1.6.4 Agency IT Authorities – OMB Guidance
This section consists of language from OMB guidance that further demarcates, expands upon, or clarifies IT authorities assigned to agencies. This language directly or indirectly tasks the CIO with duties or responsibilities pertaining to information security and privacy. See sections on OMB Memoranda and OMB Circulars for more information about these forms of OMB guidance. See sections on Office of Inspector General (OIG) and Government Accountability Office (GAO) to review how compliance with policies is measured.
The following excerpt is from the Privacy and Information Security section in OMB A-130. (OMB Circular A-130. Managing Information as a Strategic Resource. Page 16.)
- Ensure that the SAOP and the agency’s privacy personnel closely coordinate with the agency CIO, senior agency information security officer, and other agency offices and officials, as appropriate.
To provide proper safeguards, agencies shall ensure that the CIO designates a senior agency information security officer to develop and maintain an agency-wide information security program in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). (OMB Circular A-130. Managing Information as a Strategic Resource. Page 18.)
Reporting Pursuant to OMB Circular No. A-130, Appendix I
Appendix I of OMB Circular No. A-130 establishes minimum requirements for Federal information security programs, assigns Federal Agency responsibilities for the security of information and information systems, and links Agency information security programs and Agency management control systems established in accordance with OMB Circular No. A-123. The appendix also establishes requirements for Federal privacy programs, assigns responsibilities for privacy program management, and describes how agencies must take a coordinated approach to implementing information security and privacy controls. (OMB M-16-17. OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. 7/15/2016.)
[Security Budget Estimates]
[Agency budget estimates] should reflect a comprehensive understanding of OMB security policies, such as OMB Circular A-130, and National Institute of Standards and Technology (NIST) guidance, including compliance with the Federal Information Security Modernization Act, and OMB Memorandum M-17-05, Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements, by: (OMB Circular A-11. Preparation, Submission, and Execution of the Budget. Management Improvement Initiatives and Policies. Section 31.8.)
- Reflecting the cost considerations used to calculate IT security costs (see section 51.19);
- Demonstrating that the costs of security controls are understood and are explicitly incorporated in the life-cycle planning of the overall system, including the additional costs of employing standards and guidance more stringent than those issued by NIST;
- Demonstrating how the agency ensures that risks are understood and continually assessed;
- Demonstrating how the agency ensures that the security controls are commensurate with the risk and magnitude of harm;
- Identifying additional security controls for systems that promote or permit public access, other externally accessible systems, and those that are interconnected with systems over which program officials have little or no control; and
- Demonstrating how the agency ensures the effective use of security and privacy controls, as well as authentication tools to protect privacy for those systems that promote or permit public access.
Once the agency determines that an information system contains Personal Identifiable Information (PII), the agency must then consider the privacy risks and the associated risk to agency operations, agency assets, individuals, other organizations, and the Nation. When considering privacy risks, the agency must consider the risks to an individual or individuals associated with the agency’s creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of their PII. (OMB M-16-17. OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. 7/15/2016. Page 44.)
Privacy Impact Assessments (PIA)
As a general matter, an agency must conduct a privacy impact assessment (PIA) under section 208(b) of the E-Government Act of 2002, absent an applicable exception under that section, when the agency develops, procures, or uses information technology to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII. Moreover, a PIA is not a time- restricted activity that is limited to a particular milestone or stage of the information system or PII life cycles. Rather, the privacy analysis must continue throughout the information system and PII life cycles. (Ibid.)
Risk Management Framework
Agencies’ privacy programs have responsibilities under the Risk Management Framework. The Risk Management Framework provides a disciplined and structured process that integrates information security, privacy, and risk management activities into the information system development life cycle. Agencies should refer to OMB Circular No. A-130 for more detailed guidance regarding the role of agencies’ privacy programs under the Risk Management Framework (OMB M-16-17. OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. 7/15/2016. Page 46). The CIO Council and the Cyber-ERM Community of Interest updated the Federal ERM Playbook and added a chapter on Cyber-ERM Integration. The chapter provides foundations of Information Security and Cybersecurity that identifies integration points with physical security, addresses privacy, cyber supply-chain risk, incorporates NIST standards, addresses FISMA audits and “enterprise” scope, and other information related to terms, roles, responsibilities and communication flow.
[Privacy Budget Estimates]
- Demonstrate [awareness] of applicable privacy requirements and has fully assessed he cost to the agency for ensuring compliance with those requirements and managing privacy risks;
- [Reflect the inventory] of information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of personally identifiable information; and
- [Reflect the consideration of privacy] continuous monitoring strategy and the resources and associated costs required to ensure that privacy controls are effectively monitored on an ongoing basis at an assessment frequency sufficient to ensure compliance with applicable privacy requirements and to manage privacy risks. (OMB Circular A-11. Preparation, Submission, and Execution of the Budget. Section 31.8. 2020.)
Designation of the [SAOP]
The head of the agency is ultimately responsible for ensuring that privacy interests are protected and that PII is managed responsibly within the agency.
To ensure that agencies effectively carry out the privacy-related functions described in law and OMB policies, Executive Order 13719 requires the head of each agency to designate or re- designate an SAOP who has agency-wide responsibility and accountability for the agency’s privacy program. (OMB M-16-24. Role and Designation of Senior Agency Officials for Privacy. 9/15/2016.)
[SAOP Reporting Requirements]
Given the importance of privacy, as highlighted in policies such as OMB Circular A-130, Managing Information as a Strategic Resource, and OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, agencies must take appropriate measures to comply with privacy requirements and manage privacy risks.
- SAOPs are required to report annually and must submit each of the following items as separate documents through CyberScope: (OMB M-20-04. Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements. 11/19/2019.)
- The agency’s privacy program plan;
- A description of any changes made to the agency’s privacy program during the reporting period, including changes in leadership, staffing, structure, and organization;
- The agency’s breach response plan;
- The agency’s privacy continuous monitoring strategy;
- The Uniform Resource Locator (URL) for the agency’s privacy program page, as well as the URL for any other sub-agency, component, and/or program-specific privacy program pages; and,
- The agency’s written policy to ensure that any new collection or use of Social Security numbers (SSNs) is necessary, along with a description of any steps the agency took during the reporting period to explore alternatives to the use of SSNs as a personal identifier.
High Value Asset (HVA) Program
While the HVA initiative is compatible with and must leverage existing policies and guidelines regarding IT assets, such as those listed above, agencies must also consider their HVA risks from a strategic enterprise-wide perspective. As such, the agency HVA process described herein requires explicit consideration of the following factors:
- Agencies’ assessment of risk should not be limited to IT and other technical considerations. HVA risk assessments should incorporate operational, business, mission, and continuity considerations. All key stakeholders of an agency, to include the CFO, CAO, [SAOP], mission, business, and policy owners as well as the CIO and [CISO] organizations, should be engaged in evaluating HVA risks.
- Agencies’ assessment of risk should consider not just the risk that an HVA poses to the agency itself, but also the risk of interconnectivity and interdependencies leading to significant adverse impact on the functions, operations, and mission of other agencies.
The Agency HVA Process
Agencies must take a strategic enterprise-wide view of risk that accounts for all critical business and mission functions when identifying HVAs (OMB M-17-09. Management of Federal High Value Assets. 12/9/2016). HVAs are those assets, Federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification or destruction could cause significant impact to the United States’ nations security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people. Agencies [must establish] appropriate governance of HVA activities across the enterprise and should integrate HVA remediation activities into agency planning, programming, budgeting, and execution processes. These efforts must align with OMB policy, Federal law and regulations, Federal standards and guidelines, and agency policies, processes, and procedures. (Ibid.) For complete details on the agency HVA process see the memo.
Information Security Management
Information Security and Privacy Program Oversight and FISMA Reporting Requirements
[OMB and DHS use] CIO and IG metrics to compile the Annual FISMA Report to Congress and may use this reporting to compile agency-specific or government-wide risk management assessments as part of an ongoing effort in support of Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
At a minimum, CFO Act agencies must update their CIO Metrics quarterly and non-CFO Act agencies must update their CIO metrics on a semiannual basis. Reflecting the Administration’s shift from compliance to risk management, as well as the guidance and requirements outlined in OMB Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program, and Binding Operational Directive 18-02, Securing High Value Assets, CIO Metrics are not limited to assessments and capabilities within [NIST] security baselines, and agency responses should reflect actual implementation levels. Although FISMA requires an annual IG assessment, OMB strongly encourages CIOs and IGs to discuss the status of information security programs throughout the year.
Cybersecurity Reporting: Overview and Purpose
On May 11, 2017, the President signed the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which outlines a number of actions to enhance cybersecurity across Federal agencies and critical infrastructure partners. Section 1 of the Executive Order reinforces the Federal Information Security Modernization Act of 2014 (FISMA) by holding agency heads accountable for managing the cybersecurity risks to their enterprises. This Memorandum provides implementing guidance on actions required in Section 1 of the Executive Order. (OMB M-17-25. Reporting Guidance for Reporting Progress on Executive Order on Strengthening the Cybersecurity of Federal Network and Critical Infrastructure. 5/19/2017.)
Policy to Require Secure Connections across Federal Websites and Web Services
OMB Memorandum M-15-13 requires that all publicly accessible Federal websites and web service only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS).
[To] promote the efficient and effective deployment of HTTPS, the timeframe for [compliance is outlined below]. This Memorandum requires that Federal agencies deploy HTTPS on their domains using the following guidelines. (OMB M-15-13. Policy to Require Secure Connections across Federal Websites and Web Services. 6/8/2015.)
- Newly developed websites and services at all Federal agency domains or subdomains must adhere to this policy upon launch.
- For existing websites and services, agencies should prioritize deployment using a risk- based analysis. Web services that involve an exchange of personally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high-level of traffic should receive priority and migrate as soon as possible.
- Agencies [should have made] all existing websites and services accessible through a secure connection (HTTPS-only, with HTTP Strict Transport Security (HSTS)) by December 31, 2016.
- The use of HTTPS is encouraged on intranets, but not explicitly required.
FISMA Reporting and Agency Privacy Management
OMB requires that the head of each agency submit, as part of the agency’s annual report, a signed electronic copy of an official letter to CyberScope providing a comprehensive overview reflecting his or her assessment of the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of the Federal Information Security Modernization Act (FISMA) for the agency. (OMB M-14-04. Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. 11/18/2013.)
Below are activities explicitly outlined in FISMA:
DHS will [conduct] annual interviews with agencies’ CIO and [CISO] based on their agency’s security posture. Each interview session has three distinct goals:
- Assessing progress towards the administration cybersecurity priorities and other FISMA compliance and challenges;
- Identifying security best practices and raising awareness of FISMA reporting requirements; and
- Establishing meaningful dialogue with the agency’s senior leadership.
Submit Privacy Documents
As part of the annual report, Senior Agency Officials for Privacy are to submit the following documents through CyberScope:
- Description of the agency’s privacy training for employees and contractors;
- Breach notification policy;
- Progress update on eliminating unnecessary use of Social Security Numbers; and
- Progress update on the review and reduction of holdings of personally identifiable information. (Ibid.)
OMB [requires] agencies to submit these four privacy documents whether or not the documents have changed from versions submitted in previous years.
Information Security Continuous Monitoring (ISCM)
To fully implement ISCM across the Government, agencies shall: 1) Develop and maintain, consistent with existing statutes, OMB policy, NIST guidelines and the CONOPS, an ISCM strategy, and establish an ISCM program that: a. Provides a clear understanding of organizational risk and helps officials set priorities and manage such risk consistently throughout the agency; and b. Addresses how the agency [conducts] ongoing authorizations of information systems and the environments in which those systems operate, including the agency’s use of common controls. (OMB M-14-03. Enhancing the Security of Federal Information and Information Systems. 11/18/2013.)
Federal Information Security Management Act (FISMA) Agency Reporting Activities
To comply with this guidance, [agencies carry out] the following activities:
- Establish monthly data feeds to CyberScope;
- Respond to security posture questions; and
- Participate in CyberStat accountability sessions and agency interviews.
CyberScope is the platform for the FISMA reporting process. Agencies should note that a Personal Identity Verification card, compliant with Homeland Security Presidential Directive 12 is required for access to CyberScope. No FISMA submissions [are] accepted outside of CyberScope. For information related to CyberScope, please visit: http://max.omb.gov. (The website MAX.gov is only accessible to federal employees.) CIOs, Inspectors General, and Senior Agency Officials for Privacy [all] report through CyberScope. Micro agencies (According to M-11-33, micro agencies are agencies employing 100 or fewer full time equivalents (FTEs)) [also] report using this automated collection tool. (OMB M-11-33. FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. 9/14/2011).
Agency Implementation of Identify Credentialing and Access Management (ICAM)
[In] line with the Federal Government’s updated approach to modernization, it is essential that agencies’ ICAM strategies and solutions shift from the obsolete Levels of Assurance (LOA) model towards a new model informed by risk management perspectives, the Federal resource accessed, and outcomes aligned to agency missions. To set the foundation for identity management and its usage to access physical and digital resources, agencies must implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3 and any successive versions (hereafter referred to as NIST SP 800-63). (OMB M-19-17. Enabling Mission Delivery through Improved Identity, Credential, and Access Management, 5/21/2019.)
[Telework Security Guidelines]
Agencies are expected to implement security telework policies to best suit their unique needs. At a minimum, agency policies must comply with FISMA requirements and address the following: (OMB M 11-27. Implementing the Telework Enhancement Act of 2010: Security Guidelines. 07/15/2011.)
- Controlling access to agency information and information systems;
- Protecting agency information (including personally identifiable information) and information systems;
- Limiting the introduction of vulnerabilities;
- Protecting information systems not under the control of the agency that are used for teleworking;
- Safeguarding wireless and other telecommunications capabilities that are used for teleworking; and
- Preventing inappropriate use of official time or resources that violates subpart G of the Standards of Ethical Conduct for Employees of the Executive Branch by viewing, downloading, or exchanging pornography, including child pornography.
[Telework Security Point of Contact]
Agency CIOs must identify a technical point of contact to DHS (FISMA.FNS@dhs.gov) to aid with the implementation of telework security requirements. This point of contact will serve as a technical manager and must have operational and technical expertise to implement the [Telework Enhancement Act] within the agency. (Ibid.)