The Office of Management and Budget is drafting a memo to come out by the end of the year that will give agencies greater flexibility when it comes to monitoring and authorizing information systems as secure, according to agency officials.
The memo will allow agencies to move away from having to reauthorize an information system every three years as mandated by the Federal Information Security Management Act, according to Ron Ross, senior computer scientist at the National Institute of Standards and Technology.
Instead, continuous monitoring will allow agencies to spend time and resources where they are most needed to authorize programs in a timely manner, Ross said Wednesday at the Cyber Security Brainstorm in Washington hosted by public-private partnership Meritalk.
“Our organizations are going to be empowered like never before,” Ross said.
The memo will update OMB Circular A-130, which was first crafted in 1980 to help agencies manage information resources, and it will build on an Oct. 2 OMB memo that encouraged agencies to develop continuous monitoring programs.
Jeff Eisensmith, chief information security officer at the Department of Homeland Security, said he hopes any new memo will give agency managers the flexibility to manage risk and send resources where they think they are needed instead of having to focus on all information systems equally.
“As an executive I should have the power and authority and freedom to make a risk-based decision to focus where I need to and to defocus where I need to,” he said. “That is what I hope is coming in the rewrite of A-130.”