OMB Issues Agency Guidance on NIST Framework Adoption

Memorandum Emphasizes IT Risk Management for Federal Government
Office of Management and Budget Director Mick Mulvaney

White House Office of Management and Budget Director Mick Mulvaney has issued a memorandum to executive branch agencies on how they must adopt the cybersecurity framework for critical infrastructure created by the National Institute of Standards and Technology.

"Agency heads are required to manage risk commensurate with the magnitude of harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of a federal information system or federal information," Mulvaney says in the memorandum dated May 19. President Donald Trump signed a cybersecurity executive order on May 11 that directed each federal agency to use the cybersecurity framework (see Trump Finally Signs Cybersecurity Executive Order).

The memorandum required each agency to notify OMB by May 26 about which official is responsible for its risk management as well as the implementation of the cybersecurity framework. Federal law designates each cabinet secretary or agency director as the official responsible for their organization's IT security, but the cybersecurity executive order allows the secretary or director to designate another official as long as they directly report to the departmental or agency head.

Implementation Challenges

But implementing the framework won't necessarily be easy for departmental secretaries, agency directors or their designees.

"Attempting to implement it is enormously difficult and costly," says Steven Chabinsky, global chair of the data, privacy and cybersecurity practice at White & Case, who last year served on the White House Commission on Enhancing National Cybersecurity. "This is not because the NIST framework is poorly crafted, quite the opposite. The majority of security professionals appear to agree that the NIST framework is about as good as you can get. Its goals are certainly easy to understand, but they are operating in a complex risk environment."

Citing the cybersecurity executive order, the memorandum directs agency heads to submit a risk management report to Mulvaney and Homeland Security Secretary John Kelly within 90 days. "An effective enterprise risk management program promotes a common understanding for recognizing and describing potential risks that can impact an agency's mission and the delivery of services to the public," Mulvaney says.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
