Congress established the Continuous Diagnostics and Mitigation (CDM) program to provide adequate, risk-based, and cost-effective cybersecurity and to allocate cybersecurity resources more efficiently.[1] Hence the Department of Homeland Security and the Government Service Administration work together to address the task.

OMB Memorandum M-14-03 directs the National Institute of Standards and Technology to publish guidance criteria for Federal agencies to conduct ongoing assessment and authorization.[2]

Ongoing assessment (OA) is intended to give a real-time view into the security posture of information systems across the civilian Federal agencies. Data feeds from the CDM program will provide information security officials with the current security posture of their systems and better inform them of where to focus their efforts to minimize the impact of cyber compromises.

Ultimately the goal of OA is, as noted in SP 800-53,[3] that "authorization and decisions are made based on the degree to which the desired security capabilities have been effectively achieved and are meeting the security requirements defined by an organization. These risk based decisions are directly related to organizational risk tolerance that is defined as part of an organization's risk management strategy."

REFERENCES:

1. CDM Resources

2. Enhancing the Security of Federal Information and Information Systems

3. NIST SP 800-53r4: Security and Privacy Controls for Federal Information Systems

4. CDM: The Future of Cybersecurity

5. NIST IR 8011-1: Automation Support for Security Control Assessments

SUPPLEMENTAL READING:

NIST SP 800-37r2: Risk Management Framework for Information Systems and Organizations

NIST SP 800-115: Technical Guide to Information Security Testing and Assessment

NIST SP 800-39: Managing Information Security Risk

What is CDM and Why Do You Need It?