The Office of Management and Budget has issued a memorandum requiring agencies to report at least 80 percent of their government-furnished equipment through the Continuous Diagnostics and Mitigation program by the end of fiscal year 2023.
CDM is a Cybersecurity and Infrastructure Security Agency-managed program that seeks to help agencies detect, monitor and counter cyber vulnerabilities using commercial off-the-shelf tools.
According to the memo, CISA should provide agencies with a list of software categories that meet the “critical software” definition no later than Jan. 15.
CISA should also provide OMB with information on scanning cadence and other performance data beginning in the third quarter of FY 2023 and work with OMB and the CISO Council FISMA Metrics Subcommittee to “identify future metrics for automation in FY 2024.”
The document directs agencies to submit information on assets in an automated manner starting in the current fiscal year’s first quarter and meet all reporting requirements of the CDM Federal Dashboard.
“Agencies are encouraged to provide the CDM PMO with feedback on existing tools and input on additional tools that may prove valuable for current or future CDM acquisition vehicles,” the memo states.
The OMB memo seeks to provide agencies with FY 2023 reporting guidance and deadlines in compliance with the Federal Information Security Modernization Act.