“It’s almost that time again. Every fall agencies wait for the Office of Management and Budget to release instructions on how they should shape annual reports they have to make on the state of their information security. But this time the process is happening after two massive intrusions compromised several government agencies and there will be some important changes.
Federal Chief Information Security Officer Chris DeRusha told Nextgov’s Critical Update the biggest thing agencies can expect going forward is an understanding of how demanding the current reporting process is and an appropriate narrowing of the scope of things they have to focus on at any given time…”
“DeRusha believes paring down the list of things agencies are reviewing to the most essential functions satisfied by practices like continuous monitoring will yield better results than previous years’ efforts on that front.
‘It’s been a goal for a while, but we’re doubling down on that and making sure that we’re giving agencies some space to be able to focus on that,’ he said. ‘And that’s going to mean maybe asking them less often about all of their control implementations … We won’t necessarily review all controls every year. We’re going to focus on a subset.’…”
“To address the fact that agencies are in very different places along the road to implementing modern cybersecurity practices, DeRusha said, ‘One of the things you can do is you can leverage capability, maturity models. I’m a big believer in that.’…”
Source: Critical Update: The Federal CISO Is Prioritizing Flexibility for Agencies – By Mariam Baksh, October 26, 2021. Nextgov.