As with any discussion about cybersecurity, let’s start with the good news.
The Office of Management and Budget continues to live up to its promise to keep new requirements under the Federal Information Security Management Act (FISMA) to a minimum, so that measurements stay consistent from year to year.
The latest memo from OMB Director Russ Vought outlining requirements for fiscal 2021 is exactly the same as the 2019-2020 memo except for a section about the continuous diagnostics and mitigation (CDM) program.
“At a minimum, Chief Financial Officer (CFO) Act agencies must update their CIO metrics quarterly and non-CFO Act agencies must update their CIO metrics on a semiannual basis,” Vought wrote. “Reflecting the administration’s shift from compliance to risk management, as well as the guidance and requirements outlined in OMB Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program, and Binding Operational Directive 18-02, Securing High Value Assets, CIO metrics are not limited to assessments and capabilities within National Institute of…