Federal Manager's Daily Report

OMB has issued a memo providing agencies with guidance for managing information security risk on a continuous basis and building on efforts toward achieving a cybersecurity cross-agency priority goal.

Agencies are required to implement continuous monitoring of security controls as part of a phased approach running through fiscal 2017. GSA established a blanket purchase agreement (BPA) in August through which agencies can acquire a consistent, government-wide set of information security continuous monitoring (ISCM) tools. OMB wants agencies to use that BPA as much as possible to enhance the federal government's ability to identify and respond, in real time or near real time, to the risk of emerging cyber threats.

To fully implement ISCM across government, the memo directs agencies to take the following steps:

Develop and maintain an ISCM strategy and program that provides a clear understanding of organizational risk, helps officials set priorities and manage risk consistently, and addresses how the agency will conduct ongoing authorizations of information systems and the environments in which they operate;

Establish plans in coordination with DHS to implement an agency ISCM program;

Standardize the requirements to establish ISCM as an agency-wide solution rather than a more fragmented approach;

Establish plans to migrate to the GSA BPA as contract terms expire;

Submit specified security-related information to the federal ISCM dashboard maintained by DHS;

Evaluate and upgrade information systems and deploy new products, as needed, including agency and component ISCM dashboards early in 2014;

Require that external service providers hosting federal information meet federal information security requirements for ISCM (including FedRAMP requirements for cloud computing);

Ensure adequate staff and training to meet the objectives of the ISCM program by April 30.