OMB's CyberStat program is 'evolving'

The Office of Management and Budget's process for reviewing the cybersecurity postures of federal agencies is "evolving," Federal Chief Information Security Officer Grant Schneider told FCW on the sidelines of the Billington Cybersecurity Summit in Washington, D.C.

The reviews, dubbed CyberStat, are meant to function as one-on-one, in-depth analyses between OMB, which sets civilian governmentwide policy under the Federal Information Security Management Act, and federal agencies that may be struggling with compliance to identify root causes of security vulnerabilities and correct course. The number of such reviews jumped as high as 24 per year in 2016 under the Obama administration, but a Government Accountability Office report this year found that reviews have plummeted since then, with just eight being conducted in the past three years and zero so far in 2019.

Schneider told FCW that his agency is taking "a hard look" at the current program with the aim of revamping the process ahead of next fiscal year. "What do we want the CyberStat program to look like and achieve," he asked, "and what are those numbers going to be?"

While he declined to provide further details on potential changes, Schneider said older iterations of CyberStat were "higher level and really more about management attention" around hitting certain legal compliance metrics and discussing overall implementation challenges. He described the reviews conducted over the past three years as a shifting toward a more holistic analysis of the technical challenges preventing a particular agency from meeting baseline standards for cybersecurity.

Auditors at the GAO urged OMB to find ways to make better use of CyberStat, saying multiple agencies have reported that they found the review sessions useful and effective at improving cybersecurity practices. One change detailed in the audit has been increased engagement by the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, which has steadily taken on a larger role in advising civilian agencies on managing and protecting their systems and networks. Such engagement, conducted more persistently at a lower level, may not be captured as a CyberStat review, though OMB officials have argued it fulfills many of the same functions.

The characterization that the previous OMB CyberStat review process represented "a checklist" approach has been disputed by at least one former OMB cybersecurity official. However, Schneider's predecessor as federal CISO, Retired Air Force Brig. Gen. Greg Touhill, told FCW at the same event that older versions of CyberStat didn't have the benefit of regular network monitoring data from programs like Continuous Diagnostics and Mitigation, which were less mature at the time.

"As you roll out those technologies and CDM, it makes sense you're going to pivot on CyberStat from instead of just … sampling a given period of time and sitting down with the deputy secretary, [to] having that information continuously available and quantified," said Touhill. "So I do think it's important to make sure you have those management reviews but don't necessarily rely on the way it used to be. We need to continue using the information that's current and relevant."

While there have been no reviews scheduled for this year, Schneider said that he doesn't expect that to be the norm in the future.

"I don't have an answer on numbers or schedules, but … there will definitely be CyberStats next year," he said.