Federal CIO: Expect New Cybersecurity Reporting Metrics by Year’s End

Changes are coming to how agencies report on their cybersecurity posture as FISMA guidelines are updated to better reflect the administration’s focus and priorities, a top tech official said.

The reports—named for the Federal Information Security Management Act of 2002 that established the reporting requirement—detail the cyber incidents captured by an agency’s information security teams within a given year and categorize them using standards set by the National Institute for Standards and Technology. The frequency and breadth of the reports have changed over the years due to additional legislation but now the Trump administration is putting its mark on the process to match its priorities.

The Office of Management and Budget and Homeland Security Department “are updating the FISMA metrics to align with the report to the president on federal IT and the [President’s Management Agenda],” Federal Chief Information Officer Suzette Kent, the government’s top IT executive, said during a Digital Government Institute event Tuesday.

Kent has been speaking about the need to update federal IT policy all summer. On Tuesday, Kent reiterated a question she put to a federal audience earlier this month: Who in the room is still using a cell phone from 2008? Once again, she noted, no hands went up.

“Our technology is advancing much more quickly than that,” she said Tuesday. “We shouldn’t have policies that are that old.”

Earlier in her talk, Kent said the administration would be going over several policy documents starting next month with the goal to update them all before the end of the year. An administration official confirmed the new guidance should be out this fall.

“We expect to see improvement in Q3 on [the current] metrics,” Kent said during her talk. “I’m excited about those. I’ll be excited when we get to the point where we can finally talk about them.”

Kent also noted progress with two major initiatives: interagency information sharing and implementing continuous monitoring through the program known as CDM DEFEND.

“We have 20 of 23 federal CFO Act agencies [that] are actually sharing cybersecurity data between their agency-level and DHS dashboard,” she said. “That is a critical focus. We have plans to get the rest in.”

As for CDM DEFEND, Kent said more than half of the agencies are moving to procure and implement those tools, which will “continue to raise the bar” on federal cybersecurity.

Editor's Note: This story has been updated to include timeline information from administration officials.