EXCLUSIVE: OMB uses budget to set cyber deadlines

Wednesday - 1/26/2011, 7:09am EST

WFED's Jason Miller


By Jason Miller
Executive Editor
Federal News Radio

The Office of Management and Budget gave agency chief information officers marching orders to implement software to continuously monitor the security of their networks by the end of fiscal 2012.

This was just one of several governmentwide provisions in the administration's annual IT budget passback guidance. Federal News Radio obtained exclusive details about the passback from multiple federal sources.

Federal chief information officer Vivek Kundra sent agency CIOs guidance as part of the 2012 budget request in December.

A request to OMB for comment on the IT passback was not returned.

But multiple federal sources, who requested anonymity because the information is considered pre-decisional, say OMB focused on only a handful of governmentwide areas, instead of the 18 it covered in last year's passback. The officials say OMB placed several agency-specific provisions in the guidance around financial management systems, data center consolidation and other areas.

"The things we asked for relative to supporting our programs, they came back and said 'do it,'" said one federal official. "OMB gave us what we asked for in funding as well. We had no comments on the IT passback. It was fine just the way it is."

OMB instructed agencies to meet several deadlines this year and next. Along with the continuous monitoring requirements, the administration wants agencies to use the CyberScope tool to submit standard data on the health of their IT systems by Sept. 30.

The Homeland Security Department will issue guidance in the coming months detailing how the information should look when exported to CyberScope, the officials say.

The idea behind continuous monitoring is to know in real time or near real time the health of agency computer networks instead of checking them a few times a year. It also will help DHS and agencies address threats or potential threats sooner.

That real-time or near-real-time information is then fed into the Einstein tool run by DHS.

"I don't see how people will do this," said another federal official. "There hasn't been buy-in across the board. Some agencies such as State, NASA and Justice will be able to do it. But others didn't want to do it and haven't started."

The official added that some agencies that received an "A" on their Federal Information Security Management Act scorecard will struggle with CyberScope because it's no longer just about filling out paperwork.

The official also said vendors will struggle, especially those who have made a living on compliance.

Through CyberScope, agencies will feed cumulative data into the online software tool to show how they are meeting FISMA requirements. DHS will use the data to get a more holistic picture of federal cybersecurity.

OMB also reiterated its cloud-first policy, which it first revealed in the 2010 passback and made public with its 25-point IT reform plan in December. The guidance also instructs agencies to consider the technologies that have been approved under the FedRAMP process.

The General Services Administration and the departments of Defense and Homeland Security are collaborating on a set of requirements to certify and accredit cloud services that meet the government's common security requirements.

Officials say FedRAMP could be ready to examine the initial set of vendor services this spring.

Another governmentwide topic is the transition to Internet Protocol version 6.

OMB wants agencies to complete their transition plans by April to move external-facing servers to the new protocol.

OMB called for agencies' external services to use IPv6 by the end of fiscal 2012. Agencies also must upgrade internal servers that communicate with the public-facing Internet and supporting enterprise networks to IPv6 by 2014.

E-government and line of business initiatives are two areas where OMB intensified its guidance for 2011.

The administration instructed agencies through hard deadlines to pay for e-government and line of business shared services.

OMB wants agency managing partners to get funding requests in to them by May 31, meaning contributing agencies should tell the managing partners how much money they will provide.

And by Aug. 31, partner agencies have to confirm the funding levels by having their CFO sign off on the amount so it can be included in the 2013 budget submission.

The second official called this year's guidance much more direct compared with last year's guidance on these initiatives, which they called "squishy."

"Agencies didn't know what the funding would be until the end of the fiscal year," the source said. "It's been sloppily governed all along. And it looks like OMB is trying to put more accountability on the managing partners."