WhiteHouse / cyber-acquisitions

https://policy.cio.gov

Continuous Monitoring #23

Open dkahle20 opened 9 years ago

dkahle20 commented 9 years ago

Under Section 4, "Information Security Continuous Monitoring", it states "if providing the DHS CDM capabilities to a contractor operating information systems on behalf of the Government is not feasible, the contract must ensure at a minimum:

* The agency may elect to perform information security continuous monitoring and IT security scanning of contractor systems with tools and infrastructure of its choosing."

This clause will likely be unacceptable to many contractors. We request that OMB consider modifying this statement to include the possibility that, upon mutual agreement and concurrence on tool selection, the contractor can use its own tools and infrastructure to conduct security scanning and deliver the results to the agency.

In addition, we recommend that beyond receiving scanning reports from contractors, agencies should gain assurance that contractors have mature continuous monitoring and vulnerability management programs through the use of independent third-party audits (e.g., 3PAO assessments used in the FedRAMP program). Once this assurance has been established, agencies should rely on these third-party audits, and limited contractor self-reporting, versus a near-constant stream of contractor scanning reports.

BSATheSoftwareAlliance commented 9 years ago

BSA|The Software Alliance Comments on Continuous Monitoring

Continuous monitoring. Many companies already have their own continuous monitoring process in place which is evaluated by Third Party Assessment Organizations (3PAOs). 3PAOs are neutral and pre-approved through screening conducted by FedRAMP. If each agency were permitted and/or encouraged to perform their own monitoring in addition to what companies already have in place to satisfy FedRAMP, this practice would represent an extremely heavy burden on contractors without increasing cybersecurity. We urge OMB to reconsider this approach and to make reference to FedRAMP procedures regarding continuous monitoring.