Modernization

CISA ordered to automate collection of cybersecurity metrics by April 2022

OMB expects to begin grading agencies with a compliance scorecard based on the data by the end of 2022.

December 7, 2021

The White House and Eisenhower Executive Office Building in October 2021. (Kevin Dietsch/Getty Images)

The White House is calling on the Cybersecurity and Infrastructure Security Agency to establish a strategy for automating the collection of federal agencies’ cybersecurity metrics by April of next year.

In new FISMA guidance issued Monday, the Office of Management and Budget also orders CISA to set timelines for collecting the data. By December 2022, OMB expects to begin grading agencies with a compliance scorecard based on the data.

The system will include machine-readable automatic cybersecurity incident reporting, which is part of the bedrock of zero-trust IT architecture. OMB and the National Institute of Standards and Technology will assist CISA with the project.

The guidance comes amid a push to improve the transparency of agencies’ cybersecurity posture and the speed of incident reporting that began with President Biden’s cybersecurity executive order in May.

“OMB’s updated FISMA guidance is designed to help agencies focus on practical security outcomes by measuring the use of rigorous multi-layered security testing, automation of security and compliance controls, and progress in adopting a zero trust architecture,” Federal CISO Chris DeRusha said.

CISA’s strategy must include “a set of metrics (supplementing the existing CIO metrics) based on NIST Standards (e.g., NIST SP 800-53) for controls that can be reported in an automated manner, and will set forth a timeline for when these metrics will be collected automatically,” OMB said.

According to OMB, an estimated 47% of incidents reported in the fiscal 2020 annual FISMA report were reported by agencies through a webform on the CISA-managed US-CERT website. Historically, agencies have needed to manually compare their incidents with accounts on US-CERT in order to ensure the accurate reporting of information.

OMB’s memo gives CISA and agencies some flexibility in meeting the requirements under the existing Continuous Diagnostics and Mitigation (CDM) program, which monitors threats and vulnerabilities on federal networks. Those tools are generally acquired under General Services Administration’s IT Schedule 70, but OMB is allowing for exceptions if agencies can provide “significant justification.”