Federal agencies have until September 30, 2023, to report at least 80 percent of their IT systems through the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program, according to OMB Federal Information Security Modernization Act (FISMA) guidance issued on Dec. 2.
The memo – which builds on OMB’s 2021 FISMA memorandum – pushes for agency action on several items highlighted in President Biden’s cybersecurity executive order issued in May 2021, with a focus on modernizing FISMA data collection.
Notable in the latest guidance is the shift away from manual reporting to automated means of tracking cybersecurity metrics across government.
The OMB guidance memo also follows CISA’s release in October of a binding operational directive which requires agencies beginning next year to more routinely scan their IT systems for assets and vulnerabilities through the CDM program.
The CDM program provides Federal agencies with tools to monitor vulnerabilities and threats in IT systems in near real-time. The program also provides agencies with a dashboard for tracking IT data, while also feeding agency data into a Federal Dashboard that gives CISA and OMB visibility across agency networks.
However, “even where full automation is not yet achievable, this memorandum requires CISA to provide performance and incident data to OMB in an automated manner and machine-readable format,” the new FISMA memo reads.
Collecting and reviewing data is time-consuming and impacts time that could be spent on security outcomes. Therefore, OMB intends for agencies to collect only data that provides critical insight into their security stance, according to the memo.
The memo also establishes a CISO Council FISMA Metrics Subcommittee to work with CISA to advise OMB on refining and improving FISMA guidance and metrics, specifically regarding automation. However, because fully automated identification of certain assets through CDM may not be feasible, the memo states that agencies can continue to report those systems through the Department of Homeland Security’s CyberScope website.
In addition, CISA plans to release a list of software categories that meet the definition of critical software no later than Jan. 15, 2023, to better assist agencies in understanding and identifying “instances of critical software,” the memo states.
CISA will include examples of software products in each category so that FISMA reporting on this metric remains consistent, it adds.
The memo also requires agencies that wish to acquire continuous monitoring tools via means outside the CDM program to provide sufficient justification before pursuing acquisition of those tools.
OMB also explained that it will continue to align performance management under FISMA with benchmarks for the implementation of zero trust architecture and the NIST Cybersecurity Framework to help measure progress made in accomplishing Federal zero trust strategy goals.
FISMA metrics have not focused enough on defense measures beyond the perimeter, and because modern cyber threat campaigns continue to succeed in breaching perimeters, it has become essential to evaluate cybersecurity measures throughout the entire ecosystem, according to the memo.
“With this guidance, OMB continues to refine and update metrics to assess agencies’ protection from threat actors,” the memo reads. “Adequate protection derives not simply from the maintenance of outer defenses, but also from restricting the attack surface available to threat actors and the rapid detection and neutralization of malicious activity.”