Senators Ron Johnson (R-Wis.) and Tom Carper (D-Del.), Chairman and Ranking Member of the Senate Homeland Security and Government Affairs Committee, respectively, sent a letter on Wednesday to the Director of the Office of Management and Budget (OMB) requesting an update on efforts to complete and issue revisions to federal cybersecurity guidance.
The senators inquired into revisions to Circular A-130, which establishes OMB’s official policy and guidance on information technology (IT) management and cybersecurity for federal agencies. First issued in the 1980s, Circular A-130 has not been revised in over 15 years. The Federal Information Security Modernization Act of 2014 (FISMA) required OMB to update Appendix III of the circular by December 2015 to remove wasteful or inefficient reporting and required OMB to provide quarterly briefings to Congress on the status of the amendment or revision.
“Continuous, automated monitoring of cybersecurity controls is a primary component of an organization’s cybersecurity program. Indeed, OMB, the Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST) have all indicated that continuous monitoring is a top priority,” the senators wrote.
However, the version of Circular A-130 that has yet to be updated “remains an obstacle to the full adoption of this modern, automated approach to cybersecurity across government,” Johnson and Carper said.
The senators highlighted that Appendix III of the circular requires an agency to audit the security controls for general support systems and major applications at least once every three years and also to produce a large volume of paperwork to report the audits. Although some documentation is essential, the three-year assessments are not cost-effective or consistent with best practices as understood under FISMA, Johnson and Carper said.
Although the senators appreciated OMB’s work to update the provision, having seen in the most recent FISMA annual report that “OMB is currently in the process of significantly revising Circular A-130 and has asked for public comment on the proposed revisions,” they also “emphasize the importance of completing this revision in a timely matter.”
Johnson and Carper requested that OMB provide them with a date by which the agency plans to issue revisions and that OMB brief the senators’ staffs on the status of the update within 30 days of the letter, as well as quarterly thereafter until the update is complete.