The Office of Management and Budget (OMB) released its updated fiscal year 2019 guidance and deadlines for the Federal Information Security Modernization Act of 2014 (FISMA), containing similar deadlines and requirements to the prior year but featuring new language on using Continuous Diagnostics and Mitigation (CDM) vehicles for acquisitions of monitoring tools.
The report sets requirements for DHS, with the requirements based on the Office of the Director of National Intelligence’s Cyber Threat Framework. DHS must implement a solution that leverages threat intelligence, enables agencies to use the solution to prioritize cyber investments, and supports agencies in assessing their coverage of high value assets. ?
New to FY2019 guidance is a section that pushes agencies to use CDM acquisition vehicles. The guidance requires agencies to provide “sufficient justification” to purchase tools outside of CDM’s acquisition vehicles, which include CDM Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) and the General Services Administration’s IT Schedule 70. Justification for outside buys must be sent to the CDM program management office, the OMB resource management office, and the Federal CIO cybersecurity team. Agencies can continue using products already purchased outside of these contracts, as long as the agency can meet all reporting requirements to the Federal CDM Dashboard.
“CDM currently provides agencies with a cost-effective and efficient strategy for achieving government-wide information security continuous monitoring goals,” the memorandum states.
However, the door is not closed on tools that have not been approved for CDM use.
“Agencies are encouraged to provide the CDM PMO feedback on existing tools and input on additional tools that may prove valuable for current or future CDM acquisition vehicles,” the guidance states.
The memorandum also includes requirements for agencies to follow the Federal Cybersecurity Risk Determination Report and Action Plan released in May. OMB requires agency CISOs to develop an enterprise level Cybersecurity Operations Maturation Plan by April, to be sent to OMB and the Department of Homeland Security. The memorandum also requires agencies to complete security operation center consolidation by September 2020.
The report sets requirements for DHS, with the requirements based on the Office of the Director of National Intelligence’s Cyber Threat Framework. DHS must implement a solution that leverages threat intelligence, enables agencies to use the solution to prioritize cyber investments, and supports agencies in assessing their coverage of high value assets. ?