Agency cybersecurity practices should move beyond the three year cycle of system authorizations into a state of continuous monitoring of security control implementation by the end of fiscal 2017, says a Nov. 18 memo from the Office of Management and Budget.
The General Services Administration, working on behalf of the Homeland Security Department's continuous diagnostics and mitigation program, unveiled Aug. 12 a blanket purchase agreement for continuous monitoring as a service. CMaaS, as it's being called by GSA, will be offered as a variety of related products and services at various price points.
Significant deficiencies in configuration management and identity management pervaded Veterans Affairs Department information technology during the last fiscal year, says an audit commissioned by the department's office of inspector general.
Weaknesses in Social Security Administration cybersecurity during the last fiscal year collectively amounted to a significant deficiency, says the agency's office of inspector general. The auditors also base their finding of a significant deficiency on a financial auditor's discovery of a material weakness in agency financial systems.
In an annual assessment (.pdf) dated Oct. 24 of the DHS information security program required under the Federal Information Security Management Act, auditors note several areas where DHS has yet to fully automate matters, including the tracking of network devices, external connections and software applications.
The Office of Management and Budget has "ample legal authority to adopt reforms," say the authors of the report (.pdf), who include former OMB executives, among them Karen Evans, who held the equivalent of the federal chief information officer position during much of the Bush administration, and cybersecurity experts including James Andrew Lewis of CSIS.
The Office of Management and Budget says agencies no longer need to conduct a security reauthorization every 3 years or when an information system has undergone what it considers a significant change under OMB Circular A-130. Agencies' continuous monitoring programs fulfill the security reauthorization requirement, making a separate reauthorization process unnecessary, according to an Oct. 2 OMB memo.
The department says it wants to spend about $200 million in the coming fiscal year, the first year of a three-year program to provide cybersecurity tools to federal agencies, including installation of continuous monitoring sensors that will look for unauthorized hardware and software, conduct configuration and vulnerability management and deploy anti-virus measures.
Continuous monitoring is employed at the Commerce Department in "pockets," but that will soon change now that the department has a departmentwide strategy, said Simon Szykman, chief information officer of DOC.
A bill set for consideration on the House floor this week that would amend FISMA to explicitly include continuous monitoring would cost $710 million over 5 years, says CBO.