Published on February 1st, 2022
Congress wants to overhaul FISMA. Agencies are already measuring security differently
Lawmakers are eyeing reforms to federal cyber standards, but the White House is already starting to ask new questions about how agencies are making progress on cybersecurity.
The changes are laid out in fiscal year 2022 metrics used by the Office of Management and Budget to evaluate agency cybersecurity performance under the Federal Information Security Modernization Act. Agency chief information officers report on the metrics to OMB and the Cybersecurity and Infrastructure Security Agency throughout the year. The data is assessed quarterly and compiled into an annual FISMA report.
The new metrics come as Congress considers the first update to FISMA since 2014. Leaders on the House Oversight and Reform Committee introduced the FISMA 2022 bill last week. The legislation seeks to better align roles and responsibilities for cybersecurity in the executive branch, while also replacing “point-in-time assessments” with a more dynamic set of cyber standards.
But experts said OMB’s and CISA’s FY 22 metrics start to push the government down that path. Published in December, the metrics break away from previous iterations of the guidance, which were organized around the “identify; protect; detect; respond; and recover” framework.
Instead, the metrics were reorganized and injected with new questions, with a major focus on multifactor authentication (MFA) and other priorities laid out in President Joe Biden’s May 2021 cybersecurity executive order.
The FY 22 document asks agencies more than a dozen questions regarding their adoption of multifactor authentication and encryption. Previous iterations of the FISMA metrics have featured just a few questions about the use of two-factor authentication and encryption for high-value assets.
Grant Schneider, former federal chief information security officer and senior director of cybersecurity services at Venable, applauded the granular focus on multifactor authentication, especially the emphasis on methods that are resistant to phishing.
“If I were to consult with an organization, and they could only do one thing, that would be the thing,” Schneider said of phishing-resistant MFA. “Encryption is also really important, being able to be sure that your information is secure while it’s inside the environment.”
The new metrics tie into the Biden administration’s bid to shift agencies to a “zero trust” cybersecurity footing. The concept is a “paradigm shift” and envisions verifying “anything and everything attempting to establish access” to federal data, according to the White House’s zero trust strategy released last week.
The FISMA 2022 bill in the House also seeks to promote “next-generation security principles like a risk-based paradigm, zero trust principles, endpoint detection and response, cloud migration, automation, penetration testing and vulnerability disclosure programs.”
Chris DeRusha, the federal chief information security officer, said new items in the FY 22 metrics like vulnerability disclosure programs, blue teaming and penetration testing are “getting to a greater focus on capabilities that are leading to observable security outcomes.”
“We need to make sure that we’re emphasizing the growth of these capabilities,” DeRusha said in an interview. “And that’s a lot of what the metrics are doing: first taking a temperature of where agencies actually are with those, so we can understand what we may need to do as interventions to help support the build-out of these capabilities.”
OMB’s questions about “ground truth testing” are looking to “go beyond the assumption that generic vulnerability scanning tools are sufficient for testing system security,” the metrics document states.
The metrics ask for information on the use of penetration testing, red team exercises, blue teaming and access to threat intelligence. They also survey agencies about the use of vulnerability disclosure programs after OMB issued new guidance last year encouraging the use of external security researchers.
Renee Wynn, who served as CIO at both the Environmental Protection Agency and then NASA, said the focus on security testing should help agencies tackle both persistent and potentially catastrophic issues.
“Frankly, those were very telling activities that you would do inside your agency,” she said. “Sometimes you’d be really like, ‘Oh, really, we still have that problem?’ And other times, ‘Wow, I’m really glad they found that, because if perhaps a nefarious actor had found that, it might have been pretty problematic.’”
The metrics also ask agencies about their use of logging capabilities. Last August, OMB issued new requirements to ensure agencies were logging and retaining cybersecurity incident data. The Government Accountability Office recently found gaps in log coverage prevented eight agencies from quickly responding to the SolarWinds incident.
OMB is additionally polling agencies about their information security workforce needs for the first time in the metrics. It seeks answers from agencies about how many additional full-time equivalents they require for specific work roles, including forensics analysts, incident responders and secure software assessors, among other roles.
“I’m excited about the workforce questions, because frankly, nothing gets done without people,” Wynn said.
But she noted deliberations over cybersecurity workforce requirements will fall short without the involvement of agency chief human capital officers, who oversee workforce matters at federal agencies.
“Workforce is a great place to be paying attention, but laying it at the feet of the CIOs and CISOs, I’m not a big supporter of that,” Wynn said. “It is a team effort. And chief human capital officers need to be part of these conversations. Their systems need to be tracking this, so all I have to do is push a button, and I get my data to report back to them.”
Overall, the FY 22 document represents a “more dynamic, outcome-focused series of metrics,” according to Ross Nodurft, former chief of OMB’s cyber team and executive director of the Alliance for Digital Innovation.
âThis is a series of metrics that starts to measure things that Congress has been asking agencies to move towards,â he said.
But he also noted the challenge inherent in changing metrics that are used to measure agency progress year-over-year.
“We have to recognize that we’re measuring new things, so we’re not going to get 100% across the board,” Nodurft said. “That doesn’t mean that our security is collapsing around itself. We have to be smart about how we’re understanding and interpreting these metrics.”
John Pescatore, director of emerging security trends at SANS Institute, said the emphasis on multifactor authentication and encryption at agencies is “really important.” But the initial results this year could be “abysmal.”
“And then they’ve got to stick to it and say, ‘No, we’re going to make this happen,’” he said.
Pescatore noted how in the past, the government has led industry in the adoption of security measures like new Internet security protocols.
“If the government could do this for multifactor authentication and data encryption, that would be just huge for the country,” he continued. “If the government starts using strong authentication, then the government contractors have to … and it just grows its use in the marketplace.”