OMB Waves Triennial Security Reauthorization Rule
Continuous Monitoring Programs Will Fulfill FISMA Requirement

Federal departments and agencies that continuously monitor their IT systems no longer will be required to seek security reauthorization every three years as provided for in an Office of Management and Budget circular.
In a memo to agency and departmental heads, dated Oct. 2, Office of Management and Budget Deputy Director for Management Jeffrey Zients said agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs rather than enforcing a static, three-year reauthorization process.
"Continuous monitoring programs thus fulfill the three-year security reauthorization requirement, so a separate reauthorization process is not necessary," Zients said.
According to OMB, agency officials should monitor the security state of their information systems on a continuous basis with a frequency sufficient to make ongoing risk-based decisions on whether to continue to operate the systems within their organizations. OMB says continuous monitoring programs and strategies should:
- Establish metrics to be monitored;
- Institute frequent schedules for monitoring/assessments;
- Develop continuing security control assessments to determine the effectiveness of deployed security controls;
- Monitor ongoing security status;
- Correlate and analyze security-related information generated by assessments and monitoring;
- Take response actions to address the results of the analysis; and
- Report on the security status of the organization and information system to senior managers consistent with guidance in the National Institute of Standards and Technology Special Publication 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations [see Continuous Monitoring Guidance Issued].
Agencies will be required to report the security state of their information systems and results of their ongoing authorizations through the automated reporting tool CyberScope [see OMB: Agencies Must File Monthly Infosec Reports] in accordance with the data feeds defined by the Department of Homeland Security.
"These priorities focus federal agency efforts to identify who is on their networks, what is on their networks and when network security posture changes and what is entering and exiting on their networks," Zients said.
Correction: An earlier version of this story incorrectly stated that the three-year re-authorization of IT systems security was a requirement of the Federal Information Security Management Act. The requirement for three-year re-authorization comes from a 2000 OMB-issued instruction known as a circular.