FISMA and Continuous Monitoring
October 10, 2012 at 10:32 am #170783
FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
The attached memorandum provides instructions for meeting your agency’s FY 2012 reporting requirements under the Federal Information Security Management Act of 2002 (FISMA) (Title III, Pub. L. No. 107-347). It also includes reporting instructions on your agency’s privacy management program.
This year, agencies have continued to focus on implementing the Administration’s three cybersecurity priorities established in fiscal year (FY) 2011: 1) Continuous Monitoring; 2) Trusted Internet Connection capabilities and traffic consolidation; and 3) strong authentication using HSPD-12 Personal Identity Verification cards for logical access. These priorities focus Federal agency efforts to identify who is on their networks, what is on their networks and when network security posture changes, and what is entering and exiting their networks. The FY 2012 FISMA metrics issued by the Department of Homeland Security established minimum and target levels of performance for these priorities, as well as metrics for other key performance areas.
As discussed in OMB Memorandum 10-28, “Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS),” DHS is exercising primary responsibility within the Executive Branch for the operational aspects of Federal agency cybersecurity with respect to the Federal information systems that fall within FISMA under 44 U.S.C. §3543. As stated in previous FISMA guidance, agencies are required to adhere to DHS direction to report data through CyberScope.
I ask for your help in overseeing your agency’s implementation of the reporting guidance outlined in the attachments.
October 10, 2012 at 10:35 am #170786
Commentary and additional information from FierceGovernment IT:
OMB waives 3-year security reauthorization in favor of continuous monitoring
October 8, 2012 | By Molly Bernhart Walker
The Office of Management and Budget says agencies no longer need to conduct a security reauthorization every 3 years or when an information system has undergone what it considers a significant change under OMB Circular A-130. Agencies’ continuous monitoring programs fulfill the security reauthorization requirement, making a separate reauthorization process unnecessary, according to OMB’s yearly guidance on reporting requirements under the Federal Information Security Management Act.
“Rather than enforcing a static, 3-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs,” says an Oct. 2 memo (.pdf) from Jeffrey Zients, deputy director for management at the Office of Management and Budget.
Alan Paller, director of research at the SANS Institute, notes that the change only requires more–and more frequent–reporting, but not better reporting. The policy change does not encourage instantaneous reporting. It also does nothing to actually improve security, as reporting is channeled to CyberScope and not through IT administrators who can secure systems dynamically, he says.