The Office of Management and Budget (OMB) has released a new “progress report” on the state of cybersecurity across Federal agencies, just in time for the 15th edition of the FITARA Scorecard issued today by the House Oversight and Reform Committee.
The progress report – published to Performance.gov on Dec. 14 – provides the public and key stakeholders, including Congress, with new cyber metrics derived from the Federal Information Security Modernization Act (FISMA) metrics.
Notably, the cyber progress report may become a future category for the FITARA Scorecard and represent an evolution of sorts from the current FISMA-centric cyber category. The committee’s latest scorecard includes the brand new cybersecurity progress report category as a “preview,” meaning it is not included as a contributing factor to the latest set of grades.
The category assigns each agency a percentage value for its cybersecurity progress, ranging on the latest scorecard from 68 percent for the Department of the Interior to 94 percent for the General Services Administration (GSA).
Aligning with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, the category’s metrics are grouped into five categories: Identify, Protect, Detect, Respond, and Recover.
The percentage value is the sum of the five category scores, with each category weighted at 15 points except “Protect,” which is weighted at 40 points. OMB said the Protect category carries more weight because it includes more metrics than the other categories, such as the use of multi-factor authentication and the encryption of data.
As always, the easiest way to make sense of the House Oversight committee’s multicolored scorecard is to view the results on MeriTalk’s FITARA Dashboard.
Is the New Cybersecurity Category Enough?
At the House Government Operations Subcommittee hearing today to discuss the new FITARA Scorecard, Jason Gray, the chief information officer (CIO) at the U.S. Agency for International Development, said the preview of the new cyber category is “a good start,” but called for “more than one metric.”
“The FISMA scores that we get every year are great, but they’re dated,” Gray said. “So, I am certainly an advocate for more metrics in terms of capturing the cybersecurity risk that agencies are able to manage.”
Gray said he hopes to work with OMB and the Federal CIO Council to look for additional cyber metrics that could be used “to capture the holistic risk that agencies are managing every day.”
For his part, Federal Chief Information Security Officer (CISO) Chris DeRusha noted that OMB plans to keep evolving the new cyber metrics going forward.
“We are very open to continuing to evolve those [cyber metrics] – that is our plan,” DeRusha told the House Government Operations Subcommittee at its hearing today. “We’ve adjusted some of our metrics… we’re open to continued conversations with the committee on other focus areas. So, our view is that it’s important that we got the metrics out in public, and we’re going to continue to evolve this as we go.”
In a blog post published to Performance.gov on Dec. 14, DeRusha goes into more detail on the new progress report and calls the cyber metrics “a starting point.”
“Overall, the progress report underscored that agencies are ready to assess and respond to cyber incidents,” he wrote. “Starting next year, we will raise the bar in several areas by requiring agencies to provide more details on their endpoint detection and response toolsets, log management capabilities, and more.”
DeRusha also told the subcommittee that the metrics serve as a “good representative sample” to see agencies’ progress toward implementing the Biden administration’s cybersecurity executive order.