OMB sets 2017 as deadline to move to dynamic cybersecurity

From: FederalNewsRadio.com

By Jason Miller

The Office of Management and Budget is giving agencies the playbook to move to a dynamic, proactive cybersecurity environment after more than a decade of reacting to threats and vulnerabilities.

More than a year after making continuous diagnostics and monitoring (CDM) the new standard by which agencies should secure their systems, OMB issued a memo late Monday outlining specific deadlines they must meet to implement what many believe is a better approach to cybersecurity.

The Homeland Security Department, which is leading the operations effort, issued a new policy calling for agencies to move to CDM in June 2012. Since then, DHS and OMB have been putting the pieces in place for agencies to move to dynamic cybersecurity on a full-time basis.

“The requirement to manage information security risk on a continuous basis includes the requirement to monitor the security controls in federal information systems and the environments in which those systems operate on an ongoing basis - one of six steps in the National Institute of Standards and Technology (NIST) Risk Management Framework,” wrote Sylvia Burwell, OMB director, in the memo to agency heads. “This allows agencies to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”

3 years to full implementation

Burwell said agencies will undertake a phased approach to fully implement what OMB is now calling information security continuous monitoring (ISCM), instead of continuous diagnostics and monitoring, by 2017. Many expected OMB to issue this memo earlier in the fall, but Burwell pulled the memo back in late September to clarify which systems will be continuously monitored.

In the memo, agencies are required to develop an ISCM strategy by Feb. 28, addressing “all security controls selected and implemented by agencies, including the frequency of and degree of rigor associated with the monitoring process.”
