The Office of Management and Budget announced that agencies no longer need to do a three-year security reauthorization for information systems, Fierce Government IT reports.
Jeff Zients, OMB’s acting director, told agencies in a memo they should instead just enforce more frequent reporting of ongoing authorizations of information systems through continuous monitoring programs.
In the Oct. 2 memo, OMB said that agencies should submit monthly reports that follow the National Institute for Standards and Technology’s guide on applying a risk management framework to information systems.
Zients noted that small and micro agencies are not required to send the monthly reports but are encouraged to do so.
The reports should also follow FISMA reporting guidance and be submitted to CyberScope on the fifth day of every month, the memo said.
Agency chief information officers are required to respond to quarterly security posture questions, while inspectors general will do so annually.
Continuous monitoring was part of a proposed update to the Federal Information Systems Management Act passed in April.