Jordan Burris, senior cybersecurity advisor to Federal CIO Suzette Kent at the Office of Management and Budget (OMB), said Friday at an Information Security and Privacy Advisory Board (ISPAB) meeting that Federal agencies are continuing to make progress on curbing their cybersecurity risks, following concerning findings from the White House.
These hints of progress come on the heels of the Federal Cybersecurity Risk Determination Report and Action Plan released by the OMB last month, which did not look kindly upon those agencies’ practices, saying three out of four are at serious cyber risk.
Burris reflected on the key findings of the risk report, and noted steps that OMB, along with the Department of Homeland Security (DHS), General Services Administration (GSA), and other agencies are taking to get better cybersecurity products into agency hands.
“We are working toward setting a direction for Federal cybersecurity that allows us to focus on the capabilities agencies should be working toward to protect against the threats we see in the landscape,” Burris said.
Part of that work, he said, involves OMB working with DHS to enhance the FISMA CIO Metrics that relate to mitigating threats, as well as DHS' .gov Cybersecurity Architecture Review program (.govCAR).
“Both the enhanced metrics and the .govCAR program will help set the direction for Federal cybersecurity for years to come,” Federal CIO Kent said in a May 30 statement.
DHS also released binding operational directive (BOD) 18-02 last month, aimed at securing the Federal government's most critical, high-impact information systems, known as high value assets (HVAs). Burris said OMB is working with DHS on HVAs and “looking at maturing the work that had been done,” by expanding the number of Federal agencies involved and incorporating security architecture reviews of those HVAs.
“We had to take a look at the architectures that were in place and find opportunities to improve them,” Burris said.
Another aspect of the HVA program is a partnership with GSA to refine the offerings under IT Schedule 70's Highly Adaptive Cybersecurity Services Special Item Numbers (HACS SINs), which cover penetration testing, incident response, cyber hunt, and vulnerability assessments.
“The intent behind this is to help expand the capabilities that are offered as part of HACS SINs,” Burris said. A request for information seeking input from industry stakeholders and from Federal, state, and local governments on how to enhance the HACS program closes tomorrow.
Burris also noted that OMB is looking to help agencies acquire security operations centers (SOCs) as a service, contracted from both fellow Federal agencies and private sector vendors that excel in the area. He said OMB is actively working to determine which Federal entities would be best equipped to provide these services.
“We’re still working on naming those agencies that are leaders in this area, and that’s something you can expect from us within a couple months,” he said.
Taking all of these programs into account, Burris said there is movement, which OMB is tracking through the President's Management Agenda, in using security capabilities to address the alarming gaps flagged in the risk report last month.
“I can say that we are continuing to make progress in achieving these items,” he said.