Both the chairman and the ranking member of the House Government Operations Subcommittee complained today – to varying degrees – about a lack of new and detailed information on Federal agency cybersecurity performance data to inform the 15th version of the biannual FITARA Scorecard released today by the House Oversight and Reform Committee.
The concern expressed over the lack of agency-level cybersecurity data by subcommittee Chairman Gerry Connolly, D-Va., and Ranking Member Jody Hice, R-Ga., carried over from the subcommittee’s hearing in late July on the 14th edition of the scorecard, and left neither member of Congress entirely satisfied that the committee had gotten the best data available for their purposes of grading agencies on security.
Rep. Connolly pointed hopefully to a brand-new release of agency-level cybersecurity metrics by the Office of Management and Budget (OMB) that will fill the gap on cyber data, while Rep. Hice complained vigorously that a lack of agency cyber data from OMB tied to Cross-Agency Priority (CAP) goals stands in violation of law.
According to Carol Harris, a director of information technology and cybersecurity at the Government Accountability Office (GAO) who helps the committee sort through data that goes into the FITARA scores, the cybersecurity data in the latest version of the scorecard was based on Fiscal Year 2021 FISMA (Federal Information Security Management Act) data generated by agencies.
Harris said that FISMA data is useful for grading, but explained that data from CAP goals that derive from the President’s Management Agenda (PMA) is necessary to get a better handle on agencies’ cybersecurity picture. Harris said it was “very troubling” that OMB had not taken action to produce that data, and insisted that it needed to do so under law.
Rep. Hice in particular voiced strong objections to the lack of CAP goal-derived cybersecurity data. He argued that the use of FISMA-derived data has not allowed the committee to make progress on cybersecurity grades.
Federal Chief Information Security Officer (CISO) Chris DeRusha, who was a witness at today’s subcommittee hearing, pointed to a newly released OMB progress report that provides metrics to track Federal agency progress on cybersecurity. And he said that OMB has taken pains to weave numerous cybersecurity measures throughout the PMA, and throughout OMB’s guidance to Federal agencies as they implement President Biden’s 2021 cybersecurity executive order.
Rep. Connolly called the new OMB progress report – which he characterized as a “first draft version” – an “exciting update” and “an endeavor that every member on this dais can get behind.”
“This previewed data is one step closer to our goal to shine a spotlight on cyber and underscores the importance of administering a rigorous cybersecurity oversight regime,” Rep. Connolly said.
“The subcommittee plans to continue to work with stakeholders over the next six months to finalize a modernized cyber score using the IG reports and these new metrics for the FITARA 16.0 Scorecard,” he continued.
“In the meantime, after soliciting feedback from cyber experts and multiple discussions with community stakeholders, the subcommittee has decided to keep previous cyber data from the July IG reports on the Scorecard, but grades will reflect an adjusted maturity model methodology,” he said of the current version of the scorecard.
For his part, Rep. Hice insisted repeatedly that OMB is obligated under law to provide cybersecurity-related CAP goals, and questioned the focus in DeRusha’s written testimony on aspects of the cybersecurity executive order, and not on CAP goals.
The focus on the executive order, rather than the CAP goals, is “a bit confusing to me,” Rep. Hice said.
“Is this administration, in your opinion, prioritizing an executive order over the Federal law that requires CAP goals, number one, and number two, what is Congress supposed to do with this? Are we supposed to now prioritize an executive order over Federal law?” the congressman asked.
“The answer is they’re both important,” DeRusha replied.
“OMB’s position is that we are complying with the law, and we made a decision to weave in cybersecurity throughout the President’s Management Agenda and several CAP goals,” the Federal CISO said.
“We had a very aggressive executive order, which we needed to measure our progress on,” he continued. “So we repurposed our FISMA metrics to really align with all of the goals and objectives that we laid out there.”
He added that OMB has issued nine policy memos on cybersecurity since the executive order was published, and said, “so we’re very active and busy here, and there’s just a whole body of work that we feel needs to be managed through that other process, but they’re both extremely important.”
Rep. Hice, who is leaving Congress early next year, again returned to the issue of cybersecurity CAP goals, saying, “just because there’s an executive order does not give you nor anybody else the right to ignore the Federal law, including the administration. And it’s time this stuff gets cleared up. The law is the law and it means something and it does not mean that we can ignore it.”
At the conclusion of the subcommittee hearing, Rep. Connolly said that by the time the subcommittee holds its next FITARA hearing in mid-2023, hopefully DeRusha and GAO “can reconcile these approaches, and make sure that they are consonant with the law.”
“The end goal here is to be able to accurately measure progress, and that’s why it’s in the law,” Rep. Connolly said, adding, “we want to make sure that works.”
Rep. Connolly, who will be handing over the gavel on the subcommittee early next month when Republicans take over control of the House, wound up the hearing by assuring that today’s session “will not be our last.”