The Augusta Group and 327 Solutions announce their education partnership
Cyber-Supply Chain Risk Management (C-SCRM) is an objective of the United States Government in response to numerous and significant cyber-attacks, which have increased in complexity, severity, and number since 2020. GAO, FISMA, and Inspector General reports predicted that these attacks would increase. Even though the Federal Government has been working to resolve cybersecurity (information security) since Congress passed the Federal Information Security Management Act (FISMA) in 2002 and modernized it in 2014 (the Federal Information Security Modernization Act), these laws have not been effective in reducing the impact of cyber events.
C-SCRM is not a new issue. It has been a focus of Congress since it enacted FISMA in 2002. FISMA requires the adoption of the Risk Management Framework (RMF, NIST SP 800-37r2) by all Federal Agencies and their contractors. The RMF requires organizations to develop a C-SCRM policy and to address C-SCRM goals and objectives in their strategic plans, missions, business functions, and organizational roles and responsibilities. The development of C-SCRM policies applies risk management practices that align with both FISMA and Office of Management and Budget (OMB) Circular A-130. Prioritizing C-SCRM and cybersecurity risk management across Federal Agencies is critical to identifying and mitigating the risk that cyber threats pose to those agencies and the potential impact on their systems.
For example, the Department of Defense (DoD) issued DoDI 8510.01 (under the authority of the DoD CIO, DoDD 5144.02), requiring the implementation of the RMF in any authorization decision that allows a system to be placed on its networks. In December 2020 the DoD issued DoDI 5000.90 to address the application of the RMF within the Defense procurement life cycle, thereby addressing the FISMA Congressional mandate applicable to all Federal Agencies. In addition, the DoD uses DFARS 252.204-7012, -7019, -7020, and -7021 to require defense contractors to apply NIST SP 800-171r2 cybersecurity practices and CMMC (interim rule).
We contend that the Federal Government has the necessary cybersecurity regulation in place to manage cybersecurity risk. FISMA places the onus on Federal Agencies and contractors to manage cybersecurity risks. To that end, FISMA already requires the oversight and assurance of cyber risk across the design, manufacturing, and support of products and services supplied to those agencies. The Federal Government needs to refocus its efforts on delivering FISMA and NIST SP 800-37r2, along with evaluating the potential reciprocity offered by other control frameworks, such as the Trust Services Criteria (TSC), and the integration of Cybersecurity Framework (CSF) Profiles into Cyber Supply Chain Risk Management (C-SCRM).
A review of FISMA, OMB oversight, and the application of the Risk Management Framework (RMF) for the management, oversight, and assurance of cyber risk across the Federal Government.
Copyright © 2021 Augusta GRC, LLC - All Rights Reserved.