OMB officially expands DHS's cyber role

Friday - 7/9/2010, 6:17am EDT

By Jason Miller
Executive Editor
Federal News Radio

The Office of Management and Budget put the Homeland Security Department officially in charge of all civilian agency computer networks.

OMB Director Peter Orszag and White House cybersecurity coordinator Howard Schmidt signed a memo July 6 detailing the roles and responsibilities around federal cybersecurity for DHS, OMB and Schmidt's office.

"Everybody interprets things differently, which is why we are looking to make sure there is clarity out there on stuff the people need to be doing," says Schmidt after his speech at the AFCEA Cybersecurity Symposium in Washington Thursday.

He says the memo is not related to the multiple bills Congress is considering that would redefine Schmidt's office as well as how agencies comply with the Federal Information Security Management Act (FISMA). And one bill, sponsored by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), would give DHS more authority over civilian networks.

"It is strictly related to the work we are looking to do with the agencies out there, just for clarification," Schmidt says.

OMB first hinted at these major changes in its 2010 FISMA guidance issued in April. In it, OMB says it will start collecting data from agencies on the health of their networks in real time through the Cyberscope tool, and begin interviewing agencies about how they ensure their computers are safe. DHS will play a major role in both of these actions.

Now in the new memo, OMB says DHS will:

  • Oversee the governmentwide and agency-specific implementation of and reporting on cybersecurity policies and guidance;

  • Oversee and assist governmentwide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity;

  • Oversee the agencies' compliance with FISMA and develop analyses for OMB to assist in the development of the FISMA annual report;

  • Oversee the agencies' cybersecurity operations and incident response and provide appropriate assistance; and

  • Review agencies' cybersecurity programs annually.

"To clarify and avoid confusion, effective immediately, OMB will be responsible for the submission of the annual FISMA report to Congress, for the development and approval of the cybersecurity portions of the President's Budget, for the traditional OMB budgetary and fiscal oversight of the agencies' use of funds and for coordination with the Cybersecurity Coordinator on all policy issues related to the prior three responsibilities," the memo states. "The Cybersecurity Coordinator will have visibility into DHS efforts to ensure federal agency compliance with FISMA and will serve as the principal White House official to coordinate interagency cooperation with DHS cybersecurity efforts."

Previously, OMB's Office of E-Government and Information Technology assumed responsibility for many of the efforts DHS now will oversee.

While Schmidt didn't address the memo in his speech at the AFCEA conference, he did recognize that DHS, OMB and the White House cannot secure federal networks alone.

He says public-private partnerships are crucial to the effort, but they have to be more than just words. The private sector owns as much as 90 percent of the critical infrastructure the government uses to meet its mission.

"We still need to smooth that out and redefine it," Schmidt says. "We have to wind up in a position where we have the ability to share information at all kinds of levels that really make a change for people."

Schmidt says the government must look at the information it's getting about cyber threats or vulnerabilities and not just classify it.

"There's got to be a balance that we have to do given that the owners and operators of our critical infrastructure are so key to our success on the government side," he says.

The need for better partnerships or relationships was a theme throughout the conference. Several speakers pointed to the need to improve information sharing.

Guy Copeland, chairman of the Cross-Sector Cybersecurity Working Group and CSC's vice president of information infrastructure, says many times the classified information the government gives industry isn't all that helpful for the network administrator.

"It's not something you can take and apply to the network," he says. "It's far more oriented toward who is doing what, what they intend to do with it, what's their agenda and what are they after. For a network administrator, that's almost useless."

He says the goal is to get down to the bits and bytes the operators can use and get the information in real time.

A group of companies is trying to do just that. About 30 technology, financial services, Defense industrial base and communications firms are taking part in a pilot to share cyber threats in real time.