1.6.2 CIO Responsibilities – OMB Guidance
This section consists of language from OMB guidance that further demarcates, expands upon, or otherwise clarifies the responsibilities of agency CIOs with regard to information security and privacy. See the sections on OMB Memoranda and OMB Circulars for more information about these forms of OMB guidance. See the sections on the Office of Inspector General (OIG) and the Government Accountability Office (GAO) to review how compliance with policies is measured.
Personally Identifiable Information (PII) Breach Notification
The agency’s [SAOP] as well as other senior agency officials, managers, and staff who help evaluate the risk of harm to individuals potentially affected by a breach are responsible for breach notification. In addition, sections of this Memorandum are relevant for an agency’s [CIO], Senior Agency Information Security Officers (e.g., [CISO]), and other information technology (IT) and cybersecurity staff who participate in breach response activities.
Contracts and Contractor Requirements for Breach Response
In addition, the SAOP and CIO shall ensure that the agency’s breach response plan and system security authorization documentation clearly define the roles and responsibilities of contractors that operate Federal information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII on behalf of the agency.
Identifying Logistical and Technical Support to Respond to a Breach
When identifying technical support to respond to a breach, the CIO shall identify technical remediation and forensic analysis capabilities that exist within the agency and which offices are responsible for maintaining those capabilities. Depending on the size, missions, and structure of each agency, the CIO may find the necessary expertise and technical support within the agency. As a part of this process, however, the CIO may identify gaps in the agency’s technical capabilities and therefore should communicate with the CAO and other agency officials on the need to enter into contracts or to explore other options for ensuring that certain functions are immediately available during a time-sensitive response. Additionally, while the SAOP might not lead the technical team, the SAOP should understand the ability of the agency to gather, analyze, and preserve the evidence necessary to support an investigation and identify and assess the risk of harm to potentially affected individuals. The CIO, in coordination with the SAOP, should also consider whether other Federal agencies can support the agency in the event of a breach. Agencies may request technical assistance from US-CERT. In addition, GSA may have BPAs and other guidance for agencies to procure technical services to assist with responding to a breach. (Note: for a complete list of all SAOP requirements see the full memo). (OMB M-17-12. Preparing for and Responding to a Breach of Personally Identifiable Information. 1/3/2017.)
Trusted Internet Connections (TIC) Agency Implementation
[For] TIC program updates to achieve the goal of diversifying technology options for agencies while retaining strong protections for Federal systems and information, OMB, DHS, and the agencies themselves need to have details of the technologies and defenses deployed across Federal networks. As such, agency CIOs shall maintain an accurate inventory of agency network connections, including details on the service provider, cost, capacity, traffic volume, logical/physical configurations, and topological data for each connection in the event OMB, DHS, or others request this information to assist with government-wide cybersecurity incident response or other cybersecurity matters.
Within one year of the release of this memorandum, agencies shall complete updates to their own network and system boundary policies to reflect this memorandum, including guidance regarding potential pilots. Agencies will identify which TIC Use Case will be allowed for the agency. OMB and DHS will track agency implementation through the Federal Information Security Modernization Act of 2014 (FISMA) reporting. (OMB M-19-26. Update to the Trusted Internet Connections (TIC) Initiative. 9/19/2019.)
Cybersecurity Strategy and Implementation Plan (CSIP)
The CSIP is the result of a comprehensive review of the Federal Government’s cybersecurity policies, procedures, and practices by the Sprint Team (a 30-day Cybersecurity Sprint Team led by OMB and comprised of representatives from the National Security Council (NSC), the Department of Homeland Security (DHS), the Department of Defense (DoD), and other Federal civilian and defense agencies). The goal was to identify and address critical cybersecurity gaps and emerging priorities and make specific recommendations to address those gaps and priorities. The CSIP will strengthen Federal civilian cybersecurity through the following five objectives:
- Prioritized Identification and Protection of high value information and assets;
- Timely Detection of and Rapid Response to cyber incidents;
- Rapid Recovery from incidents when they occur, and Accelerated Adoption of lessons learned from the Sprint assessment;
- Recruitment and Retention of the most highly qualified Cybersecurity Workforce talent the Federal Government can bring to bear; and
- Efficient and Effective Acquisition and Deployment of Existing and Emerging Technology. (OMB M-16-04. Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. 10/30/2015.)
Specifically, the CSIP’s key actions include:
- All agencies will continue to identify their high value assets (HVAs) and critical system architecture in order to understand the potential impact to those assets from a cyber incident and ensure robust physical and cybersecurity protections are in place. The identification of HVAs will be an ongoing activity due to the dynamic nature of cybersecurity risks.
- All agencies will improve the identity and access management of user accounts on Federal information systems to drastically reduce vulnerabilities and successful intrusions.
- CIOs and [CISOs] will also have direct responsibility and accountability for implementation of the CSIP, consistent with their role of ensuring the identification and protection of their agency’s critical systems and information. (Ibid.)
Agency CIOs must identify a technical point of contact to DHS (FISMA.FNS@dhs.gov) to aid with the implementation of telework security requirements. This point of contact will serve as a technical manager and must have operational and technical expertise to implement the Act within the agency. (OMB M-11-27. Implementing the Telework Enhancement Act of 2010: Security Guidelines. 7/15/2011.)