The Office of Management and Budget has released fiscal year 2021-2022 guidance to help agencies comply with the requirements of the Federal Information Security Modernization Act of 2014 and the recent cybersecurity executive order.
OMB outlined several tenets to guide performance management reform under FISMA and one of those is the transition to a zero-trust architecture, the office said in a memo published Monday.
The guidance states that agencies should implement zero trust-related security goals by the end of FY 2024 organized around the pillars of identity, devices, networks, applications and workloads and data. Other tenets listed are ground truth testing, observable security outcomes and automation.
The document calls on agencies to use the Cybersecurity and Infrastructure Security Agency’s standard incident response playbook to help improve the ability of CISA and other agencies to evaluate the risk of vulnerabilities and carry out incident response efforts.
OMB noted that CISA will review the Continuous Diagnostics and Mitigation program and integrate lessons learned to come up with a strategy to continue to improve CDM for FY 2022.
“This strategy will articulate challenges and opportunities for improving delivery, data quality, and support for automation,” the document reads.
To facilitate automated reporting, CISA will work with OMB and the National Institute of Standards and Technology by April to create a “strategy to continue to evolve machine-readable data standards for cybersecurity performance and compliance data through CDM.”
OMB also outlined the annual and quarterly FISMA reporting deadlines for FY 2021 and FY 2022, including those for annual and quarterly CIO metrics and senior agency officials for privacy metrics.