The Office of Management and Budget is reemphasizing that agencies must reauthorize the security of all their systems at least annually, if not on a continual basis.
The Homeland Security Department detailed the requirements for continuous monitoring in June, and now OMB is ensuring agencies move away from reviewing their systems every three years as has been the case for the last decade.
Acting OMB Director Jeff Zients issued the annual Federal Information Security Management Act (FISMA) guidance to agencies Oct. 2 detailing the updated requirements.
OMB seems to have changed little in the 2012 reporting guidance, which is based on Feb. 2012 FISMA metrics from DHS.
“These priorities focus federal agency efforts to identity who is on their networks, what is on their networks and when network security posture changes, and what is entering and existing on their networks,” Zients wrote to agency secretaries. “The FY 2012 FISMA metrics issued by the Department of Homeland Security established minimum and target levels of performance for these priorities, as well as metrics for other key performance areas.”
The guidance includes 57 questions and answers addressing everything from testing and training to contractor monitoring and controls.
OMB still wants agencies to report their annual FISMA data through the Cyberscope tool by Nov. 15 and to submit metrics for the first three quarters of 2013 by the 15th of January, April and July.
In addition to the typical FISMA progress report, OMB wants agencies to provide their:
Breach notification policy if it has changed since last year.
Progress update on eliminating unnecessary use of Social Security numbers.
Progress update on the review and reduction of retaining unnecessary personally identifiable information.
The reemphasis on continuous monitoring in the FISMA guidance follows the National Institute of Standards and Technology’s Special Publication 800-37, which focuses on helping agencies use a risk-based approach to cybersecurity.
“Continuous monitoring programs thus fulfill the three-year security reauthorization requirement, so a separate re-authorization process is not necessary,” the guidance stated. “Agencies should develop and implement continuous monitoring strategies for all information systems which address all security controls implemented, including the frequency and degree of rigor associated with the monitoring process. Continuous monitoring strategies should also include all common controls inherited by organizational information systems.”
In addition to not having to authorize systems every three years, OMB told agencies that they don’t have to report every significant deficiency in their FISMA reports.
“[A] gencies must maintain all documentation supporting a finding of a significant deficiency and make it available in a timely manner upon request by OMB or other oversight authorities,” the guidance stated. “FISMA requires agencies to report a significant deficiency as a material weakness under the Federal Managers Financial Integrity Act and as an instance of a lack of substantial compliance under FFMIA, if related to financial management systems.”
Additionally, OMB clarified FISMA does apply to mobile devices and cloud-as-a-service options.
“We encourage agencies to seek out and leverage private sector, market-driven solutions resulting in cost savings and performance improvements — provided agency information is protected to the degree required by FISMA, FISMA implementation standards, and associated policy and guidance. As with other contractor services and relationships, agencies should include these software solutions and subscriptions as they complete their annual security reviews,” the guidance stated.