The Office of Management and Budget released its updated guidance for complying with the Federal Information Security Modernization Act of 2014 (FISMA), setting the timeline for Federal agencies to assess their cybersecurity posture.
The guidance, dated November 19 and addressed to agency leaders, notes that FISMA audits will be required by October 31, 2020, and annual FISMA reports must be submitted to Congress by March 2, 2020.
“Agency heads must maintain awareness of their agency’s information security programs and direct CIOs and Chief Information Security Officers to implement appropriate security measures and, where necessary, take remedial actions to address known vulnerabilities and threats,” the memo states.
Outside of the changed dates, the memo does not differ much from the Fiscal Year 2018 memo, making few substantive policy changes. The memo sets the same seven-day reporting requirement for major incidents for inspectors general and congressional committees, requires agency heads to sign off on FISMA reporting, and defines major incidents.
The FY2020 memo continues its emphasis on the Continuous Diagnostics and Mitigation (CDM) program, requiring agencies to acquire new continuous monitoring capabilities through approved acquisition vehicles or to obtain approval from the CDM program management office and OMB.
One change is that OMB now requires the Cybersecurity and Infrastructure Security Agency (CISA) to provide a monthly summary report of medium-priority or higher incidents in addition to a broad report covering all incident details. In general, references to the Department of Homeland Security at large or to the National Cybersecurity and Communications Integration Center (NCCIC) are replaced with CISA throughout the document.