Continuous monitoring: It's a process, not a goal
The new approach to FISMA makes the three-year snapshot a thing of the past, but monitoring for security is just getting started.
“Continuous monitoring” is a growing buzzword in the federal IT security community, and it is a central focus of the Federal Information Security Management Act reporting requirements for federal chief information security officers this year.
To some, continuous monitoring is the long-awaited alternative to compliance audits and the mounds of paperwork that are typically used to satisfy FISMA reporting requirements. To others, it offers great promise in that automated tools can provide much of the information needed to make informed risk decisions and provide the documentation that will meet audit requirements.
Continuous monitoring may be all of that, eventually, but the instructions provided in this year's FISMA guidelines are not quite that ambitious. They hew to the National Institute of Standards and Technology’s definition of the term, whereby continuous monitoring is viewed as a tactic, not a strategic goal.
Nonetheless, the inclusion of continuous monitoring in the 2012 FISMA reporting guidelines does set the stage for agencies to establish “continuous authorization” programs that will end the infamous "three-year cycle" for Certification and Accreditation activities, a cycle enthroned in the Office of Management and Budget Circular A-130, which provided implementation guidance on the 2002 FISMA legislation and required agencies to reauthorize systems at least that often.
This cyclical requirement was most easily met by hiring contractors to reproduce voluminous documentation that would support a paper-based reauthorization process — at great financial cost to the taxpayer and little benefit to the security of the authorized systems.
In 2009, an OMB task force addressed this problem, and Congress took the first step in breaking the C&A cycle when it transferred FISMA reporting responsibility from OMB to the Federal Network Security branch of the Homeland Security Department, tasking FNS with providing operational support to make FISMA reporting effective and efficient.
This occurred at about the same time that NIST issued Special Publication 800-137, “Information Security Continuous Monitoring for Federal Information Systems and Organizations.” The NIST guidance states that a robust ISCM program “enables organizations to move from compliance-driven risk management to data-driven risk management” and adds that “monitoring tools can be readily deployed in support of near-real-time, risk-based decision-making.”
The NIST guidance is clear that continuous monitoring is not a goal in and of itself, but it is a component of the NIST Risk Management Framework that ultimately supports the objective of “continuous authorization” of IT systems. If federal agencies are going to be relieved of the burden of checklist-style audit response, there must be a consensus on what it means to have IT systems in a state of continuous authorization and an understanding of the role continuous monitoring plays in that process.
This is where the 2012 FISMA guidance from DHS comes into the picture. Instructions to an agency’s inspector general include verification of whether the organization has “established an enterprisewide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy and applicable NIST guidelines.” It goes on to ask whether the monitoring strategy and program provide authorizing officials with updates to security plans, assessment reports, and Programs of Action and Milestones with the frequency defined in the plan.
The components identified here — security plan, risk assessment and POAMs — are the required elements of an authority to operate. If an agency can demonstrate that a combination of instrumented (tool-based) reports and documented processes supports the risk management decisions of the system owner and the authorizing official, then the agency's systems are in a state of continuous authorization.
Absent from this guidance is any specification of the required frequency of update to the authorization package. If a system can demonstrate that its baseline controls are being monitored at some frequency, through automated reports or repeatable processes that assure configuration management, the need for cyclical snapshots is gone.
John Streufert, former CISO of the State Department, told Congress that his agency had spent millions of dollars reauthorizing its systems, document by document, every three years. He and his staff, with the support of their internal auditors, set out to break the cycle and concentrate on managing system configurations and documenting that activity in a continuous manner. They accomplished this, at a great reduction in cost, by developing a reporting system that assessed instrumentable vulnerabilities across a global network and showed system officials how to “solve their worst problem first.” A record of the actions taken by system administrators was the basis for authorizing the system — continuously.
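The paragraph above describes the two ingredients of the State Department approach: a scoring loop that ranks instrumented findings so that the worst problem is addressed first, and an action record that doubles as authorization evidence. The following is an added illustration of that pattern, written for this page; it is not the State Department's system or any NIST-specified algorithm. The severity weights, the 10 percent per week aging factor, the host names and the findings are all constructed for the example.

```python
"""
Added example (not from the article or from the State Department's own system):
a minimal "worst problem first" scoring loop. Each monitoring cycle takes the
current findings, scores them by severity and by how long they have been open,
ranks hosts so the worst is at the top, remediates that host's worst finding,
and appends the action to a record that can serve as continuous authorization
evidence. Weights and findings are constructed for illustration.
"""
from dataclasses import dataclass, field
from collections import defaultdict

# Constructed severity weights; a real program would take these from its risk model.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str      # e.g. a missing patch or a configuration deviation
    severity: str        # key into SEVERITY_WEIGHT
    days_open: int       # age since the monitoring tool first observed it


@dataclass
class ActionRecord:
    """Append-only log of remediation actions: the authorization evidence."""
    entries: list = field(default_factory=list)

    def log(self, cycle: int, host: str, finding_id: str, actor: str) -> None:
        self.entries.append({"cycle": cycle, "host": host,
                             "finding": finding_id, "by": actor})


def score_finding(f: Finding) -> float:
    """Severity weight, increased by 10% for every full week the finding stays open."""
    return SEVERITY_WEIGHT[f.severity] * (1 + 0.1 * (f.days_open // 7))


def rank_hosts(findings):
    """Sum finding scores per host; return [(host, score)] worst first."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.host] += score_finding(f)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def worst_problem_first(findings):
    """Return the highest-scoring finding on the highest-scoring host, or None."""
    ranked = rank_hosts(findings)
    if not ranked:
        return None
    worst_host = ranked[0][0]
    host_findings = [f for f in findings if f.host == worst_host]
    return max(host_findings, key=score_finding)


def run_cycle(cycle, findings, record, actor="sysadmin"):
    """One monitoring cycle: fix the worst problem, log it, return what remains."""
    target = worst_problem_first(findings)
    if target is None:
        return findings
    record.log(cycle, target.host, target.finding_id, actor)
    return [f for f in findings if f != target]


# Constructed sample findings, as a scanning tool might report them.
SAMPLE_FINDINGS = [
    Finding("web01", "missing-patch-A", "high", 21),
    Finding("web01", "weak-tls-config", "medium", 3),
    Finding("db01", "missing-patch-B", "critical", 2),
    Finding("db01", "default-account", "high", 60),
    Finding("wks17", "outdated-av", "low", 90),
]

if __name__ == "__main__":
    record = ActionRecord()
    remaining = list(SAMPLE_FINDINGS)
    for cycle in range(1, 4):
        print(f"cycle {cycle}: {rank_hosts(remaining)}")
        remaining = run_cycle(cycle, remaining, record)
    for entry in record.entries:
        print(entry)
```

Two points of the design matter more than the numbers. First, the age factor means a long-ignored high finding (db01's sixty-day default account) outranks a brand-new critical one, which is what pushes administrators toward closing out old items instead of chasing the latest scan. Second, the action record, not the ranking, is the artifact an authorizing official would rely on: it shows what was fixed, when and by whom, on every cycle, with no three-year document refresh.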
The State system did not address all the elements of a FISMA-compliant authorization decision, but it was a dramatic improvement over the checklist-based auditing used to evaluate security reauthorization decisions in large federal environments and satisfied the IG’s requirement for the CISO to provide the risk assessments necessary to authorize systems without costly updates to security system documentation.
The latest FISMA reporting guidance from DHS reflects the lessons learned from this and other experiments in implementing the Risk Management Framework supported by continuous monitoring. It sets a new threshold for understanding and complying with the FISMA statute.
From the beginning, FISMA and the FISMA Implementation Project at NIST have been oriented toward building a risk-based structure that can allow oversight agencies or organizations to determine whether the risks that are inherent in networked computing environments are being managed appropriately.
Continuous monitoring, as it is outlined in the NIST guidance and expected in the latest FISMA guidance from DHS, allows agencies to achieve that goal. This year’s FISMA reporting guidance makes it clear that the three-year snapshot process is a thing of the past.