Reports that major federal departments are refusing to participate in a Homeland Security Department-led contract for continuous monitoring tools are untrue, said a DHS official Tuesday.
A paper co-authored by a former government executive who occupied the position now known as the federal chief information officer recommends greater integration of cybersecurity efforts with federal cloud adoption.
Components of the Homeland Security Department continue to have weak cybersecurity practices, particularly with the security authorization process, the departmental inspector general says.
Agency cybersecurity practices should move beyond the three-year cycle of system authorizations into a state of continuous monitoring of security control implementation by the end of fiscal 2017, says a Nov. 18 memo from the Office of Management and Budget.
The General Services Administration, working on behalf of the Homeland Security Department's continuous diagnostics and mitigation program, unveiled Aug. 12 a blanket purchase agreement for continuous monitoring as a service. CMaaS, as it's being called by GSA, will be offered as a variety of related products and services at various price points.
Significant deficiencies in configuration management and identity management pervaded Veterans Affairs Department information technology during the last fiscal year, says an audit commissioned by the department's office of inspector general.
Weaknesses in Social Security Administration cybersecurity during the last fiscal year collectively amounted to a significant deficiency, says the agency's office of inspector general. The IG also bases its finding of a significant deficiency on a financial auditor's discovery of a material weakness in agency financial systems.
In an annual assessment (.pdf) dated Oct. 24 of the DHS information security program required under the Federal Information Security Management Act, auditors note several areas that DHS has yet to fully automate, including the tracking of network devices, external connections and software applications.
The Office of Management and Budget has "ample legal authority to adopt reforms," say the authors of the report (.pdf), who include former OMB executives such as Karen Evans, who held the position equivalent to federal chief information officer during much of the Bush administration, and cybersecurity experts such as James Andrew Lewis of CSIS.
The Office of Management and Budget says agencies no longer need to conduct a security reauthorization every 3 years or when an information system has undergone what it considers a significant change under OMB Circular A-130. Agencies' continuous monitoring programs fulfill the security reauthorization requirement, making a separate reauthorization process unnecessary, according to an Oct. 2 OMB memo.