OMB alumni to suggest revisions to cyber section of A-130

Friday - 6/1/2012, 5:43am EDT

Jason Miller, executive editor, Federal News Radio


With the Senate's efforts to pass a comprehensive cyber bill stuck in neutral, the Office of Management and Budget is laying the groundwork for significant reforms to federal cyber policy.

Three OMB alumni and other experts are offering their suggestions to OMB as part of its effort to revise Circular A-130, specifically the cybersecurity appendix, which is about 10 years old.

Frank Reeder, president of the Reeder Group and a former OMB official, said the group is specifically looking at areas that the Commission on Cybersecurity for the 44th President, which was led by the Center for Strategic and International Studies, didn't address.

"It was our view that a lot could be done using existing authorities," Reeder said during a presentation Thursday at the Information Security and Privacy Advisory Board meeting at the National Institute of Standards and Technology headquarters in Gaithersburg, Md. "We've been engaged in conversations with a number of folks inside the executive branch, who have been very supportive of what we are doing, and they are certainly interested in what we have to say as it supports the work that is already underway at OMB to revise the circular."

An OMB spokeswoman declined to comment on the effort to update A-130.

Still, Reeder said his group expects to submit its white paper with recommendations to OMB this summer. He said he is unsure of OMB's timeframe to release a revised draft circular.

Reeder; Karen Evans, the former OMB administrator for e-government and IT; and Dan Chenok, a former branch chief with OMB's Office of Information and Regulatory Affairs, presented ideas on how to improve A-130 to the ISPAB and asked for suggestions.

Roles and responsibilities changed

One of the areas A-130 needs updating is in the roles and responsibilities it assigns for cyber oversight.

Reeder said one example of how out of date the circular is: it doesn't mention the Homeland Security Department, yet it highlights the General Services Administration's role in cybersecurity.

"OMB has since issued guidance to revisit the whole question of responsibilities in the circular, specifically to acknowledge and explicitly task DHS in some areas. This is an area that has created some heartburn on Capitol Hill, we know," Reeder said. "At the same time, we think OMB has ample authority to address a large part of this. The role of GSA has certainly changed. In fact, some of the governmentwide responsibilities that were assigned to GSA probably belong more appropriately in DHS."

Evans said another area is to include the concept of services in A-130. With the push by the administration to use cloud computing and shared services, OMB is telling agencies to get out of the business of owning their own systems. But at the same time, inspectors general and Government Accountability Office auditors still are holding departments responsible for the security of those systems.

"The idea of getting rid of these physical types of systems, it's an Oracle this, or it's that, it's more like here is the data and here is the service associated with that," she said. "That becomes the new definition of how security gets measured and progress or non-progress against that would be measured."

A third area is whether to consider the development of a maturity model for cybersecurity. There are maturity models for software development and for enterprise architecture. Evans wondered if agencies could use such a cyber maturity model to assess their risk and decide which level of maturity meets their needs the best and then work toward that level.

A cyber maturity model may help IGs

If OMB added a maturity model to the oversight process, it would give agencies and IGs a roadmap to follow, Evans said.

Gail Stone, a deputy assistant IG for audit of financial systems and operations audits for the Social Security Administration and a member of the advisory board, said she thinks IGs would give a maturity model mixed reviews.

But Stone said that, for her, a maturity model would make auditing systems easier because she would have a solid baseline. Once a few areas are clarified, such as the definition of a system, which she says forces IGs and agencies into unnecessary conversations, the process would be much smoother.

Two other areas would be the most difficult to address in the A-130 revision.

Evans said with the push toward continuous monitoring, OMB should consider redefining what makes a system.

Under A-130, a major information system "means an information system that requires special management attention because of its importance to an agency mission; its high development, operating or maintenance costs; or its significant role in the administration of agency programs, finances, property or other resources."