From: GCN
By William Jackson
Agencies will have to up their cybersecurity games under a recent memo from the Office of Management and Budget that requires formal plans for Information Security Continuous Monitoring (ISCM) by Feb. 28.
OMB Memo M-14-03, Enhancing the Security of Federal Information and Information Systems, released in November, includes requirements to move to standardized technology and the use of automated feeds to a yet-to-be-developed dashboard for showing the status of government IT systems.
The focus on continuous monitoring — or continuous diagnostics and mitigation, or continuous measurement and management — is not new in government. But the latest guidelines introduce new elements, says Patrick Howard of Kratos Defense and Security Solutions.
“I’m sure most agencies have a documented plan in place,” said Howard, formerly chief information security officer at the Nuclear Regulatory Commission and the Department of Housing and Urban Development. “But they need to look at it again in light of these new requirements.”
Fully continuous monitoring of federal IT systems is an ideal that is unlikely to be realized because of the complexity of real-time scanning of all aspects of system security. Nor is such monitoring necessary for every element. But the trend in government is to shrink the period of security assessments from years to months, days or even hours where appropriate.
Leave a Reply