FDIC Has Yet to Implement an Effective Continuous Monitoring Program

As part of its audit of the financial statements of funds administered by FDIC, GAO “assessed the effectiveness of the corporation’s controls in protecting the confidentiality, integrity, and availability of its financial systems and information.” GAO found that although “FDIC had implemented numerous controls in its systems, it had not always implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information.”

FedRAMP will be ready by November

From: FierceGovernmentIT

By Molly Bernhart Walker

The Federal Risk and Authorization Management Program, or FedRAMP, will launch before November, according to Fred Whiteside, project manager for the National Institute of Science and Technology’s cloud computing working group.

“These projects have been underway for quite some time, I think as most of you know. FedRAMP is due to be sort of commissioned, I want to say at the end of October–sometime around the end of October,” said Whiteside Aug. 23 while speaking at a MeriTalk event in Washington, D.C. “[Its launch will] coincide, of course, with the release of the NIST technology roadmap and completion of the assessment models. So, we’re very close to seeing all these things be put in place,” Whiteside added.

Revised FISMA Implementation Schedule

NIST’s revised FISMA Implementation Schedule, attached below, does not mention the status of its continuous monitoring guidance document, SP 800-137, which is currently in draft. It is not evident why some SP 800-series documents are included in the schedule and some are not.



SP 800-128 Final Publication: Guide for Security-Focused Configuration Management of Information Systems

NIST is pleased to announce the final publication of Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems. Special Publication 800-128 provides guidelines for implementation of a security-focused configuration management (SecCM) process as well as supporting information for NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations. The fundamental concepts associated with SecCM and the process of applying SecCM practices to information systems are described.

SP 800-128 is attached below.



OMB Redefines CIO Authorities to Emphasize Continuous Monitoring

OMB has issued a Memorandum, M-11-29 – Chief Information Officer Authorities (attached below), which, in OMB’s words, is “changing the role of Agency Chief Information Officers (CIOs) away from just policymaking and infrastructure maintenance, to encompass true portfolio management for all IT.”

Continuous monitoring was singled out in the two-page document as a key CIO mandate. In the memo, OMB Director Lew states that CIO security responsibilities:

“will include well-designed, well-managed continuous monitoring and standardized risk assessment processes, to be supported by ‘CyberStat’ sessions run by the Department of Homeland Security to examine implementation. Taken together, continuous monitoring and CyberStats will provide essential, near real-time security status information to organizational officials and allow for the development of immediate remediation plans to address any vulnerabilities.”