Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at the Department of Homeland Security, said today that the new update to Federal Information Security Modernization Act (FISMA) guidance will place even more accountability on department leaders and reflects an evolution in discussions between agencies and DHS.
“This has always been the case, but I think you see it much more clearance in the FISMA guidance now is, ‘Agency heads, you’re accountable for your cybersecurity,’” Manfra told a pool of reporters at the Symantec Government Symposium.
She called attention to DHS’ EINSTEIN intrusion prevention system, a mandatory requirement for Federal agencies in order to give DHS a window into potential cyberattacks. Manfra indicated that the conversation is now shifting to architecting EINSTEIN for individual agencies “in a way that makes sense.”
The new FISMA guidance, issued on Oct. 25, also includes language that reinforces the importance of DHS’ Continuous Diagnostics and Mitigation (CDM) program, while providing more flexibility around agency acquisition of monitoring tools. Manfra indicated the new guidelines may not necessarily mark a strong shift in agency adoption, because DHS is already seeing strong buy-in.
“Most agencies are very eager to take us up on CDM,” Manfra said of agency involvement in the CDM Program. “I actually see them more eager to take our services.”
She relayed takeaways from a meeting held Monday between DHS and agency CISOs and a portion of CIOs, where she said the conversation centered on establishing clearer definitions about what resources are provided by DHS, and what resources the agencies themselves contribute.
She noted that some CDM services provided by DHS will be mandated, “because we need to raise the baseline of security for all agencies,” she said. Other services will be provided on an “if needed” basis, dependent largely on agency resources and the awareness that larger cyber gaps may exist in certain agencies compared to others.
“There are some agencies that have more resources than others, that’s just a fact. So some agencies will need more assistance, and so we’re going to be having more capabilities that will be available but not necessarily mandated.” She again noted that the update to FISMA reinforces the approach her agency is taking.
“I think the FISMA guidance really reflects what we’ve been talking about. This is a risk management approach. You have the resources, you have to align your resources, and we’re working with all the agencies to understand what’s that baseline, what do we mandate, and then what’s that above area where it’s–if needed–that they can take advantage of it,” Manfra said.