The new guidance also requires agencies to justify buying cyber monitoring tools that aren’t vetted by Homeland Security.
The Homeland Security Department has until April next year to develop a tool that maps lapses in federal agencies’ cybersecurity capabilities, and until October to help agencies assess their ability to protect their highest value digital assets, according to White House guidance released Thursday.
Homeland Security has until the end of 2019 to be up and running with a governmentwide cybersecurity program that allocates resources based on the risks facing particular systems and puts special emphasis on high-value assets, according to the guidance from the White House’s Office of Management and Budget.
The term ‘high-value assets’ generally refers to hardware and software systems that contain classified or sensitive information or citizens or employees’ personal information.
Homeland Security is trying to refocus its cyber operations from protecting all assets equally to putting special emphasis on protecting systems and information that would cause the most damage if they were compromised or present the greatest value to U.S. adversaries.
The Office of Management and Budget guidance follows a May report, which found that roughly three-quarters of federal agencies’ cybersecurity programs were “at risk” or “at high risk” of a breach. The report also found that many agencies didn’t know how hackers were targeting them and wouldn’t necessarily notice if hackers compromised large amounts of their data.
The report itself was called for in a 2017 executive order from President Donald Trump.
Thursday’s guidance includes additional deadlines for an action plan that was included in the May report.
The guidance requires agencies to submit a plan to mature their cybersecurity operations by April. That plan must include a timeline for how to achieve the mature state and the funding necessary to get there.
By September 2020, agencies must submit a plan for how to either mature and consolidate their security operations centers, known as SOCs, or to outsource those operations elsewhere, which the report calls SOC as a service.
The Office of Management and Budget guidance is issued each year and focuses broadly on agencies’ cybersecurity and privacy responsibilities under the Federal Information Security Management Act. Thursday’s guidance is six pages longer than the previous year’s report with those additional pages focused mainly on the new action items and deadlines.
The guidance also expresses White House approval for Homeland Security’s Continuous Diagnostics and Mitigation program, or CDM, which offers suites of pre-vetted cybersecurity tools to federal agencies.
In the future, agencies that want to buy continuous cyber monitoring tools that are not authorized parts of the CDM program must first send memos justifying their decisions to the Homeland Security office that manages CDM and to the federal chief information officer, the guidance states.