Taking Steps to Improve Federal Information Security

In a rapidly changing technological environment, we must have robust procedures, policies, and systems in place to protect our nation’s most sensitive information. Growing cybersecurity threats make it ever more important for the Federal government to maintain comprehensive information security controls to assess and mitigate emerging risks. That is why today, the Office of Management and Budget, in coordination with our partners at the National Security Council (NSC) staff and the Department of Homeland Security (DHS), is releasing annual guidance to agencies on improving the security of Federal information and networks, in accordance with the Federal Information Security Management Act (FISMA) of 2002.

This year, and for the first time, the annual guidance on Improving Information Security and Privacy Management Practices, establishes a new process for DHS to conduct regular and proactive scans of Federal civilian agency networks to enable faster and more comprehensive responses to major cybersecurity vulnerabilities and incidents.  This new process complements existing agency information security operations, to include network scans, and will provide a consistent scanning methodology that quickly identifies risks and vulnerabilities that may have government-wide implications.

In coordination with this release, the DHS is publishing the FY 2015 Chief Information Officer (CIO) Annual Federal Information Security Management Act (FISMA) Metrics and Updated U.S. Computer Emergency Readiness Team (US-CERT) Incident Notification Guidelines.

• The FISMA Metrics are the result of a yearlong inter-agency process to improve the quality of the metrics.  Ultimately, these metrics are more than just a compliance exercise – they will get us closer to determining whether our processes are actually making us safer.
• The US-CERT Incident Notification Guidelines streamline the way agencies report cybersecurity incident information to US-CERT, while improving US-CERT’s ability to quickly respond to emerging cybersecurity threats.

These substantial improvements should not distract from the important work that lies ahead.  Evolving cybersecurity incidents underscore why agencies must remain ever vigilant to combat emerging threats.  As such, OMB, in coordination with the NSC staff and DHS, will continue to prioritize implementation of the FY 2015 Cybersecurity Cross Agency Priority (CAP) Goals and the DHS Continuous Diagnostics and Mitigation (CDM) program.  The FY 2015 CAP Goals, which can be found on www.performance.gov will continue to emphasize the implementation of basic cyber hygiene practices.  Additionally, once fully implemented, the DHS CDM program (initiated by M-14-03:  Enhancing the Security of Federal Information and Information Systems) will allow agencies to continuously monitor their networks and respond to risk indicators in near real-time. Ensuring the security of information on the Federal government’s networks and systems will remain a core focus of the Administration as we move forward aggressively to implement new protections and respond quickly to new challenges as they arise.

Beth Cobert is the Deputy Director for Management at the Office of Management and Budget.