In updated guidance for the Federal Information Security Modernization Act (FISMA) released Friday, the Office of Management and Budget sets forth new requirements for federal agencies’ participation in the Continuous Diagnostics and Mitigation program.
The fiscal 2019 guidance for FISMA reporting is much of the same from years past. However, in a new section, it mandates that federal agencies of all sizes share information with the Department of Homeland Security’s governmentwide CDM dashboard and that going forward, they must provide “sufficient justification” to buy non-CDM continuous monitoring tools.
CDM is a DHS cybersecurity program that provides agencies with the tools to monitor suspicious activity on their networks in near real-time.
“Both CFO and non-CFO Act agencies shall establish the information exchange between their respective agency dashboards and the Federal Dashboard according to the timeline set forth by the CDM PMO,” says the guidance signed by OMB Director Mick Mulvaney.
It doesn’t lay out exactly what information agencies must share but says that DHS will “specify the data attributes agencies are required to supply to the Federal Dashboard in the CDM Technical Requirements Document, and will circulate updates to the document by Q3 of each Fiscal Year.”
With the new guidance, agencies are now prohibited from shopping for continuing monitoring tools outside of the CDM acquisition vehicles — CDM DEFEND and the General Services Administration’s IT Schedule 70 CDM Tools special item number — without a valid reason.
“Prior to purchasing these tools, a justification memorandum must be sent from the agency CISO to the CDM PMO, the respective OMB Resource Management Office (RMO), and the Office of the Federal Chief Information Officer (OFCIO) Cybersecurity Team,” the guidance says.
Agencies, however, can continue using their existing non-CDM continuous monitoring tools, the guidance says. But, they “will need to ensure the agency meets all CDM reporting requirements to the Federal Dashboard” and “are encouraged to provide the CDM PMO feedback on existing tools and input on additional tools that may prove valuable for current or future CDM acquisition vehicles.”
Ultimately, it says, “agencies retain sole responsibility to respond to risks identified through the CDM program and/or its agency’s dashboard.”
Finally, the new guidance puts the onus on agencies, after two years of help from DHS, to fund their CDM implementations. “Agencies are then responsible for funding long-term operations and maintenance (e.g., licensing costs) of their CDM-related tools and capabilities.”
DHS’s CDM program management office will handle the license and maintenance of the base year and first option year of operation, but then it’s up to agencies to figure it out.
To ensure agencies don’t let DHS’s work dwindle when it hands funding responsibility over, OMB requires agencies to submit “CDM-specific line items” in their fiscal 2021 budget proposals and beyond.
This year has been a big one for the CDM program. DHS has awarded a number of massive contracts under the DEFEND vehicle. Earlier this month, the program also reached a milestone with all 23 CFO Act agencies — minus the Department of Defense, which doesn’t participate —feeding into DHS’s federal dashboard.
In addition to CDM requirements, OMB’s guidance also mandates agencies’ consolidation of security operations centers and directs agencies to implement the Director of National Intelligence’s Cyber Threat Framework.