This section consists of language from OMB guidance that further demarcates, expands upon, or clarifies IT authorities assigned to agencies. This language directly or indirectly tasks the CIO with duties or responsibilities pertaining to information security and privacy. See sections on OMB Memoranda and OMB Circulars for more information about these forms of OMB guidance. See sections on Office of Inspector General (OIG) and Government Accountability Office (GAO) to review how compliance with policies is measured.
The following excerpt is from the Privacy and Information Security section in OMB A-130. (OMB Circular A-130. Managing Information as a Strategic Resource. Page 16.)
To provide proper safeguards, agencies shall ensure that the CIO designates a senior agency information security officer to develop and maintain an agency-wide information security program in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). (OMB Circular A-130. Managing Information as a Strategic Resource. Page 18.)
Reporting Pursuant to OMB Circular No. A-130, Appendix I
Appendix I of OMB Circular No. A-130 establishes minimum requirements for Federal information security programs, assigns Federal Agency responsibilities for the security of information and information systems, and links Agency information security programs and Agency management control systems established in accordance with OMB Circular No. A-123. The appendix also establishes requirements for Federal privacy programs, assigns responsibilities for privacy program management, and describes how agencies must take a coordinated approach to implementing information security and privacy controls. (OMB M-16-17. OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. 7/15/2016.)
[Security Budget Estimates]
[Agency budget estimates] should reflect a comprehensive understanding of OMB security policies, such as OMB Circular A-130, and National Institute of Standards and Technology (NIST) guidance, including compliance with the Federal Information Security Modernization Act, and OMB Memorandum M-17-05, Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements, by: (OMB Circular A-11. Preparation, Submission, and Execution of the Budget. Management Improvement Initiatives and Policies. Section 31.8.)
Once the agency determines that an information system contains Personal Identifiable Information (PII), the agency must then consider the privacy risks and the associated risk to agency operations, agency assets, individuals, other organizations, and the Nation. When considering privacy risks, the agency must consider the risks to an individual or individuals associated with the agency’s creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of their PII. (OMB M-16-17. OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. 7/15/2016. Page 44.)
Privacy Impact Assessments (PIA)
As a general matter, an agency must conduct a privacy impact assessment (PIA) under section 208(b) of the E-Government Act of 2002, absent an applicable exception under that section, when the agency develops, procures, or uses information technology to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII. Moreover, a PIA is not a time- restricted activity that is limited to a particular milestone or stage of the information system or PII life cycles. Rather, the privacy analysis must continue throughout the information system and PII life cycles. (Ibid.)
Risk Management Framework
Agencies’ privacy programs have responsibilities under the Risk Management Framework. The Risk Management Framework provides a disciplined and structured process that integrates information security, privacy, and risk management activities into the information system development life cycle. Agencies should refer to OMB Circular No. A-130 for more detailed guidance regarding the role of agencies’ privacy programs under the Risk Management Framework (OMB M-16-17. OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. 7/15/2016. Page 46). The CIO Council and the Cyber-ERM Community of Interest updated the Federal ERM Playbook and added a chapter on Cyber-ERM Integration. The chapter provides foundations of Information Security and Cybersecurity that identifies integration points with physical security, addresses privacy, cyber supply-chain risk, incorporates NIST standards, addresses FISMA audits and “enterprise” scope, and other information related to terms, roles, responsibilities and communication flow.
[Privacy Budget Estimates]
Designation of the [SAOP]
The head of the agency is ultimately responsible for ensuring that privacy interests are protected and that PII is managed responsibly within the agency.
To ensure that agencies effectively carry out the privacy-related functions described in law and OMB policies, Executive Order 13719 requires the head of each agency to designate or re- designate an SAOP who has agency-wide responsibility and accountability for the agency’s privacy program. (OMB M-16-24. Role and Designation of Senior Agency Officials for Privacy. 9/15/2016.)
[SAOP Reporting Requirements]
Given the importance of privacy, as highlighted in policies such as OMB Circular A-130, Managing Information as a Strategic Resource, and OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, agencies must take appropriate measures to comply with privacy requirements and manage privacy risks.
High Value Asset (HVA) Program
While the HVA initiative is compatible with and must leverage existing policies and guidelines regarding IT assets, such as those listed above, agencies must also consider their HVA risks from a strategic enterprise-wide perspective. As such, the agency HVA process described herein requires explicit consideration of the following factors:
The Agency HVA Process
Agencies must take a strategic enterprise-wide view of risk that accounts for all critical business and mission functions when identifying HVAs (OMB M-17-09. Management of Federal High Value Assets. 12/9/2016). HVAs are those assets, Federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification or destruction could cause significant impact to the United States’ nations security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people. Agencies [must establish] appropriate governance of HVA activities across the enterprise and should integrate HVA remediation activities into agency planning, programming, budgeting, and execution processes. These efforts must align with OMB policy, Federal law and regulations, Federal standards and guidelines, and agency policies, processes, and procedures. (Ibid.) For complete details on the agency HVA process see the memo.
Information Security Management
Information Security and Privacy Program Oversight and FISMA Reporting Requirements
[OMB and DHS use] CIO and IG metrics to compile the Annual FISMA Report to Congress and may use this reporting to compile agency-specific or government-wide risk management assessments as part of an ongoing effort in support of Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
At a minimum, CFO Act agencies must update their CIO Metrics quarterly and non-CFO Act agencies must update their CIO metrics on a semiannual basis. Reflecting the Administration’s shift from compliance to risk management, as well as the guidance and requirements outlined in OMB Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program, and Binding Operational Directive 18-02, Securing High Value Assets, CIO Metrics are not limited to assessments and capabilities within [NIST] security baselines, and agency responses should reflect actual implementation levels. Although FISMA requires an annual IG assessment, OMB strongly encourages CIOs and IGs to discuss the status of information security programs throughout the year.
Cybersecurity Reporting: Overview and Purpose
On May 11, 2017, the President signed the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which outlines a number of actions to enhance cybersecurity across Federal agencies and critical infrastructure partners. Section 1 of the Executive Order reinforces the Federal Information Security Modernization Act of 2014 (FISMA) by holding agency heads accountable for managing the cybersecurity risks to their enterprises. This Memorandum provides implementing guidance on actions required in Section 1 of the Executive Order. (OMB M-17-25. Reporting Guidance for Reporting Progress on Executive Order on Strengthening the Cybersecurity of Federal Network and Critical Infrastructure. 5/19/2017.)
Policy to Require Secure Connections across Federal Websites and Web Services
OMB Memorandum M-15-13 requires that all publicly accessible Federal websites and web service only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS).
[To] promote the efficient and effective deployment of HTTPS, the timeframe for [compliance is outlined below]. This Memorandum requires that Federal agencies deploy HTTPS on their domains using the following guidelines. (OMB M-15-13. Policy to Require Secure Connections across Federal Websites and Web Services. 6/8/2015.)
FISMA Reporting and Agency Privacy Management
OMB requires that the head of each agency submit, as part of the agency’s annual report, a signed electronic copy of an official letter to CyberScope providing a comprehensive overview reflecting his or her assessment of the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of the Federal Information Security Modernization Act (FISMA) for the agency. (OMB M-14-04. Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. 11/18/2013.)
Below are activities explicitly outlined in FISMA:
Submit Privacy Documents
As part of the annual report, Senior Agency Officials for Privacy are to submit the following documents through CyberScope:
OMB [requires] agencies to submit these four privacy documents whether or not the documents have changed from versions submitted in previous years.
Information Security Continuous Monitoring (ISCM)
To fully implement ISCM across the Government, agencies shall: 1) Develop and maintain, consistent with existing statutes, OMB policy, NIST guidelines and the CONOPS, an ISCM strategy, and establish an ISCM program that: a. Provides a clear understanding of organizational risk and helps officials set priorities and manage such risk consistently throughout the agency; and b. Addresses how the agency [conducts] ongoing authorizations of information systems and the environments in which those systems operate, including the agency’s use of common controls. (OMB M-14-03. Enhancing the Security of Federal Information and Information Systems. 11/18/2013.)
Federal Information Security Management Act (FISMA) Agency Reporting Activities
To comply with this guidance, [agencies carry out] the following activities:
CyberScope is the platform for the FISMA reporting process. Agencies should note that a Personal Identity Verification card, compliant with Homeland Security Presidential Directive 12 is required for access to CyberScope. No FISMA submissions [are] accepted outside of CyberScope. For information related to CyberScope, please visit: https://max.omb.gov. (The website MAX.gov is only accessible to federal employees.) CIOs, Inspectors General, and Senior Agency Officials for Privacy [all] report through CyberScope. Micro agencies (According to M-11-33, micro agencies are agencies employing 100 or fewer full time equivalents (FTEs)) [also] report using this automated collection tool. (OMB M-11-33. FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. 9/14/2011).
Agency Implementation of Identify Credentialing and Access Management (ICAM)
[In] line with the Federal Government’s updated approach to modernization, it is essential that agencies’ ICAM strategies and solutions shift from the obsolete Levels of Assurance (LOA) model towards a new model informed by risk management perspectives, the Federal resource accessed, and outcomes aligned to agency missions. To set the foundation for identity management and its usage to access physical and digital resources, agencies must implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3 and any successive versions (hereafter referred to as NIST SP 800-63). (OMB M-19-17. Enabling Mission Delivery through Improved Identity, Credential, and Access Management, 5/21/2019.)
[Telework Security Guidelines]
Agencies are expected to implement security telework policies to best suit their unique needs. At a minimum, agency policies must comply with FISMA requirements and address the following: (OMB M 11-27. Implementing the Telework Enhancement Act of 2010: Security Guidelines. 07/15/2011.)
[Telework Security Point of Contact]
Agency CIOs must identify a technical point of contact to DHS (FISMA.FNS@dhs.gov) to aid with the implementation of telework security requirements. This point of contact will serve as a technical manager and must have operational and technical expertise to implement the [Telework Enhancement Act] within the agency. (Ibid.)