Adopting a risk management framework for federal agency cybersecurity


Every day, sophisticated adversaries challenge the digital defenses of federal IT systems and networks. To safeguard critical infrastructure and national security, federal agencies need to adopt a risk management framework for cybersecurity that efficiently identifies, prioritizes and mitigates cyber risks.

The pivot to a more risk management-based approach to cybersecurity will align the federal government with broader industry initiatives to focus on risk tolerance. To that end, the Office of Management and Budget, or OMB, continues a shift away from an emphasis on compliance in favor of risk management.

FISMA compliance

The OMB released FY 2024 guidance and requirements (memo M-24-04) for agencies that report Federal Information Security Modernization Act, or FISMA, information. The guidance tells agencies how to start zero-trust programs, how to make Continuous Diagnostics and Mitigation tools easier to use and more visible, and how to allow automated reporting of more metrics even when full automation is not available. OMB is directing agencies to focus and prioritize their limited resources on collection efforts for data elements that provide critical insight into their security…
