At the 2010 RSA Conference, I issued a rallying call for the cybersecurity community to collectively evolve from previous static, compliance-based metrics programs to a more dynamic approach that utilizes continuous monitoring. Since then, we’ve seen the public and private sector respond with innovative approaches to this challenge.
In line with that call, recently the Office of Management and Budget released its reporting instructions for agencies under FISMA. In that memorandum, the federal government takes a significant step forward in our efforts to use continuous monitoring to more effectively and efficiently ensure the security of federal systems and networks:
Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs. Continuous monitoring programs thus fulfill the three-year security reauthorization requirement, so a separate reauthorization process is not necessary.
Source: White House
