What ever happened to CyberStat?
Government auditors and a former top cyber official are concerned, but OMB says the numbers reflect a more substantive and collaborative cybersecurity review process.
The Office of Management and Budget has all but stopped audit reviews of federal agencies to ensure they are complying with information security law.
Under the Federal Information Security Management Act, OMB is responsible for overseeing agency compliance on range of cybersecurity requirements designed to protect federal information systems. For years, one of OMB's main tools for fulfilling that obligation was a series of intensive, data-driven review meetings, which federal agencies dubbed "CyberStat."
A Government Accountability Office report released in July found that the number of such reviews has fallen off a cliff since the beginning of the Trump administration, from 24 in 2016 to zero thus far in 2019.
In the report, officials at OMB cited a number of internal changes to the reviews in 2016 that made such them longer but more substantive. According to Greg Wilshusen, director of information services at GAO, OMB officials described the legacy CyberStat process they inherited as "a checklist approach" for various performance metrics. They described the new process as a more in-depth, collaborative process whereby representatives from OMB, the Department of Homeland Security and the targeted agency meet multiple times over four to six weeks to focus on a specific cybersecurity issue.
However, a longer revamped CyberStat process alone wouldn't explain the drop in number of reviews held over the past three years. OMB could have conducted between eight to 12 expanded reviews annually. Instead, it has conducted just eight since 2017, plus three in 2018. None have been scheduled for 2019.
Wilshusen told FCW that OMB should still be holding more CyberStat meetings, saying agencies that did undergo such reviews reported they were effective and useful at improving their cybersecurity posture.
"What we're taking away from that is these meetings are a good thing," Wilshusen said. "It would be very helpful for OMB to arrange these meetings with more agencies, rather than fewer, in order to provide the level of service and support to agencies that may need [it] to address some of these significant security deficiencies that the agencies have outlined throughout our report."
A senior administration official told FCW in response to emailed questions that feedback from agencies in 2017 indicated that the legacy CyberStat review "wasn't helpful in helping them tackle some of their systemic IT challenges" and that the retooled process was "more of an assist visit centered around sprints to clear roadblocks in addressing cybersecurity gaps."
The official attributed the dearth of such reviews over the past three years as stemming from a shift in focus from compliance to addressing critical vulnerabilities in federal IT, especially in high value assets, while much of the lower level compliance work has been "naturally integrated into DHS' regular engagement with agencies as [Cybersecurity and Infrastructure Security Agency] has continued to mature in its processes."
There's also some confusion as to whether, under the new process, OMB is selecting agencies for review or waiting for agencies to volunteer. Former OMB officials have described the review process as mandatory, with agencies selected by OMB.
However, GAO auditors were told that the three agencies that participated in CyberStat reviews in 2018 "volunteered" to do so after discussing their cybersecurity implementation issues with OMB. Further adding to the confusion, an unnamed official in the Federal Network Resilience Office at DHS told auditors that it uses internal information security reports and other resources to make recommendations to OMB about which agencies need a CyberStat review.
Wilshusen said there are "very specific guidelines and criteria" for selecting agencies to undergo a CyberStat review, but "it wasn't exactly clear" after the audit how OMB was selecting or prioritizing agencies for review.
When asked by FCW if OMB taps agencies for mandatory reviews or leaves it up to them to request one, an official at the agency said that "the answer is both."
"The new approach allowed agencies to raise their hand and request assistance from OMB and DHS," the official said. "However, OMB and DHS are also able to call CyberStats if there is a critical issue which we know needs to be address through that mechanism."
The official said OMB and DHS "continue to evaluate" whether any agencies will require a CyberStat review in 2019.
Trevor Rudolph, former chief of the Cyber and National Security Unit Office at OMB during the Obama administration, told FCW that the volume of CyberStat reviews began rising shortly before the 2015 Office of Personnel Management hack and jumped significantly after, from half a dozen in 2014 to 24 in 2016.
Rudolph told FCW during an exit interview in 2016 that OMB had already revamped CyberStat under his watch to ensure it did more than "check a box" on cybersecurity compliance. Those changes were largely implemented because agencies were "blatantly ignoring critical vulnerabilities" or refusing to implement simple but effective techniques like multifactor authentication under the older process.
Following the 2015 revelation of the OPM hack, Rudolph and others at OMB viewed CyberStat reviews as a key tool to hold agencies accountable for following existing cybersecurity laws and identifying future weak points in the federal network. He described the process in place in 2016 as an evidence-based program review of agency IT programs, typically led by then-Federal CIO Tony Scott, with an agency's CIO or higher leadership in attendance. The reviews were designed to link up with the federal government's cybersecurity sprint and represented "a critical operational component" for connecting the two actions.
While there's no magic number for the "correct" number of reviews to conduct each year, Rudolph said he found the sheer size of the drop over the past three years to be "suspicious."
"When you see that drop, it's an indication that strategic priorities have likely changed, or they have shifted accountability," said Rudolph, who currently works as vice president of global digital public policy at Schneider Electric.
Both Rudolph and GAO auditors maintain that OMB could be holding more sessions than it is now. Rudolph said the Obama administration also went through a similar fallow period for CyberStat reviews during its first term, but he said he believes to this day that doing so helped in part to lay the groundwork for the theft of millions of personnel records from OPM as well as other incidents.
"We saw the Obama administration do the exact same thing at the beginning of Obama's first term, where OMB essentially … abdicated its cybersecurity responsibilities to the National Security Council and Department of Homeland Security, and then it was only a matter of years later where the federal system had atrophied to a certain degree that the conditions for the OPM incident were ripe," said Rudolph. "And then it popped."