FISMA and OMB A-130 set the foundations for U.S Cyber Supply Chain Risk Management regulation
Cyberattacks have increased in complexity, severity and frequency in 2021 and 2022, as predicted by several Government Accountability Office, Federal Information Security Management Act and Inspector General reports. Cyber attacks that have raised Cyber-Supply Chain Risk Management (C-SCRM) concerns across U.S Federal Government. Helped prioritize C-SCRM, cybersecurity risk management and focus Federal Agencies on identifying and mitigating the risks that cyber threats pose, and mitigating impact to their systems and their supply chains.
Federal government has been working to resolve cybersecurity since the passing by Congress of FISMA in 2002, modified in 2014 and 2022. FISMA requires the adoption of Risk Management Framework (RMF) and NIST SP 800-37 by Federal Agencies and their contractors. The RMF requires organizations to develop a C-SCRM policy and address C-SCRM goals and objectives in their strategic plans, missions, business functions, and organizational roles and responsibilities. The development of C-SCRM policies and apply risk management practices that align with both FISMA and Office of Management and Budget (OMB) A-130.
By example the Department of Defense (DoD) issued DoDI 8510.01 (under the authority of the DoD CIO – DoDD 5144.02), requiring the implementation of the RMF in any authorization decisions that allow a system to be placed on its networks. The DoD issued 5000.90 in December 2020 to address the application of the RMF within the Defense procurement life cycle. Addressing the FISMA Congressional mandate applicable to all Federal Agencies. In addition to using DFARS 252.204 – 7012, – 7019, – 7020, and – 7021, requiring defense contractors to apply NIST SP 800 – 171R2 cyber security practices and CMMC (interim ruling). We contend that Federal Government has the necessary cybersecurity regulation in place to manage cybersecurity risk. FISMA places the onus on Federal Agencies and contractors to manage cybersecurity risks. To that end, FISMA already requires the oversight and assurance of cyber risk across the design, manufacturing, and support of products and services supplied to those agencies. Federal Government needs to refocus its efforts on delivering FISMA and NIST SP 800 – 37R2. Along with evaluating the potential reciprocity offered by other control frameworks, such as Trust Service Criteria (TSC) and the integration of Cybersecurity Framework (CSF) Profiles in Cyber Supply Chain Risk management
The cyber risk regulatory elephant in the room
A review of OMB-A130, FISMA and the application of the Risk Management Framework (RMF) for the management, oversight, assurance and attestation of cyber-risk