Agencies have until fiscal 2017 to implement continuous monitoring of information systems, according to guidance released Monday by the Office of Management and Budget.
Sylvia Burwell, director of OMB, said in a memo to agency executives that continuous monitoring of systems will help agencies maintain an ongoing awareness of their security and vulnerabilities instead of relying on periodic security assessments.
“Rather than enforcing a static, point-in-time re-authorization process, agencies shall conduct ongoing authorizations of their information systems and environments in which those systems operate, including common controls, through the implementation of their risk management programs,” Burwell said.
She also said agencies will need to develop an information security continuous monitoring (ISCM) strategy to help identify what they will need to do to respond to cyber threats in real time. By April 30, agencies are required to identify specific individuals to manage those programs.
Burwell also said agency inspectors general will monitor agencies for compliance with the deadlines and will identify whether agencies have the tools in place to engage in continuous monitoring of systems.