
11/26/2013 | 1:13:48 PM
OMB/Cyber
Because of the vulnerability to networks and systems, deadlines are critical. It is good to see OMB and DHS proactive on strengthening cybersecurity. Also, their role in promoting collaboration with the private sector is the right step.