Agency Cyber Risk Management Performance Under OMB Scrutiny in FY 2018

Published: October 19, 2017


The Office of Management and Budget (OMB)’s new cybersecurity reporting guidance directs agencies to assess and report on their cyber risk management.

Each year OMB provides agencies with reporting guidance and deadlines related to the Federal Information Security Modernization Act of 2014 (FISMA). The latest OMB memorandum provides reporting requirements for Fiscal Year (FY) 2017-2018.

With each update, OMB addresses current and new issues that track the evolution of federal cybersecurity efforts. Here are the high points of what appears to be new this year.

Updated Information Security Program Oversight and FISMA Reporting Requirements

Under FISMA, agencies are required to report on the status of their information security programs to OMB. The reporting metrics represent baseline security controls that all agencies must meet. CFO Act agencies are required to report their data quarterly, and non-CFO Act agencies must report on a semiannual basis. Starting in FY 2018, all federal civilian agencies must respond to all of the questions in their metrics submissions.

Risk Management Assessments

During FY 2017, OMB and the Department of Homeland Security (DHS) assessed federal civilian agencies’ risk management to comply with Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. For FY 2018, OMB will use the FISMA reporting process itself to conduct these risk management assessments and meet the requirements of the EO.

Privacy Breach Response

In addition to the FISMA metrics, each agency’s Senior Agency Official for Privacy (SAOP) must report on the agency’s breach response plan. The plan must be tailored to the agency and its missions, size, structure, and functions, and must include the policies and procedures for reporting, investigating, and managing a breach. OMB references its Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, from January 2017.

Improved Incident Response Coordination

To ensure the best possible response to incidents and attacks and to improve coordination with DHS:

  • All agency CIO and CISO positions, at a minimum, are to be designated as sensitive, requiring Top Secret/Sensitive Compartmented Information (TS/SCI) access, given that information regarding malicious-actor Tactics, Techniques, and Procedures (TTPs) is often classified.
  • Each agency will designate a principal Security Operations Center (SOC), which will be accountable for all incident response activities for that agency.

Consolidation of Requirements

OMB typically notes the areas and policies that new guidance supersedes or clarifies. This updated guidance consolidates requirements from prior OMB annual FISMA guidance to ensure consistency, performance, and the adoption of best practices. The consolidation also addresses the burden reduction requirements in OMB Memorandum M-17-26, Reducing Burden for Federal Agencies by Rescinding and Modifying OMB Memoranda. Accordingly, OMB rescinds the previous three FISMA guidance memos covering FY 2014-15, FY 2015-16, and FY 2016-17.