The National Institute of Standards and Technology has released guidance for federal agencies transitioning to ongoing authorization as part of the Office of Management and Budget’s information system continuous monitoring requirement, Federal News Radio reported Friday.
The guide supplements OMB’s 2013 memo on ISCM, a systems and data security approach all agencies are required to implement by 2017, writes Stephanie Wasko.
The office tasked NIST with establishing the process and criteria for the information system authorization upgrade, including metrics to assess security controls, reporting of identified threats and vulnerabilities, and authorization frequency.
The ISCM process must have “the appropriate rigor and assessment frequencies to support the organization’s mission/business requirements, risk tolerance and security categorization,” NIST said, according to the report.
Wasko writes that the guidance also distinguishes between time-driven and event-driven frequencies for assessing risk, both of which require the authorization officer to review the gathered information and adjust the ISCM process if needed.
Overall, NIST recommends a gradual transition to ongoing authorization, which it expects to help make “risk-based decision-making” more timely and efficient, the report said.