Inside the Reporter's Notebook: OMB adds clarity to new cyber policy; Cyber risks during shutdown overstated; OASIS delayed indefinitely

Friday - 10/4/2013, 4:36pm EDT

"Inside the Reporter's Notebook" is a biweekly dispatch of news and information you may have missed or that slipped through the cracks at conferences, hearings and the like.

This is not a column nor commentary. It's news tidbits, strongly sourced buzz and other items of interest that have happened or are happening in the federal IT and acquisition communities.

As always, I encourage you to submit ideas, suggestions, and, of course, news to me at

The Office of Management and Budget is finalizing new cybersecurity guidance, the first major policy in more than three years.

Industry and government sources confirm OMB Director Sylvia Burwell is reviewing the new policy that would tell agencies how to implement federal information system continuous monitoring (FISCM).

Notice the change here. It's no longer just "continuous monitoring"; OMB is clarifying what agencies will continuously monitor. In this case, it's only federal systems, meaning the dot-gov network.

Several sources confirmed that OMB had the document ready to go a few weeks ago, but senior officials expressed concern over the term "continuous monitoring" without a modifier. Call it fallout from the Edward Snowden situation.

Sources say OMB pulled the memo back from being published and re-reviewed it to specifically address any concerns over what types of systems and information agencies will monitor.

Industry and government sources applauded OMB's foresight on this point. Those in the general media and public who are unfamiliar with what continuous monitoring means and how it works could have raised a huge uproar over something that is fairly benign.

Sources say OMB adopted the information system continuous monitoring designation from the National Institute of Standards and Technology's Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, which helps agencies develop and implement a continuous monitoring program.

Of course, a change like that flows down several layers and into other policies and standards, which is a major reason for the delay in releasing the new policy.

Sources say the policy is fairly long, more than 10 pages, and addresses all aspects of implementing FISCM.

OMB will release the policy just as the Homeland Security Department is getting its blanket purchase agreement for Continuous Diagnostics and Mitigation (CDM) services up and running.

DHS awarded the contract to 17 vendors in early August. The vendors will provide tools, hardware and software to implement continuous monitoring as a service (CMaaS).

Suzanne Spaulding, the nominee to be DHS's under secretary of the National Protection and Programs Directorate (NPPD), testified last week during her nomination hearing that the CDM program faces budget and legislative hurdles. A DHS official said after the hearing that all 23 civilian CFO Act agencies have signed agreements to implement continuous monitoring.

And speaking of cybersecurity, there has been a lot of focus — and vendor pitches — about what would happen to agency system security during the shutdown.

Federal Chief Information Officer and acting Deputy Director for Management at OMB Steve VanRoekel even gave The Wall Street Journal an interview on the potential cyber problems created by the government shutdown.

But is there really any increased risk to federal systems?

Several cyber experts with years of experience in the federal market say it's all a bunch of hooey, a technical term, I'm told.

One small agency chief information officer said they asked staff before the shutdown which systems were absolutely essential, and the skeleton staff is actively monitoring only those applications.

But the CIO, who requested anonymity in order to speak to the press, also said the chief information security officer and other key federal security employees at their agency are essential employees, and all contractors running their network operations center (NOC) are at work during the shutdown. The CIO said their agency ensured there was enough funding under the contract to keep the NOC running at least through the end of October.

As for the systems that were not deemed vital, the NOC is still paying close attention and will fix any cyber vulnerabilities. But the CIO said that if a server fails or an application needs an update unrelated to cybersecurity, that may have to wait until after the shutdown.

Another industry cyber expert said agencies keep the most talented and important cybersecurity employees on during the shutdown.

"You actually get a glorious understanding of who matters and what you can do without during the shutdown," said the industry expert, who requested anonymity in order to speak more candidly. "The guys running the systems do know who is good and who isn't, but it doesn't do them any good to tell people during a non-shutdown time."