The Federal Network Resilience (FNR) Cybersecurity Performance Management (CPM) branch was established to collaborate with key government cybersecurity partners to improve the Federal Information Security Management Act of 2002 (FISMA; 44 U.S.C. §§ 3541-3549) reporting process. CPM continually works to improve the quality of security measures and advance the security posture of the federal civilian enterprise.
The established FISMA reporting process defined by the Office of Management and Budget (OMB) has been delegated to DHS's Federal Network Resilience division. OMB M-10-28 Clarifying Cybersecurity Responsibilities and Activities states that “DHS will exercise primary responsibility within the executive branch for the operational aspects of Federal agency cybersecurity with respect to the Federal information systems that fall within FISMA under 44 U.S.C. §3543.
CPM champions a number of cross-agency activities that contribute to creating a secure and resilient cyber environment, including:
- driving the evolution of the FISMA security metrics with a focus on capability outcomes that have a direct impact on cybersecurity;
- empowering federal civilian agency Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to manage risks posed to their cyber environments through the analysis of enterprise-wide capabilities and individual agency information security program data;
- collaborating with federal civilian agencies to assess cyber capability performance and direct Information Technology investments in a prioritized manner; and
- Increasing awareness in relevant stakeholder groups (OMB, Congress, Inspector General), of the progress and challenges agencies encounter in the implementation of cybersecurity capabilities.
Dave Otto leads the FNR CPM branch. CPM branch organization is strategically configured to ensure execution of its mandated responsibilities. To date, the organization has established three sections: Cybersecurity Performance Reviews, Cybersecurity Performance Analytics, and Cybersecurity Performance Metrics Guidance. All three sections are supervised by Mr. Otto via the overarching Management and Operations program entity.
- Cybersecurity Program Reviews (CPR): A comprehensive review of an agency’s information security program that provides insight into the posture and maturity of the agency’s cybersecurity program operations. The CPR team develops agency-specific information security program profiles that inform a strengthened federal cybersecurity posture. These project activities and evaluations are not an agency audit or inspection. The CPR project area is comprised of three additional sub-projects : annual interviews with agency CIOs and CISOs, independent evaluations of agencies’ information security program operations, and facilitation of OMB’s CyberStat reviews--which is intended to assist an agency in implementation of key strategic enterprise cybersecurity capabilities.
- Cybersecurity Performance Analytics (CPA): An internal function that conducts analysis on cybersecurity data from across the federal enterprise, transforms it into useful and meaningful information, and provides it to various groups. CPA receives cybersecurity data from the following sources:
- Automated data feeds submitted by Agencies to CyberScope,
- CIO and IG FISMA reporting response data,
- Cybersecurity Capability Validation assessment results,
- US-CERT incident data.
Cybersecurity Performance Metrics Guidance (CPMG): A collaborative effort with appropriate stakeholders that seeks to improve the overall government-wide FISMA reporting process, including the development of a common set of FISMA reporting criteria, annual reporting guidance, the the quality of FISMA security performance measures, and customer support services. A single point of contact for non-technical customer support for agency representatives to access personnel with the expertise, resources, and knowledge base to answer questions regarding FISMA performance measures and FISMA reporting.
Dave Otto, Branch Chief: Cybersecurity Performance Management, Federal Network Resilience