Background
The Federal Chief Information Security Officer (CISO) Handbook, last updated in 2019, requires modernization to reflect the evolving federal cybersecurity landscape. This project originates from a request by the Federal CISO Council and is aligned with new mandates and modernization priorities across government. The current version does not reflect recent developments such as the integration of artificial intelligence, Zero Trust architecture, and continuous authorization (cATO) practices.
The objective of this short-form project is not to rewrite or republish the handbook directly, but to provide a set of recommended updates and structural improvements. These recommendations will guide a subsequent full-scale effort to update and publish the next version of the handbook.
Overall Project Objective and Mission
The purpose of this project is to identify and recommend updates to the Federal CISO Handbook so that it remains actionable, relevant, and aligned with current federal cybersecurity frameworks, laws, and executive orders. The project will focus on identifying areas requiring modernization, improving usability, and aligning the handbook with updated standards such as NIST SP 800-161 (Supply Chain Risk Management), NIST SP 800-160 (Systems Security Engineering and Shift-Left Practices), and the Secure Software Development Framework (SSDF), among others that reflect current federal priorities.
The scope includes all areas within the handbook where an update is needed. In addition to recommending content revisions, the project will consider how the handbook is presented and accessed on CIO.gov, including its organization, navigation, and overall usability for federal CISOs and their staff.
Project Approach
The project will perform a full content review of the current Federal CISO Handbook to identify areas requiring modernization and improvement. Given the eight-week project duration, the team will use efficient methods to collect and validate input rather than relying solely on interviews. If direct interviews with federal CISOs are not feasible, alternative approaches such as structured feedback requests or focused working sessions will be used to ensure input remains aligned with federal needs.
This effort will be conducted under the ACT-IAC framework and will include both government and industry members. While the work is being performed for the Federal CISO Council, the project will also consider how recommendations can support efficiency and scalability for small agencies, ensuring that resources are applied effectively and without waste.
Duration and Timeline
The project will begin as soon as possible following approval and is expected to run for a total of eight weeks from kickoff to delivery, consistent with ACT-IAC short-form project requirements. There are no known dependencies on other ongoing ACT-IAC or federal initiatives that would affect the project’s schedule or sequencing.
Outcomes
The project will produce a written report detailing recommended updates to the Federal CISO Handbook, along with a presentation to the Federal CISO Council summarizing key findings and proposed revisions. These materials will serve as the foundation for a follow-on effort to implement the recommended updates in a future version of the handbook.
In addition to the report and presentation, the project team will prepare a short executive briefing or summary deck to support communication and decision-making within the Council.
Membership
Project membership will include both government and industry participants under the ACT-IAC framework. Members should have experience or expertise relevant to federal cybersecurity leadership, including CISO operations, policy development, governance, and security program implementation.
Deadline to apply: December 12, 2025
This call for volunteers is now closed.
For questions, send an email to [email protected].