OMB waives 3-year security reauthorization in favor of continuous monitoring
The Office of Management and Budget says agencies no longer need to reauthorize the security of an information system every 3 years, or whenever a system undergoes what OMB Circular A-130 considers a significant change. An agency's continuous monitoring program now fulfills the reauthorization requirement, making a separate reauthorization process unnecessary, according to OMB's yearly guidance on reporting requirements under the Federal Information Security Management Act (FISMA).
"Rather than enforcing a static, 3-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs," says an Oct. 2 memo (.pdf) from Jeffrey Zients, deputy director for management at the Office of Management and Budget.
Alan Paller, director of research at the SANS Institute, notes that the change only requires more--and more frequent--reporting, but not better reporting. The policy change does not encourage instantaneous reporting. It also does nothing to actually improve security, as reporting is channeled to CyberScope and not through IT administrators who can secure systems dynamically, he says.
Agency continuous monitoring efforts should follow the guidance laid out in the National Institute of Standards and Technology's Special Publication 800-37 (.pdf) and NIST SP 800-137 (.pdf), says the memo. Under the fiscal 2012 FISMA reporting guidance, agencies are also required to report on these ongoing authorizations through CyberScope data feeds.
Reporting through data feeds means agencies must submit information security data to CyberScope by close of business on the fifth day of each month, according to the memo. "Small and micro agencies are not required to submit monthly reports, although they are highly encouraged to do so," adds Zients.
Agency chief information officers are also required to respond quarterly to security posture questions in CyberScope, while inspectors general and privacy officials must respond annually, says the OMB memo. The questions are designed to assess how security is implemented and to measure its effectiveness, it adds. The Homeland Security Department then assesses each response and, where it finds deficiencies, asks the agency to complete a plan of action for improving its cybersecurity capabilities, says Zients.
Rather than submit separate fourth-quarter responses, agencies can fold the last quarter's report into their comprehensive end-of-year CyberScope report, says OMB. Annual fiscal 2012 FISMA reports are due through CyberScope on Nov. 15, 2012, adds the memo.
The memo--which includes a 26-page attachment with 57 "frequently asked questions" on FISMA reporting requirements--also addresses emerging technology. It encourages agencies to adopt cloud technology under software as a service, platform as a service and infrastructure as a service models, but to make sure appropriate security controls are implemented, tested and reviewed.
Cloud-computing solutions are encouraged, "provided agency information is protected to the degree required by FISMA, FISMA implementation standards, and associated policy and guidance," adds the memo.
Smartphones and tablets are held to the same federal requirements for data protection and remote access as other technologies, OMB reminds agencies.
- download the memo (.pdf)