NIST SP 800-137

From: FCW

By Derek B. Johnson

***

In an Oct. 25 memo, Mulvaney, the director of the Office of Management and Budget, lays down the law, saying, “agencies are solely responsible for the state of their cybersecurity posture and must work closely with DHS in order to accomplish CDM program goals at the agency level.”

The memo instructs agencies that they are responsible for setting up information sharing capabilities to connect to the federal dashboard established by DHS. They are also expected to be accountable for any security problems identified. If agencies want to buy or implement continuous monitoring capabilities outside of those offered through CDM DEFEND, the latest task order contract vehicle, they must first justify the decision to the program office, OMB and the federal CIO.

From: Nextgov

The new guidance also requires agencies to justify buying cyber monitoring tools that aren’t vetted by Homeland Security.

By Joseph Marks, Senior Correspondent

***

The guidance also expresses White House approval for Homeland Security’s Continuous Diagnostics and Mitigation program, or CDM, which offers suites of pre-vetted cybersecurity tools to federal agencies.

In the future, agencies that want to buy continuous cyber monitoring tools that are not authorized parts of the CDM program must first send memos justifying their decisions to the Homeland Security office that manages CDM and to the federal chief information officer, the guidance states.