New FISMA Regs Roll Back Three-Year Reauthorizations

The Obama administration has rescinded a much-maligned, paper-intensive requirement that agencies test the security controls on computer systems every three years or when upgraded.

This year, the annual instructions for complying with the 2002 Federal Information Security Management Act, or FISMA, say that new governmentwide procedures for automatically testing and tracking security, called continuous monitoring, fulfill the antiquated three-year reauthorization policy. So, chief information officers can skip that lengthy, expensive step this fall when they report to Congress on fiscal 2011 cyber incidents.

Here's a snippet from the Sept. 14 FAQ:

"Is a security reauthorization still required every 3 years or when an information system has undergone significant change as stated in OMB Circular A-130? No.

Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs. Continuous monitoring programs thus fulfill the three year security reauthorization requirement, so a separate re-authorization process is not necessary."

CIOs, you may rejoice.

All you have to do is install software and sensors that can execute the following:

"Continuous monitoring programs and strategies should address: (i) the effectiveness of deployed security controls; (ii) changes to information systems and the environments in which those systems operate; and (iii) compliance to federal legislation, directives, policies, standards, and guidance with regard to information security and risk management. Agencies will be required to report the security state of their information systems and results of their ongoing authorizations through [the data collection application] CyberScope in accordance with the data feeds defined by DHS."