This section consists of language from OMB guidance that further demarcates, expands upon, or otherwise clarifies the responsibilities of agency CIOs with regards to information security and privacy. See sections on OMB Memoranda and OMB Circulars for more information about these forms of OMB guidance. See sections on Office of Inspector General (OIG) and Government Accountability Office (GAO) to review how compliance with policies is measured.
Personal Identifiable Information (PII) Breach Notification
The agency’s [SAOP] as well as other senior agency officials, managers, and staff who help evaluate the risk of harm to individuals potentially affected by a breach are responsible for breach notification. In addition, sections of this Memorandum are relevant for an agency’s [CIO], Senior Agency Information Security Officers (e.g., [CISO]), and other information technology (IT) and cybersecurity staff who participate in breach response activities.
Contracts and Contractor Requirements for Breach Response
In addition, the SAOP and CIO shall ensure that the agency’s breach response plan and system security authorization documentation clearly define the roles and responsibilities of contractors that operate Federal information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII on behalf of the agency.
Identifying Logistical and Technical Support to Respond to a Breach
When identifying technical support to respond to a breach, the CIO shall identify technical remediation and forensic analysis capabilities that exist within the agency and which offices are responsible for maintaining those capabilities. Depending on the size, missions, and structure of each agency, the CIO may find the necessary expertise and technical support within the agency. As a part of this process, however, the CIO may identify gaps in the agency’s technical capabilities and therefore should communicate with the CAO and other agency officials on the need to enter into contracts or to explore other options for ensuring that certain functions are immediately available during a time-sensitive response. Additionally, while the SAOP might not lead the technical team, the SAOP should understand the ability of the agency to gather, analyze, and preserve the evidence necessary to support an investigation and identify and assess the risk of harm to potentially affected individuals. The CIO, in coordination with the SAOP, should also consider whether other Federal agencies can support the agency in the event of a breach. Agencies may request technical assistance from US-CERT. In addition, GSA may have BPAs and other guidance for agencies to procure technical services to assist with responding to a breach. (Note: for a complete list of all SAOP requirements see the full memo). (OMB M-17-12. Preparing for and Responding to a Breach of Personally Identifiable Information. 1/3/2017.)
Trusted Internet Connections (TIC) Agency Implementation
[For] TIC program updates to achieve the goal of diversifying technology options for agencies while retaining strong protections for Federal systems and information, OMB, DHS, and the agencies themselves, need to have details of the technologies and defenses deployed across Federal networks. As such, agency CIOs shall maintain an accurate inventory of agency network connections, including details on the service provider, cost, capacity, traffic volume, logical/physical configurations, and topological data for each connection in the event OMB, DHS, or others request this information to assist with government-wide cybersecurity incident response or other cybersecurity matters.
Within one year of the release of this memorandum, agencies shall complete updates to their own network and system boundary policies to reflect this memorandum, including guidance regarding potential pilots. Agencies will identify which TIC Use Case will be allowed for the agency. OMB and DHS will track agency implementation through the Federal Information Security Modernization Act of 2014 (FISMA) reporting. (OMB M-19-26. Update to the Trusted Internet Connections (TIC) Initiative. 9/19/2019.)
Cybersecurity Strategy and Implementation Plan (CSIP)
The CSIP is the result of a comprehensive review of the Federal Government’s cybersecurity policies, procedures, and practices by the Sprint Team (A 30-day Cybersecurity Sprint Team led by OMB and was comprised of representatives from the National Security Council (NSC), the Department of Homeland Security (DHS), the Department of Defense (DoD), and other Federal civilian and defense agencies). The goal was to identify and address critical cybersecurity gaps and emerging priorities and make specific recommendations to address those gaps and priorities. The CSIP will strengthen Federal civilian cybersecurity through the following five objectives:
Specifically, the CSIP’s key actions include:
Agency CIOs must identify a technical point of contact to DHS (FISMA.FNS@dhs.gov) to aid with the implementation of telework security requirements. This point of contact will serve as a technical manager and must have operational and technical expertise to implement the Act within the agency. (OMB M-11-27. Implementing the Telework Enhancement Act of 2010: Security Guidelines. 7/15/2011.)