OMB’s Updated Cybersecurity Guidance Pushes Agencies to Share Their Data

Published: November 19, 2020


Federal agencies will be required to implement cybersecurity posture data exchange capabilities by the end of fiscal year 2021.

Each year about this time, the Office of Management and Budget (OMB) issues updated guidance to agencies on what they need to do in the new fiscal year (FY) to meet federal cybersecurity and privacy requirements, including reporting requirements under the Federal Information Security Management Act (FISMA). In the recently released FY 2020-2021 Guidance memo on Federal Information Security and Privacy Management Requirements, OMB took the opportunity to continue raising the bar for agencies to implement cybersecurity capabilities under the Continuous Diagnostics and Mitigation (CDM) program.

Requiring Cybersecurity Dashboard Data Exchange in FY 2021

One of the CDM program’s FY 2021 priorities is to add agencies to the list of those leveraging the new CDM dashboard to maintain cyber-situational awareness. Agencies that have the technical capabilities in place to operate, maintain, and exchange the cybersecurity data will be able to exchange data with CISA’s federal-wide dashboard to provide aggregated situational awareness of federal cybersecurity posture.

According to the updated guidance, to help agencies meet the technical data standards, the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security (DHS) will provide agencies with the CDM Program Data Quality Management Plan (DQMP), and the CDM Program Management Office (PMO) will work with agencies to implement the data exchange. OMB emphasized the goal of ensuring that “all CFO Act agencies are certified and fully able to exchange timely data to the Federal Dashboard by the end of FY 2021” (emphasis is OMB’s). For CFO Act agencies that are unable to meet this target date, their Chief Information Officer (CIO) must provide a written justification to both OMB and CISA.

Non-CFO Act agencies do not get a total pass on this either. The CDM PMO will work with participating non-CFO Act agencies to ensure that they establish information exchange between their dashboards and the Federal Dashboard by the end of FY 2021.

The push to get more agencies on board with CDM follows an August 2020 report by the Government Accountability Office (GAO) that found the use of CDM capabilities was uneven among some agencies. While the agencies GAO evaluated reported that the program improved their network awareness, none of those agencies had effectively implemented all key CDM program requirements. These issues reduced agencies’ situational awareness and ability to protect assets on their networks.