By Antonina McAvoy, CISA, CISM, QSA, PCIP

Summary

On April 22, 2024, the Office of Management and Budget (OMB) issued revisions to the Uniform Guidance, with a notable emphasis on cybersecurity. Federal agencies and their partners will be required to integrate cybersecurity measures into recipient and subrecipient internal controls. OMB is expected to provide more clarification soon regarding the effective date of the changes to the Uniform Guidance, many of which are effective for grants after October 1, 2024.

This update underscores the growing recognition of cybersecurity as a paramount concern in federal grant management. By formalizing this requirement, OMB aims to enhance the protection of government information assets from evolving cyber threats.

Federal agencies should proactively assess their cybersecurity posture and take steps to align with the revised guidance. Early adoption of cybersecurity measures will not only ensure compliance but also bolster resilience against cyber threats.

As the regulatory landscape continues to evolve, staying ahead of cybersecurity challenges is paramount. Organizations can leverage the expertise of cybersecurity professionals to navigate these changes effectively and safeguard sensitive information.

For further guidance on implementing cybersecurity measures in compliance with the revised Uniform Guidance, continue reading and connect with PBMares’ experienced cybersecurity team for tailored solutions and support.

Understanding the Importance of Cybersecurity

In today’s digital age, cybersecurity has emerged as a critical concern for organizations across all sectors. The threat landscape is constantly evolving, with cyberattacks becoming increasingly sophisticated and pervasive. Federal agencies, entrusted with vast amounts of sensitive data, are prime targets for malicious actors seeking to exploit vulnerabilities and compromise security.

The Role of Uniform Guidance

The Uniform Guidance serves as a framework for federal grant management, providing guidelines and standards to ensure the proper stewardship of taxpayer dollars. The recent revision underscores the importance of integrating cybersecurity into recipient and subrecipient internal controls. By formalizing this requirement, the Office of Management and Budget (OMB) acknowledges the imperative of protecting government information assets from cyber threats.

Implications for Federal Agencies

The updated guidance places a renewed emphasis on cybersecurity readiness and resilience. Federal agencies must proactively assess their current cybersecurity posture and implement measures to mitigate risks effectively. This entails not only adopting robust technical controls but also cultivating a culture of security awareness and compliance throughout the organization.

Early Adoption Opportunities

While the changes to the Uniform Guidance are slated to take effect on October 1, 2024, federal agencies can seize the opportunity to implement cybersecurity measures ahead of schedule. By taking proactive steps to align with the revised requirements, agencies can enhance their cybersecurity posture and mitigate potential vulnerabilities. Early adoption not only demonstrates a commitment to compliance but also positions agencies to effectively navigate the evolving threat landscape.

Connecting with Our Cybersecurity Team

At PBMares, we understand the complexities of cybersecurity compliance within the federal sector. Our dedicated team of cybersecurity experts possesses the knowledge and expertise to assist federal agencies in navigating the changing regulatory landscape. Whether you require assistance with risk assessments, compliance audits, or cybersecurity strategy development, we stand ready to support your organization’s cybersecurity initiatives.

Conclusion

As federal agencies prepare to implement the revised Uniform Guidance, cybersecurity emerges as a focal point in ensuring the integrity and security of government operations. By embracing the principles outlined in the guidance and proactively addressing cybersecurity concerns, agencies can strengthen their resilience against cyber threats and uphold public trust. We encourage readers to connect with our cybersecurity team to learn more about how we can assist in enhancing your organization’s cybersecurity posture.

APPENDIX A – Extracted OMB Revisions Relevant to Cyber (Posted April 22, 2024)

In the proposed guidance, in section 200.206, OMB revised the section regarding risk evaluation by using the term “risk assessment” as a standard term and by clarifying agency requirements to appropriately review eligibility qualifications and financial integrity information. OMB also clarified that agency processes may consider any risk criteria pertinent to a program, such as cybersecurity risk or impacts on local jobs and the community. OMB further clarified that an agency may modify its risk assessment at any time during the lifecycle of an award.

In the proposed guidance, OMB added a requirement in paragraph (e) of section 200.303 that recipient and subrecipient internal controls include cybersecurity and other measures to safeguard information. For the purposes of this update, OMB disagrees with commenters on requiring a specific framework for cybersecurity and other measures used to safeguard information. OMB did not propose changes to establish a specific framework in the guidance and generally maintains the guidance in paragraph (e) as proposed. However, OMB will continue to evaluate whether to implement a specific framework on a government-wide basis in the future. OMB agrees with commenters that this is a topic worthy of consideration for future updates. In the interim, Federal agencies may consider providing more specific guidance on this topic as appropriate for their Federal financial assistance programs.

(b) Risk Assessment.

(1) The Federal agency must establish and maintain policies and procedures for conducting a risk assessment to evaluate the risks posed by applicants before issuing Federal awards. This assessment helps identify risks that may affect the advancement toward or the achievement of a project’s goals and objectives. Risk assessments assist Federal managers in determining appropriate resources and time to devote to project oversight and monitor recipient progress. This assessment may incorporate elements such as the quality of the application, award amount, risk associated with the program, cybersecurity risks, fraud risks, and impacts on local jobs and the community. If the Federal agency determines that the Federal award will be made, specific conditions that address the assessed risk may be implemented in the Federal award. The risk criteria to be evaluated must be described in the announcement of the funding opportunity described in § 200.204.

(2) In evaluating risks posed by applicants, the Federal agency should consider the following items:

(i) Financial stability. The applicant’s record of effectively managing financial risks, assets, and resources;

(ii) Management systems and standards. Quality of management systems and ability to meet the management standards prescribed in this part;

(iii) History of performance. The applicant’s record of managing previous and current Federal awards, including compliance with reporting requirements and conformance to the terms and conditions of Federal awards, if applicable;

(iv) Audit reports and findings. Reports and findings from audits performed under subpart F or the reports and findings of any other available audits, if applicable; and

(v) Ability to effectively implement requirements. The applicant’s ability to effectively implement statutory, regulatory, or other requirements imposed on recipients of Federal awards.

(c) Adjustments to the Risk Assessment. The Federal agency may modify the risk assessment at any time during the period of performance, which may justify changes to the terms and conditions of the Federal award. See § 200.208.

(d) Suspension and debarment compliance. The Federal agency must comply with the government-wide suspension and debarment guidance in 2 CFR part 180 and individual Federal agency suspension and debarment requirements in title 2 of the Code of Federal Regulations. Federal agencies must also require recipients to comply with these requirements. These requirements restrict making Federal awards, subawards, and contracts with certain parties that are debarred, suspended, or otherwise excluded from receiving Federal awards or participating in Federal awards.

The recipient and subrecipient must:

(a) Establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

(b) Comply with the U.S. Constitution, Federal statutes, regulations, and the terms and conditions of the Federal award.

(c) Evaluate and monitor the recipient’s or subrecipient’s compliance with statutes, regulations, and the terms and conditions of Federal awards.

(d) Take prompt action when instances of noncompliance are identified.

(e) Take reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information. This also includes information the Federal agency or pass-through entity designates as sensitive or other information the recipient or subrecipient considers sensitive and is consistent with applicable Federal, State, local, and tribal laws regarding privacy and responsibility over confidentiality.