The U.S. Department of Homeland Security (DHS) now is responsible for ensuring agencies comply with federal information security requirements, according to a recent memo issued by the federal Office of Management and Budget (OMB).
The July 6 memo, signed by Peter Orszag, the OMB director, and Howard Schmidt, White House cybersecurity coordinator, lays out the responsibilities of a number of parties with respect to the federal government's implementation of the Federal Information Security Management Act of 2002 (FISMA).
According to the memo, the DHS assumes the responsibility of overseeing agencies' compliance with FISMA.
Under FISMA, federal agencies are required to conduct annual reviews of their information security programs. These reviews are presented once a year to Congress to verify compliance.
OMB, which previously was responsible for overseeing FISMA compliance, will be in charge of submitting the annual FISMA report to Congress, the memo states. In carrying out its duties, the DHS will be subject to oversight by OMB. Additionally, the cybersecurity coordinator will have visibility into DHS' efforts relating to FISMA and will coordinate interagency cooperation with the DHS.
More broadly, the DHS also will be charged with overseeing the government-wide implementation of cybersecurity policies, in addition to assisting in agency efforts to provide risk-based and cost-effective cybersecurity, according to the memo.
Other DHS responsibilities will include overseeing federal agency cybersecurity operations and incident response capabilities, and annually reviewing agencies' cybersecurity programs.
Alan Paller, director of research at the SANS Institute, told SCMagazineUS.com on Monday that the memo is “a huge step forward” because it erases confusion that FISMA compliance involves the writing of pricey, cumbersome reports.
This mindset stemmed from a separate memo issued by OMB on April 21, stating that automated, continuous cybersecurity monitoring was a new requirement under FISMA and that the DHS would provide operational support to federal agencies in securing their systems.
“What happened was that the people making $300 million a year writing reports told customers that OMB still had a rule that you had to do expensive reports,” Paller said. “DHS was demanding continuous data flows and the [report] contractors were saying that's extra.”
Handing over FISMA oversight to the DHS is the OMB's way of saying it wants agencies to follow the department's guidance and spend their money on automated, continuous monitoring instead of lengthy reports, Paller said.
"This is a little memo with a big impact," he added.
As it currently stands, DHS also operates the U.S. Computer Emergency Readiness Team (US-CERT) and oversees critical infrastructure protection, in addition to the Trusted Internet Connection Initiative, the purpose of which is to reduce and consolidate the external internet connections in use by the federal government.
OMB, meanwhile, is in charge of developing and approving the cybersecurity portions of the president's budget, and overseeing agencies' use of funds. The cybersecurity coordinator is responsible for leading the cybersecurity strategy and policy development across agencies.