Agency directors can designate a subordinate to be accountable for ensuring the cybersecurity of agency networks rather than taking full responsibility themselves, according to recent White House guidance.
The guidance follows a mid-May executive order from President Donald Trump that declared agency heads “will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from” digital theft or destruction of agency data.
Agency heads can delegate that accountability, but only to someone who reports directly to an agency director, such as a federal department’s undersecretary or management director, the White House’s Office of Management and Budget said.
The accountable official must also “have vision into all areas of the organization, particularly those focused on risk management, possess authority for both funding and management of IT enterprise risk, and be able to represent the challenges and opportunities across the enterprise.”
The accountability requirements follow through on a pledge from early in the Trump administration that department heads and agency directors would be “totally accountable for the cybersecurity of their organizations, which we probably don’t have as much … as we need,” the president said.
Cyber analysts and former officials have generally applauded that pledge but said the test will be both following through on imposing the accountability and ensuring agencies have the resources to fully protect their networks.
The guidance, dated May 19, also gives agencies a break on some of the executive order’s reporting requirements. A mandated report on agencies’ enterprise risk management may be fulfilled by the agencies’ July 2017 report on cyber risks required by the Federal Information Security Management Act.
OMB and the Homeland Security Department will also use FISMA reports to draft a report to the president on agency-specific cyber priorities, the guidance states.
Agencies are still on the hook, however, for reporting to the White House by mid-July on how they will align their cybersecurity protections with a framework developed by the government’s cyber standards agency, the National Institute of Standards and Technology.
NIST initially developed its cybersecurity framework for the private sector, but it is broadly applicable elsewhere. Earlier this month, NIST published guidance on how agencies can align the framework with their existing reporting requirements under FISMA.