The latest FISMA guidance sets a new deadline for agencies to report most of their IT systems through CISA's CDM program.
The White House has set a deadline for agencies to track most of their IT systems through the Continuous Diagnostics and Mitigation program, as new guidance continues a shift toward using automation to track cyber metrics across government.
The Office of Management and Budget released the fiscal 2023 Federal Information Security Modernization Act (FISMA) guidance on Dec. 2. The memo comes as Congress is still considering the first big update to FISMA in nearly a decade.
The latest guidance, picking up on a theme from last year’s FISMA memo, continues to shift agencies away from manual reporting.
The memo directs agencies to report at least 80% of their government-owned IT systems through the Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation (CDM) program by the end of fiscal 2023.
The FISMA memo follows on an October binding operational directive from CISA that directs agencies to routinely scan their networks for both assets and vulnerabilities, with an emphasis on using CDM.
The CDM program provides agencies with tools for monitoring their IT assets, users and activities, including automated capabilities for identifying systems. The program also provides agencies with a dashboard for tracking IT data and feeds that data into a “Federal Dashboard” that gives CISA and OMB visibility across agency networks.
“Even where full automation is not yet achievable, this memorandum requires CISA to provide performance and incident data to OMB in an automated manner and machine-readable format,” the FISMA memo states. “Collecting and reviewing data consumes time that could be spent on security outcomes. OMB intends for agencies to collect only data that provides critical insight into their security stance.”
The memo also directs agencies to “provide data on assets in an automated manner to the maximum extent feasible.”
Meanwhile, CISA and a newly formed “FISMA Metrics Subcommittee,” situated under the federal chief information security council, will work with OMB to “identify future metrics on automation” for next year and beyond, the memo continues.
“Fully automated identification of certain assets through CDM may not be feasible,” the memo states, adding that those systems can still be reported through the Department of Homeland Security’s CyberScope website.
Agencies should also be on the lookout for a list of software categories that meet the definition of “critical software.” CISA will provide that list to agencies by Jan. 15, according to OMB’s memo. “CISA will include examples of software products in each category so that FISMA reporting on this metric remains consistent,” it adds.
OMB also highlights how it will align FISMA metrics with zero trust architecture to help measure agency progress toward the goals outlined in the federal zero trust strategy.
“The Federal Government no longer considers any Federal system or network to be ‘trusted’ unless that confidence is justified by clear data; this means internal traffic and data must be considered at risk,” the memo states. “Historically, FISMA metrics have not focused enough on defense measures beyond the perimeter. Because modern cyber threat campaigns have continued to find success in breaching perimeters, it is essential to evaluate cybersecurity measures throughout the entire ecosystem.”
CISA is also updating the CDM program to align with zero trust principles.
Ross Nodurft, the former chief of OMB’s cyber team and current executive director at the Alliance for Digital Innovation, applauded OMB’s focus on zero trust and increased automation through the CDM program.
“Specifically, ADI supports OMB’s efforts to drive zero trust implementation and IT modernization across agencies through its metrics,” Nodurft told Federal News Network. “Additionally, ADI appreciates the FISMA metrics’ emphasis on outcome-focused data as well as its alignment with other programs including CISA’s CDM program. As OMB continues to push for modern, secure architectures and environments at agencies, ADI urges the administration to ask Congress for the necessary resources to meet the numerous policy requirements that will be measured by the fiscal 2023 FISMA metrics.”
Copyright © 2024 Federal News Network. All rights reserved.