New OMB guidance focuses on federal data collection, privacy management requirements

The U.S. Office of Management and Budget (OMB) recently published a memorandum that requires executive departments and federal agencies to report on at least 80 percent of government-furnished equipment (GFE) through the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program by the end of the current fiscal year. The OMB memo also establishes a CISO Council FISMA Metrics Subcommittee tasked with advising the OMB on refining and improving FISMA guidance and metrics.

The current OMB memorandum follows U.S. President Joe Biden’s Executive Order 14028, released last May, and a January 2022 OMB memorandum that directs agencies to the highest-value starting points on their path to a zero-trust strategy and describes several shared services that should be prioritized to support a long-term government-wide effort. In July, the OMB and the Office of the National Cyber Director (ONCD) released another OMB memorandum outlining the cross-agency cyber investment priorities of the U.S. administration. It calls upon federal civilian executive branch (FCEB) agencies to make investments across three cyber priorities.

The memorandum said that federal agencies will make progress toward that outcome by meeting the requirements of a CISA Binding Operational Directive (BOD) issued in October, which called upon FCEB agencies to make measurable progress toward enhancing visibility into asset discovery and vulnerability enumeration across their networks.

“CISA will provide OMB with performance data, including information on scanning cadence, rigor, and completeness of vulnerability enumeration starting in the third quarter of FY 2023, as part of the FY 2023 metrics,” the current OMB memorandum said. “Starting in the first quarter of FY 2023, agencies must provide data on assets in an automated manner to the maximum extent feasible.” 

CISA and the CISO Council FISMA Metrics Subcommittee will work with OMB to identify future metrics for automation in FY 2024 and beyond, the memorandum said. “Fully automated identification of certain assets through CDM may not be feasible. Agencies must continue to report such assets through CyberScope,” it added.

Additionally, to assist agencies in better understanding and identifying “instances of critical software,” CISA will make available to agencies a list of software categories that meet the definition of critical software no later than January 15, 2023. CISA will include examples of software products in each category so that FISMA reporting on this metric remains consistent.

The memorandum said that, to ensure agencies continue to drive forward implementation of EO 14028 and subsequent Administration actions, it is designed to modernize FISMA data collection in five ways: measuring zero trust implementation, providing clear, actionable, and outcome-focused data, ensuring input from across the federal enterprise, improving security-privacy coordination, and working on ways to improve incident response.

Addressing the zero trust approach, the OMB memorandum said that “the Federal Government no longer considers any Federal system or network to be ‘trusted’ unless that confidence is justified by clear data; this means internal traffic and data must be considered at risk. Historically, FISMA metrics have not focused enough on defense measures beyond the perimeter. Because modern cyber threat campaigns have continued to find success in breaching perimeters, it is essential to evaluate cybersecurity measures throughout the entire ecosystem.” 

With this guidance, OMB continues to refine and update metrics to assess agencies’ protection from threat actors, it added. “Adequate protection derives not simply from the maintenance of outer defenses, but also from restricting the attack surface available to threat actors and the rapid detection and neutralization of malicious activity.”

The OMB guidance also works to ensure that agencies can continue to focus on outcomes over manual reporting, as the FY 2023 chief information officers (CIOs) metrics will fully automate certain reporting. “Even where full automation is not yet achievable, this memorandum requires CISA to provide performance and incident data to OMB in an automated manner and machine-readable format. Collecting and reviewing data consumes time that could be spent on security outcomes,” it added. 

Additionally, the OMB intends for agencies to collect only data that provides critical insight into their security stance. “This guidance (and associated CIO and IG metrics) will provide clarity on agency maturity in high-impact capability areas and inform risk-based decisions and agency investments—all while reducing the burden on individual agencies.”

The OMB guidance also builds on administration efforts to ensure CISA works closely with federal agencies in building a cohesive, coordinated incident response infrastructure. “EO 14028 laid out a series of actions to modernize the Federal Government’s investigative and remediation capabilities. If incidents are not properly reported—or updates are improperly logged—the detection, investigation, and remediation of sophisticated cyber threats may suffer,” it added.

For fiscal year 2023, the CISO Council FISMA Metrics Subcommittee will work on identifying appropriate means and intervals for testing critical systems, and on clarifying the components and boundaries of FISMA systems so that agencies can identify and assess those systems, including high-value assets, more consistently. It will also prioritize the automation of specific metrics for FY 2024 and beyond, and work with agencies to prepare the processes necessary to ensure accurate data.

Furthermore, the subcommittee is tasked with incorporating CDM data into FISMA reporting, and with recommending additional methodologies to capture information on agency risk-based decisions and mitigations, as well as agency exceptions to OMB policies and guidance and to CISA Emergency Directives and BODs.
