OMB Issues Agency Guidance on NIST Framework Adoption
Memorandum Emphasizes IT Risk Management for Federal Government
White House Office of Management and Budget Director Mick Mulvaney has issued a memorandum to executive branch agencies on how they must adopt the cybersecurity framework for critical infrastructure created by the National Institute of Standards and Technology.
"Agency heads are required to manage risk commensurate with the magnitude of harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of a federal information system or federal information," Mulvaney says in the memorandum dated May 19. President Donald Trump signed a cybersecurity executive order on May 11 that directed each federal agency to use the cybersecurity framework (see Trump Finally Signs Cybersecurity Executive Order).
The memorandum required each agency to notify OMB by May 26 about which official is responsible for its risk management as well as the implementation of the cybersecurity framework. Federal law designates each cabinet secretary or agency director as the official responsible for their organization's IT security, but the cybersecurity executive order allows the secretary or director to designate another official as long as they directly report to the departmental or agency head.
But implementing the framework won't necessarily be easy for departmental secretaries, agency directors or their designees.
"Attempting to implement it is enormously difficult and costly," says Steven Chabinsky, global chair of the data, privacy and cybersecurity practice at White & Case, who last year served on the White House Commission on Enhancing National Cybersecurity. "This is not because the NIST framework is poorly crafted, quite the opposite. The majority of security professionals appear to agree that the NIST framework is about as good as you can get. Its goals are certainly easy to understand, but they are operating in a complex risk environment."
Citing the cybersecurity executive order, the memorandum directs agency heads to produce a risk management report to Mulvaney and Homeland Security Secretary John Kelly within 90 days. "An effective enterprise risk management program promotes a common understanding for recognizing and describing potential risks that can impact an agency's mission and the delivery of services to the public," Mulvaney says.