OMB to take central role implementing cyber executive order, acting U.S. CIO says
This story first appeared on CyberScoop.
The White House Office of Management and Budget will be at the center of the Trump administration’s move to modernize and secure federal computer networks, the government’s senior-most IT official said Wednesday.
The agency is at the hinge where several important IT initiatives meet the federal budgeting process, explained acting federal CIO Margie Graves. Not only does it help implement the Federal Information Security Modernization Act, or FISMA, but it also has new tasks under the cybersecurity executive order signed recently.
Under the EO, every federal agency or department has to conduct a risk assessment using the Cybersecurity Framework developed by the National Institute of Standards and Technology, and then submit it to the OMB director and the Homeland Security secretary.
That process, she told the Public Sector Innovation Summit presented by VMware, was the essential underpinning for both security and modernization efforts because it identifies the areas where investment is needed. It also had the added benefit of highlighting where operational needs might have to be overridden by security considerations while modernization is pending.
“Understanding your [IT] assets and understanding your [IT] environment … is the very foundation to be able to make those risk-based decisions and those tradeoffs that you make in operational situations on a daily basis,” she said.
“Even though operational effectiveness and cyber are side-by-side,” she added, “sometimes you have to thread that needle.”
Modernization would proceed, she said, hand in hand with shared services — buying email or storage systems, for instance, for several departments at once.
“IT modernization and shared services … reduce our attack surface … [and] enable us to protect whatever we do with the latest capabilities,” she said.
But it is in the budgeting process that the risk assessments will really add long term value, she explained, and put the OMB at the center of balancing security and resources.
“We’re really key to this,” she said, “not only in terms of managing the FISMA process, the technology side of the equation, but OMB has the power to connect the FISMA requirements and the gaps and the vulnerabilities that we identify [in the risk assessment] — and the solutions that we want to bring forward — back to the federal budget.”
Among the questions the assessments would help the OMB answer, she went on, was “how do we understand the magnitude of the problem in dollars and how do we march down the risk-based approach of buying down that risk with every dollar that we spend.”
“The executive order on IT modernization also feeds into this,” she said, referring to the May 1 document that established an American Technology Council of senior Cabinet-level officials to drive modernization of federal IT.
But the risk assessments, she said, would help officials decide “What should go first.”
“The identification, through the risk management proposals that the agencies are going to turn in, to show us where we should go … which shared services are going to be most advantageous and which cloud services we should pursue first.”
“To have our approach to [IT modernization] informed by that [risk management reporting] is huge … because the two of these have to work together. Modernization … has to be informed by what the risk ultimately is,” she concluded.