The Office of Management and Budget (OMB) on December 6 issued new Federal Information Security Management Act (FISMA) guidance to Federal agencies for Fiscal Years 2021-2022 that promotes agency action on several items in the Biden administration’s Cybersecurity Executive Order issued in May, and that also aligns with aspects of current Senate legislation on FISMA reform.
OMB’s new guidance supersedes previous FISMA and Cyber EO reporting guidance issued in memoranda M-21-02 and M-17-25. The agency said the guidance does not apply to “national security systems,” although OMB said, “agencies are encouraged to leverage the document to inform agency national security system management processes.”
“Recognizing that the current threat landscape requires agencies to be laser-focused on critical security measures called for by this administration, OMB has retooled its annual guidance to agencies on operating and measuring the success of their security and privacy posture,” an OMB official said.
The FISMA guidance updates, the official said, are aimed to “help agencies focus less on compliance-based activities, and spend more time measuring information that is closely tied to observable and practical security outcomes.”
“These changes are intended to define a maturity baseline in certain high-impact capability areas, improve the quality of performance data collected at the enterprise level, and accelerate our efforts to make more informed risk-based decisions and achieve observable security outcomes,” OMB said in its guidance to agencies.
“As federal agencies face ever more sophisticated attempts to compromise government systems, it is vital that agency security efforts are focused on making it demonstrably harder for our adversaries to succeed,” said Federal Chief Information Security Officer Chris DeRusha in a statement.
“OMB’s updated FISMA guidance is designed to help agencies focus on practical security outcomes by measuring the use of rigorous multilayered security testing, automation of security and compliance controls, and progress in adopting a zero trust architecture.”
New Guidance Thumbnails
OMB said the new guidance includes:
- Requirements from the Cyber EO regarding multifactor authentication and encryption;
- Laying a foundation for collecting information that will support OMB’s zero trust strategy that the agency released in September;
- A review of the Continuous Diagnostics and Mitigation (CDM) Program and work to make it more effective in FY 2022;
- Requirements for Federal agencies to invest in more “sophisticated and multilayered application testing requirements” – which has been a big focus of DeRusha’s push this year for legislative updated of the FISMA statute;
- More Federal agency use of security automation technologies to improve efficiency and transparency;
- Implementation guidance for CISA’s cyber Incident Response Playbook.
OMB clarified that its new guidance represents its regular annual guidance to agencies rather than separate legislative efforts to update the FISMA law. The agency also said that required FISMA metrics under the existing law would be published within several days.
Here’s a closer look at the major items in the OMB memo to agencies:
OMB’s guidance lists the following tenets for agency reform of performance management. Those include:
- Many of the agency’s previously disclosed building blocks toward zero trust security architectures include the use of phishing-resistant multifactor authentication, an inventory of every device the government uses and the ability to prevent and respond to incidents on those devices, encryption of all Domain Name Systems and HHTP traffic, treatment of all applications as internet-connected, deployment of protections that make use of data categorization, and implementation of enterprise-wide logging and information sharing;
- Movement toward greater “ground truth testing” of agency security including methods that “empirically validate security and find weaknesses, such as manual and automated penetration testing and red team exercises”;
- FISMA assessments that move away from a checklist of controls to ones that “focus on risk-based processes that will provider agencies with sufficient information to consider threat, capability, and impact,” and allow agencies to “prioritize their efforts and orient towards the greatest threats facing the nation, as well as the individual risks faced by each agency”; and
- An emphasis on greater use of automation to collect FISMA data including the use of machine-readable data “to speed up reporting, reduce agency burden, and improve outcomes.”
Cyber EO-Related Reporting
OMB said agencies as part of their FY 2022 FISMA reporting, “will engage in key reporting activities” over the next year to satisfy requirements in the Cyber EO and that OMB may update required reporting metrics throughout the year. “The goal is to use existing data collection channels where possible to reduce burden while improving the quality and understanding of agency progress,” OMB said.
Cyber Incident Response Playbook
OMB said that agencies will begin to use the standardized cyber incident response playbook released last month by the Cybersecurity and Infrastructure Security Agency (CISA), emphasizing that “standardized response processes ensure a more coordinated and centralized cataloging of incidents and agency progress toward successful responses.”
As part of that effort, agencies will improve incident response for “planning and conducting cybersecurity vulnerability and incident response activities for agency information systems,” including detailing progress and completion through all phases of response and using the playbook’s common lexicon to “express current cybersecurity status in relation to a specific incident.”
CDM Program Provisions
OMB said that CISA will undertake a program review of its Continuous Diagnostics and Mitigation (CDM) program “and incorporate lessons learned into a strategy to continue improving the program for FY22.” That strategy, OMB said, “will articulate challenges and opportunities for improving delivery, data quality, and support for automation.”
Along with that, CISA will by April 2022 work with OMB and the National Institute of Standards and Technology (NIST) to “develop a strategy to continue to evolve machine-readable data standards for cybersecurity performance and compliance data through CDM (or a successor process).”
“This strategy will include a set of metrics (supplementing the existing CIO metrics) based on NIST Standards (e.g., NIST SP 800-53) for controls that can be reported in an automated manner, and will set forth a timeline for when these metrics will be collected automatically,” OMB said.
“These metrics should include the effectiveness of the Data Quality Management Plan (DQMP) and subsequent data exchanges. OMB will use these metrics in a scorecard and will begin to grade agencies by December 2022,” OMB said. “CISA will enable ongoing access to the data required to grade agencies on the new scorecard (through the CDM Federal dashboard or successor) to OMB and the Office of the National Cyber Director no later than December 2022.”
In acquiring monitoring tools, OMB said agencies will have the option to acquire technology outside of current or future CDM DEFEND contracts, but will need to justify that decision in writing to the CDM program, the Federal CISO, and the Federal CIO, “for concurrence.”
Agencies that previously acquired tools and capabilities outside of CDM acquisition vehicles may continue to use them, but are required to ensure they meet all CDM Federal Dashboard requirements.
“Further, when agencies exchange data with the Federal Dashboard, they have full responsibility for responding to risks identified through the CDM program and/or the agency dashboard,” OMB said, adding, “agencies are encouraged to provide the CDM PMO feedback on existing tools and input on additional tools that may prove valuable for current or future CDM acquisition vehicles.”
OMB also said that when the CDM PMO buys tools on behalf of an agency to fulfill CDM program requirements, the program will cover license and maintenance costs of the base year, and the maintenance cost for the first option year. CFO Act agencies will be responsible for funding longer-term operations and maintenance costs of tools and capabilities. For non-CFO Act agencies that can’t cover the cost of CDM tools, the CDM PMO will cover all costs.
The OMB FISMA guidance also states deadlines for agencies to report their annual CIO and Senior Agency Official for Privacy (SAOP) metrics.
OMB said that all agencies must update their CIO metrics quarterly. It continued, “Reflecting the Administration’s shift in focus from compliance to risk management, as well as the guidance and requirements outlined in OMB Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program, Binding Operational Directive 18-02, Securing High Value Assets, and High Value Asset Program Supplemental Guidance 2.0, the CIO metrics are not limited to assessments and capabilities within NIST security baselines, and agency responses should reflect actual implementation levels.”
“OMB will identify agency programs that require additional support using CIO metrics and will utilize targeted agency engagement sessions to improve outcomes of agency information security programs and cybersecurity-mission programs,” the agency said.
For metrics provided to the Council of the Inspectors general on Integrity and Efficiency (CIGIE), agencies report on these IG metrics annually. OMB said it is “encouraging agencies to shift to a continuous assessment process for their independent assessment” that produces the IG metrics, and to help facilitate that change, OMB and CIGIE are transitioning the IG metrics process to a multi-year cycle. As a result, OMB will select a core group of metrics that need to be evaluated annually, and then the rest of the standards and controls will be evaluated in metrics on a two-year cycle based on agreement among CIGIE, the Federal CISO Council, OMB, and CISA.
OMB said that SAOP reporting will be done annually, and that agency’s should submit documents regarding their privacy plans, changes to the plan including leadership, breach response plan, continuous monitoring strategy, and how agencies are taking steps to avoid the use of social security numbers as personal identifiers.
OMB said that annual letters from agency heads required by FISMA regulations must feature a detailed assessment of adequacy and effectiveness of agency information security policies, including details on assessments for FY 2021 FISMA metrics, details on the total number of information security incidents reported through the CISA Incident Reporting System, and a detailed description of each incident including attack vectors, response, remediation, and system impacts, among other items.
OMB said agencies must also submit annual FISMA reports to the chairs and ranking members of the: House Oversight and Reform Committee; House Homeland Security Committee; House Science, Space, and Technology Committee; Senate Homeland Security and Governmental Affairs Committee; Senate Commerce, Science, and Transportation Committee; “appropriate authorization and appropriations committees” in the House and Senate; and the Government Accountability Office.
Incident Reporting Requirements
OMB also provided guidance to agencies for submitting incident response data, including reporting incidents to CISA within 72 hours, and details on how it plans to quicken the process.
“An estimated 47 percent of the incidents reported in the FY 2020 Annual FISMA report were reported by agencies through the webform on the US-CERT website, rather than automatically communicated through a machine-readable data format,” OMB said. “To ensure accurate reporting of information, agencies have historically needed to painstakingly and manually compare their incidents with US-CERT’s account.”
“By late spring of 2022, CISA, in coordination with OMB, will develop a strategy, including any technical standards, to modernize and improve the use of machine-readable incident data and indicators in a manner that communicates directly with agency SOCs and/or incident reporting systems. CISA will provide OMB real-time access to incident information no later than December 2022.”
Major Cyber Incident Definition
OMB also offered guidance to agencies on how to define a “major” cyber incident.
“A major incident is EITHER:
- Any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. Agencies should determine the level of impact of the incident by using the existing incident management process established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Computer Security Incident Handling Guide,
- A breach that involves personally identifiable information (PII) that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people.”
“While agencies should assess each breach on a case-by-case basis to determine whether the breach meets the definition of a major incident, this memorandum requires a determination of major incident for any unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to the PII of 100,000 or more people,” OMB said.