Continuous monitoring: It's a process, not a goal

The new approach to FISMA makes the three-year snapshot a thing of the past, but monitoring for security is just getting started.

“Continuous monitoring” is a growing buzzword in the federal IT security community, and it is a central focus of the Federal Information Security Management Act reporting requirements for federal chief information security officers this year.

To some, continuous monitoring is the long-awaited alternative to compliance audits and the mounds of paperwork that are typically used to satisfy FISMA reporting requirements. To others, it offers great promise in that automated tools can provide much of the information needed to make informed risk decisions and provide the documentation that will meet audit requirements.

Continuous monitoring may be all of that, eventually, but the instructions provided in this year's FISMA guidelines are not quite that ambitious. They hew to the National Institute of Standards and Technology’s definition of the term, whereby continuous monitoring is viewed as a tactic, not a strategic goal.


Nonetheless, the inclusion of continuous monitoring in the 2012 FISMA reporting guidelines does set the stage for agencies to establish “continuous authorization” programs that will end the infamous “three-year cycle” for Certification and Accreditation activities. That cycle was enshrined in Office of Management and Budget Circular A-130, which provided implementation guidance for the 2002 FISMA legislation and required agencies to reauthorize systems at least that often.

This cyclical requirement was most easily met by hiring contractors to reproduce voluminous documentation that would support a paper-based reauthorization process — at great financial cost to the taxpayer and little benefit to the security of the authorized systems.

In 2009, an OMB task force addressed this problem, and Congress took the first step toward breaking the C&A cycle when it transferred FISMA reporting responsibility from OMB to the Federal Network Security branch of the Homeland Security Department, tasking FNS with providing operational support to make FISMA reporting effective and efficient.

This occurred at about the same time that NIST issued Special Publication 800-137, “Information Security Continuous Monitoring for Federal Information Systems and Organizations.” The NIST guidance states that a robust ISCM program “enables organizations to move from compliance-driven risk management to data-driven risk management” and adds that “monitoring tools can be readily deployed in support of near-real-time, risk-based decision-making.”

The NIST guidance is clear that continuous monitoring is not a goal in and of itself, but it is a component of the NIST Risk Management Framework that ultimately supports the objective of “continuous authorization” of IT systems. If federal agencies are going to be relieved of the burden of checklist-style audit response, there must be a consensus on what it means to have IT systems in a state of continuous authorization and an understanding of the role continuous monitoring plays in that process.

This is where the 2012 FISMA guidance from DHS comes into the picture. Instructions to an agency’s inspector general include verification of whether the organization has “established an enterprisewide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy and applicable NIST guidelines.” It goes on to ask whether the monitoring strategy and program provide authorizing officials with updates to security plans, assessment reports, and Programs of Action and Milestones with the frequency defined in the plan.

These components identified — security plan, risk assessment and POAMs — are the required elements of an authority to operate. If an agency can demonstrate that a combination of instrumented (tool-based) reports and documented processes support the risk management decisions of the system owner and the authorizing official, then the agency systems are in a state of continuous authorization.

Absent from this guidance is any specification of the required frequency of update to the authorization package. If a system can demonstrate that its baseline controls are being monitored at some frequency, through automated reports or repeatable processes that assure configuration management, the need for cyclical snapshots is gone.

John Streufert, former CISO of the State Department, told Congress that his agency had spent millions of dollars reauthorizing its systems, document by document, every three years. He and his staff, with the support of their internal auditors, set out to break the cycle and concentrate on managing system configurations and documenting that activity continuously. They accomplished this, at a great reduction in cost, by developing a reporting system that assessed instrumentable vulnerabilities across a global network and showed system officials how to “solve their worst problem first.” A record of the actions taken by system administrators was the basis for authorizing the system — continuously.

The State system did not address all the elements of a FISMA-compliant authorization decision, but it was a dramatic improvement over the checklist-based auditing used to evaluate reauthorization decisions in large federal environments. It also satisfied the IG’s requirement that the CISO provide the risk assessments necessary to authorize systems, without costly updates to system security documentation.

The latest FISMA reporting guidance from DHS reflects the lessons learned from this and other experiments in implementing the Risk Management Framework supported by continuous monitoring. It sets a new threshold for understanding and complying with the FISMA statute.

From the beginning, FISMA and the FISMA Implementation Project at NIST have been oriented toward building a risk-based structure that can allow oversight agencies or organizations to determine whether the risks that are inherent in networked computing environments are being managed appropriately.

Continuous monitoring, as it is outlined in the NIST guidance and expected in the latest FISMA guidance from DHS, allows agencies to achieve that goal. This year’s FISMA reporting guidance makes it clear that the three-year snapshot process is a thing of the past.
