OMB and DHS Continue Actions, but Opportunities Remain for Improving Annual Reporting of Agency Information Security Programs
FISMA 2002 required that OMB, among other things, oversee and annually report to Congress on agencies’ implementation of information security policies, standards, and guidelines. To support its oversight responsibilities, OMB assigned responsibilities to DHS, including overseeing and assisting government efforts to provide adequate, risk-based, cost-effective cybersecurity. OMB and DHS have continued overseeing and assisting agencies with implementing and reporting on cybersecurity, including the following:
- CyberStat sessions: According to OMB, these sessions were held with agencies to ensure they are accountable for their cybersecurity posture and to assist them in developing a focused strategy for improving their information security. According to a DHS official, these sessions were held with eight agencies during fiscal year 2013 and four agencies during fiscal year 2014. OMB officials stated that, beginning in fiscal year 2015, these sessions will be held with agencies with high risk factors, as determined by cybersecurity performance and incident data.
- Cybersecurity metrics: Each year, OMB and DHS provide metrics to federal agencies and their inspectors general for preparing FISMA reports that DHS summarizes for OMB’s report to Congress. The metrics listed in the reporting guidance help to form the basis for information on agencies’ progress in implementing FISMA requirements and in determining whether agencies have met certain cybersecurity goals set by the current administration.
- Proactive scans of publicly-facing agency networks: In October 2014, OMB instructed DHS and federal agencies to implement a process that allows DHS to conduct regular and proactive vulnerability scans of the publicly-facing segments of the agencies’ networks. In addition, DHS is to provide federal agencies with specific results of the scans; offer additional risk and vulnerability assessment services at the request of individual agencies; and report to OMB on the identification and mitigation of risks and vulnerabilities across federal agencies’ information systems. According to a DHS official, the department began these scans in February 2015 and has been issuing more than 100 reports per week to federal departments and agencies.