Categories: FEDweek IT

OMB Issues Guidance on Information Security Risk Management

OMB has issued guidance for managing information security risk on a continuous basis, as part of the wider Cybersecurity Cross-Agency Priority (CAP) goal.

The guidance requires agencies to implement continuous monitoring of security controls. That will be facilitated in part through a blanket purchase agreement (BPA) for information security continuous monitoring (ISCM) tools that GSA established in August, in consultation with DHS.

According to the guidance (OMB memorandum M-14-03), agencies must take the following steps to fully implement continuous monitoring:

– Develop and maintain an ISCM strategy and program that provides a clear understanding of organizational risk, helps officials set priorities and manage risk consistently, and addresses how the agency will conduct ongoing authorizations of information systems and the environments in which they operate;

– Establish plans in coordination with DHS to implement an agency ISCM program;

– Standardize the requirements to establish ISCM as an agency-wide solution as opposed to a fragmented approach across components and programs;

– Establish plans to migrate to the GSA BPA as existing contract terms expire;

– Submit security-related information to the federal ISCM dashboard maintained by DHS;

– Require that external service providers hosting federal information meet federal information security requirements for ISCM (including FedRAMP requirements for cloud computing);

– Upgrade and deploy systems for continuous monitoring, and ensure sufficient personnel are in place to carry out requirements (see below).
