OMB Promotes Continuous Monitoring
Deadlines Set for Agencies to Strengthen Cybersecurity
The White House is intensifying its effort to get federal agencies to adopt continuous monitoring and move away from the paper-based checklist compliance they've followed for a decade under the Federal Information Security Management Act.
On Nov. 18, Sylvia Burwell, the director of the Office of Management and Budget, issued a memorandum, Enhancing the Security of Federal Information and Information Systems, which instructs executive-branch agencies on managing information security risk on a continuous basis.
"All strategies must address the agencies' plans for transitioning to and maintaining consistency with federal information security policies, standards and guidelines," Burwell says in the memo.
For most of the past decade, OMB had required agencies to follow a time-consuming checklist process every three years to authorize the security of their IT systems. But with the growing sophistication of continuous monitoring tools and processes, OMB is migrating agencies to what the administration calls continuous diagnostics and mitigation to assure the security of government IT systems.
Burwell's memo builds on 2011 National Institute of Standards and Technology guidelines, Special Publication 800-173, to put in place a framework to manage information security risk continuously.
Emphasizing Risk Management
"Rather than enforcing a static, point-in-time reauthorization process, agencies shall conduct ongoing authorizations of their information systems and environments in which those systems operate, including common controls, through the implementation of their risk management programs," Burwell says.
OMB is requiring agencies to work with the Department of Homeland Security to implement information security continuous monitoring programs that provide a clear understanding of organizational risk and address how they will conduct continuous authorization of information systems, including the use of common security controls.
John Streufert, director of federal network resilience within the National Protection and Programs Directorate at DHS, says the transition to continuous monitoring won't be immediate. "You're seeing the beginning of the change, and it probably will take some time as we move through the very large numbers of systems that the government currently manages where these new methods could be applied," Streufert says in an interview with Information Security Media Group (see Feds Tackle Continuous Monitoring).
OMB set Feb. 28 as the deadline for agencies to develop a continuous monitoring strategy. By April 30, agencies must identify the resources, skills and individuals needed to manage their continuous monitoring programs. By May 30, agencies also must deploy continuous monitoring products and support and meet all federal security requirements.
The OMB memo also calls on agencies to establish plans to migrate to the General Services Administration's blanket purchase agreement to acquire IT wares as previous acquisition contracts expire.
In July, the government announced a $6 billion DHS initiative, to be administered by GSA, to help agencies acquire discounted hardware, software and services for assessing risk from 17 approved vendors (see $6 Billion DHS IT Security Plan Advances).
"Many of the chief information security officers and CIOs appreciate the fact that Congress has set aside money ... to buy the tools that they currently don't have," Streufert says. "The fact that the contract arrangements are in place that can allow them savings to buy the tools ... at discounted prices [is] all very good news to the CISOs and CIOs."