The Office of Management and Budget has issued updated guidance that outlines new Continuous Diagnostics and Mitigation program requirements for agencies to comply with the Federal Information Security Modernization Act of 2014, FedScoop reported Friday.
The memo now directs agencies to submit justification should they choose to buy continuous monitoring tools and capabilities outside of the General Services Administration’s IT Schedule 70 CDM tools special item number, CDM Dynamic and Evolving Federal Enterprise Network Defense and other contract vehicles.
The justification should be submitted to the CDM program management office at the Department of Homeland Security, the OMB resource management office and the federal chief information officer’s cyber team, according to the document signed by OMB Director Mick Mulvaney.
Under the guidance, the CDM PMO will pay for licensing and maintenance costs of agencies’ cyber tools under the program’s one-year base term and first option year.
After the two-year period, agencies will be asked to fund the maintenance and operation of their CDM capabilities.
The memo requires agencies to include CDM-specific line items in their budget plans for fiscal 2021 and beyond.
The document also covers the deployment of a federal dashboard to facilitate sharing of cyber threat data among agencies; FISMA reporting requirements and deadlines; and implementation of the Federal Cybersecurity Risk Determination Report and Action Plan.