Cybersecurity Performance Management

The Federal Network Security Branch (FNS) Cybersecurity Performance Management (CPM) Program was established to work with key government cybersecurity partners to improve the quality of security measures by leveraging FISMA requirements and, in general, advance the security posture of the federal civilian enterprise. The FNS Branch is mandated by the Office of Management and Budget (OMB) via Memoranda M-10-15 and M-10-28 to provide guidance and operational oversight for the Federal Information Security Management Act (FISMA).

Mission

The CPM champions a number of cross-agency activities that contribute to creating a secure and resilient cyber environment:

• Driving the evolution of the FISMA security metrics with a focus on capability outcomes that have a direct impact on cybersecurity.

• Empowering federal civilian agency Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to manage risks to their cyber environments through the analysis of enterprise-wide capabilities and individual Agency Information Security Program data.

• Collaborating with federal civilian agencies to assess cyber capability performance and direct IT investments in a prioritized manner.

• Increasing awareness in relevant stakeholder groups, (OMB, Congress, Inspector General (IG)), of the progress and challenges agencies encounter in the implementation of cybersecurity capabilities.

Leadership

Douglas Andre, CISSP, SSSCP, is the Program Manager (PM) for the FNS CPM program. The program currently has three sub-program areas that support critical overall program objectives.

• Federal Agency Cybersecurity Program Reviews: Develops agency-specific information security program profiles that inform a strengthened federal cybersecurity posture, conducts annual CIO interviews, and supports the OMB CyberStat review process.

• FISMA Reporting Operational Support and Oversight: Coordinates the development of security capabilities that feed the FISMA security metrics and reporting guidance for federal agencies. Manages requirements for and provides training and non-technical customer support for the Cyberscope Reporting System.

• CPM Analytics: Compiles input for the annual FISMA report to Congress and provides input to agency-specific and enterprise-wide cybersecurity posture assessments.