MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

By | November 23, 2011

Source: SANS

Yesterday, Mark Weatherford took over as Deputy Undersecretary for CyberSecurity at the U.S. Department of Homeland Security. For the first time in many years, the U.S. cybersecurity program will be run by a technologist rather than by a lawyer. There are good reasons to believe that this change will herald an era of greater balance in national cybersecurity leadership between NSA and DHS. DHS has made five very important advancements in cybersecurity leadership, driven by technologists. The most important one shifts over $400 million per year away from paper-based checklist security and toward technology-based, automated, continuous monitoring of security, providing continuous situational awareness – a goal that DHS and NSA share. By combining the buying power of civilian agencies through DHS and of military agencies through NSA/DISA, total situational awareness and rapid risk reduction can be made very inexpensive across the federal government. That change, driven by DHS technologists, is in paragraph 28 of the directive posted at the White House site:

MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

Paragraph 28 in this White House directive answers the question: “Is a security reauthorization still required every 3 years or when an information system has undergone significant change as stated in OMB Circular A-130?” Answer: “No. Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs. Continuous monitoring programs thus fulfill the three year security reauthorization requirement, so a separate re-authorization process is not necessary.”
