Is Anyone Really Doing Continuous Monitoring? Finding the Right Definition Would Help
An Internet image search on "You're doing it wrong" produces many funny images. Fortunately, I haven't found one to depict the federal government's approach to implementing continuous monitoring. But based on the way things are going, one is bound to appear soon, and it wouldn't be funny.
There is no longer any reasonable argument regarding whether or not continuous monitoring is the right move for federal departments and agencies. Nearly a decade of the Federal Information Security Management Act - the law, its oversight and its implementation - did very little to improve security among executive branch agencies. Instead, a culture of paper-based compliance drills, checklists and scorecards enriched the vendor community and generated executive bonuses, but the security of our federal networks and systems did not appreciably improve.
But what exactly is continuous monitoring? We first caught a glimpse of the new concept in one of the earliest of many bills over the past two years (none of which was enacted), drafted by the staff of Sen. Thomas Carper, D-Del., on the Senate Homeland Security and Governmental Affairs Committee. The measure, S. 3480, contained an attempt at a legal definition for continuous monitoring:
"The term 'automated and continuous monitoring' means monitoring at a frequency and sufficiency such that the data exchange requires little to no human involvement and is not interrupted."
The Office of Management and Budget followed, anticipating new legislation by issuing the reporting requirements that will begin the transition away from the paper-based compliance and meaningless scorecards that characterized the former FISMA process. The new OMB reporting requirements are contained in OMB Memorandum M-10-15, signed on April 21, 2010, which specifically states:
"Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way."
As agencies scratched their collective heads to figure out continuous monitoring, the Department of Homeland Security followed with its Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS) Reference Architecture Report, which came out in September 2010. DHS chose to examine the programs emerging at the Departments of State and Justice and at the Internal Revenue Service. Unfortunately, CAESARS did not consider the most mature and robust of the federal continuous monitoring programs, over at the House of Representatives. While it may be difficult to appreciate why the House has the best example of continuous monitoring in government, one of the obvious reasons, other than a deep understanding of real security, is that the House is exempt from the distractions and resource drains of the FISMA albatross.
Then came NIST Special Publication 800-137, released in draft in December 2010 and open for public comment until March 2011. The draft currently defines information security continuous monitoring as:
"... maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk decisions."
So there we have it. A legal definition of continuous monitoring does not yet exist, no two of the other definitions precisely match, DHS's review of existing continuous monitoring programs disregarded the only one really doing it right, and every agency thinks it is doing continuous monitoring today based on a misunderstanding of the "monitor phase" of the archaic system-authorization process. Nobody quite knows how to implement continuous monitoring, and that is before considering the obstacle in most agencies that the CIO and CISO have no authority to do so, because FISMA never gave it to them. "You're doing it wrong."
What's missing is something practical that can be implemented within a large federal enterprise. At the heart of the FISMA reform movement that started all of this progress are three very important concepts that, if federal departments and agencies can implement them correctly, will significantly improve the status of information security throughout the federal enterprise: risk-based security controls, continuous monitoring of those controls, and measures of their effectiveness. To put it simply, federal agencies will be required to put risk-based security controls in place and to continuously monitor them against measures of effectiveness.
But continuous monitoring against measures of effectiveness is a whole new challenge for almost every department and agency. Measures of effectiveness require an assessment that the security controls are not just in place but operating effectively. No longer can an agency check once a year whether one-third of its controls are merely in place; from now on, all controls, at all times, are to be in place and operating effectively in the context of the department's or agency's risk profile. This is a huge leap from where most departments and agencies are today, and it will require a complete reassessment of the agency's workforce, skill sets, contractor support and overall security posture.
Still to be exposed in all of this are the agencies that previously misrepresented their security posture with absurd or meaningless metrics, failed to adequately verify the false reporting of subordinate components, or engaged in a myriad of other disingenuous activities that were allowed to exist under the previous FISMA processes. The real power of the continuous monitoring process is its focus on the true security posture of the enterprise, with little human involvement to tamper with the results. That alone is a good thing.
In the end, federal information security is all about protecting our nation's systems and networks from those who wish to do them harm. Risk-based continuous monitoring against measures of effectiveness will go much farther than FISMA in achieving this noble goal. This time, let's do it right.
Bruce Brody, chief executive officer of the IT security consultancy New Cyber Partners, is the former chief information security officer at the departments of Energy and Veterans Affairs.