OMB Sets Agency Deadlines To Strengthen Cybersecurity

The Obama administration issues new guidelines for continuous monitoring programs to bolster information security.

The Office of Management and Budget (OMB) has directed the heads of all federal departments and agencies to implement measures to safeguard federal information systems and the information they process and store.

Among other measures, the OMB has made cybersecurity one of 14 cross-agency performance priority goals that agencies are responsible for achieving. And the memo to federal agencies provides guidelines for managing information security risks through continuous monitoring processes established by the National Institute of Standards and Technology.

OMB Director Sylvia Burwell said in the memo that all agencies must establish information security continuous monitoring (ISCM) programs that help them manage security risks and address how they authorize information systems (and the environments in which they operate) on an ongoing basis. "All strategies must address the agencies' plans for transitioning to and maintaining consistency with federal information security policies, standards, and guidelines."

To firm up the nation's cybersecurity approach, Burwell also directed agencies to develop plans in coordination with the Department of Homeland Security (DHS).

Another critical component of the OMB's initiative to fully implement ISCM across the government is a push for standardization. Burwell said ISCM must become an "agency-wide solution" for deploying products and services. Under the DHS Continuous Diagnostics and Mitigation (CDM) Program, federal, state, and local governments can deploy a basic set of capabilities for continuous monitoring as part of a blanket purchase agreement (BPA).

[What agencies also need to know about cybersecurity for the cloud: Read Q&A: FedRAMP Director Discusses Cloud Security Innovation]

In August, the General Services Administration and the DHS awarded a BPA to 17 vendors that supply hardware and software for implementing continuous-monitoring-as-a-service. The contract provides a "consistent, government-wide set of information security continuous monitoring tools to enhance the federal government's ability to identify and respond, in real-time or near real-time, to the risk of emerging cyber threats," Burwell said.

The memo set deadlines of Feb. 28, 2014, for agencies to develop their ISCM strategy and April 30, 2014, for naming specific individuals who will manage ISCM programs. Agencies are also required to verify by May 30, 2014, that all information systems are authorized to operate according to federal requirements before deploying their continuous monitoring initiatives. Those initiatives are part of a broader effort to make continuous monitoring central to agency information security controls by fiscal year 2017.

The DHS is tasked with training agency managers on how to implement ISCM. It will also provide contract support to agencies that obtain ISCM services through the CDM Program, the memo said. The initial suite of products available under the BPA covers hardware asset management, software asset management (such as malware management), configuration setting management, and common vulnerability management. The suite will expand to cover additional capabilities.

"By strengthening the underlying information technology infrastructure through the application of state-of-the-art architectural and engineering solutions, agencies can improve the effectiveness of the safeguards and countermeasures protecting federal information," Burwell said.

Moving email to the cloud has lowered IT costs and improved efficiency. Find out what federal agencies can learn from early adopters. Also in the Great Email Migration issue of InformationWeek Government: Lessons from a successful government data site (free registration required).