Cybersecurity legislation might have failed, a potential cyber executive order might be facing opposition, budgets might be stretched thin, but that doesn’t mean that federal cybersecurity can’t be greatly improved.
A report released by the Center for Strategic and International Studies suggests the Office of Management and Budget (OMB) take action to direct agencies to reallocate resources dedicated to cybersecurity. Three of the five authors of the report are former OMB officials, and sources said that the proposal is likely to be taken up by the agency.
The proposal is based on a suggestion that OMB rewrite the guidelines included in OMB Circular A-130, a document that directs agencies to produce a variety of reports based on other federal obligations. The authors suggest that eliminating some of these reports — in particular Federal Information Security Management Act reports, which cyber experts have long criticized as a waste of time and money — and redirecting the savings toward continuous monitoring and other security solutions could greatly improve security at no additional cost.
“The rationale for the report is that a lot of us concluded a long time ago that we were spending a lot of money doing triennial reviews and certifications and accreditations that were not particularly security enhancing,” said Franklin Reeder, former chief of information policy at OMB and one of the report’s authors. “This was resulting in wasting agency resources that weren’t improving security, and the problem was being exacerbated by IGs [inspectors general] that tend to look at agencies in terms of compliance.”
Reeder said the group looked at the landscape and decided that a policy shift by OMB would be the best technique to effect change.
“We were uncertain, even pessimistic, about the prospects for legislation, and on the federal side we didn’t think it was even necessary,” Reeder said. “That isn’t to say that we don’t think that legislation is necessary; it’s just that to deal with this piece of the problem, it isn’t necessary. We hope that this would complement any executive order that the administration is cooking.”
The report, “Updating U.S. Federal Cybersecurity Policy and Guidance,” while focused on revising A-130, also includes suggestions to reorganize the Department of Homeland Security, as well as continued efforts to share information with the intelligence community.
The authors say the OMB policy shift, the backbone of the suggestion, requires no additional authority and could take effect in 2013 because it does not require new budget authority.
“As we looked at it, we thought that OMB had ample authority under the current statute to shift the focus of cybersecurity management away from reviews and other less productive approaches to continuous monitoring,” said Reeder, who is the co-founder and director of the Center for Internet Security and the National Board of Information Security Examiners.
Reeder said he’s confident that the report will get traction with current OMB officials.
“We’ve had policy discussions with some at OMB, and no one has thrown us out of the room and told us that we’re crazy.”