OMB reemphasizes move to continuous monitoring in FISMA guidance
Thursday - 10/4/2012, 3:48pm EDT
The Homeland Security Department detailed the requirements for continuous monitoring in June, and now OMB is ensuring agencies move away from reviewing their systems every three years as has been the case for the last decade.
Acting OMB Director Jeff Zients issued the annual Federal Information Security Management Act (FISMA) guidance to agencies Oct. 2 detailing the updated requirements.
OMB seems to have changed little in the 2012 reporting guidance, which is based on Feb. 2012 FISMA metrics from DHS.
"These priorities focus federal agency efforts to identify who is on their networks, what is on their networks and when network security posture changes, and what is entering and exiting on their networks," Zients wrote to agency secretaries. "The FY 2012 FISMA metrics issued by the Department of Homeland Security established minimum and target levels of performance for these priorities, as well as metrics for other key performance areas."
The guidance includes 57 questions and answers addressing everything from testing and training to contractor monitoring and controls.
OMB still wants agencies to report their annual FISMA data through the Cyberscope tool by Nov. 15 and to submit metrics for the first three quarters of 2013 by the 15th of January, April and July.
In addition to the typical FISMA progress report, OMB wants agencies to provide their:
- Breach notification policy if it has changed since last year.
- Progress update on eliminating unnecessary use of Social Security numbers.
- Progress update on the review and reduction of retaining unnecessary personally identifiable information.
"Continuous monitoring programs thus fulfill the three-year security reauthorization requirement, so a separate re-authorization process is not necessary," the guidance stated. "Agencies should develop and implement continuous monitoring strategies for all information systems which address all security controls implemented, including the frequency and degree of rigor associated with the monitoring process. Continuous monitoring strategies should also include all common controls inherited by organizational information systems."
In addition to not having to authorize systems every three years, OMB told agencies that they don't have to report every significant deficiency in their FISMA reports.
"[A]gencies must maintain all documentation supporting a finding of a significant deficiency and make it available in a timely manner upon request by OMB or other oversight authorities," the guidance stated. "FISMA requires agencies to report a significant deficiency as a material weakness under the Federal Managers' Financial Integrity Act and as an instance of a lack of substantial compliance under FFMIA, if related to financial management systems."
Additionally, OMB clarified that FISMA does apply to mobile devices and cloud-as-a-service options.
"We encourage agencies to seek out and leverage private sector, market-driven solutions resulting in cost savings and performance improvements — provided agency information is protected to the degree required by FISMA, FISMA implementation standards, and associated policy and guidance. As with other contractor services and relationships, agencies should include these software solutions and subscriptions as they complete their annual security reviews," the guidance stated.