Federal managers know the drill. New security laws, mandates or policies are handed down from on high. Then they have to scramble to comply. But, this game of catch-up doesn’t ensure their systems are any safer than before.
The idea that we can we create policies and comply with them and achieve secured systems that stay secured is a complete fallacy, and we all know that.
“Compliance is my worst nightmare,” said David Stender, associate chief information officer for cybersecurity and chief information security officer at the Internal Revenue Service, speaking recently in Washington D.C. at a panel of government security experts.
Added Peter Mell, a senior computer scientist at the National Institute of Standards and Technology, “We need policies that will help secure our systems but the idea that we can create policies and comply with them and achieve secured systems that stay secured is a complete fallacy, and we all know that. That’s the nightmare we’ve been living in.”
But a big change is in the air as government leaders intensify an effort to move from a compliance-based security model to a continuous monitoring strategy for security. While the idea of continuous monitoring has been floating around for years and incorporated almost desultorily in legislation such as the Federal Information Security Act of 2002, the Office of Management and Budget has in the last year ramped up a big push toward continuous monitoring through a series of memoranda to agency officials.
The National Institute of Standards and Technology (NIST) has issued guidance, “Information Security Continuous Monitoring for Federal Information Systems and Organizations”, to help managers develop a continuous monitoring strategy and implement a program.
The government will soon take a major step forward when NIST and the Homeland Security Department release an enterprise continuous monitoring technical reference architecture called the CAESARS Framework Extension. A final version of the architecture will be unveiled at NIST’s IT Security Automation Conference in Crystal City, Virginia, later this year.
The architecture will provide agency managers with the technical framework that has been missing from the continuous monitoring effort. “How do we genuinely support operations as opposed to just doing compliance?” Mell asked. “We need a technical framework to do that.”
“In the world we have today, throwing more money at [security] problems isn’t necessarily going to solve them,” he said. “But when we get to the idea of a foundational technical framework that allows you to support operations and provide data to comply with many different policy requests, there’s promise here.”
According to security experts, the key to successful continuous monitoring will be more fully automating security operations across the government enterprises, supported by new tools, such as NIST’s Standard Content Automation Protocol (SCAP), which was created to provide an automated, standardized approach to maintaining the security of enterprise systems -- being able to determine the security posture of systems at any given time.
Standards like SCAP, if widely adopted by vendors of security tools, will help overcome barriers to fully automated continuous monitoring, according to Mell.
“With continuous monitoring, we’re trying to go a level higher,” he said. “We’re not talking one way communication with security tools anymore. We’re talking about orchestrating workflow between tools in order to collect data, analyze it, score it and aggregate up to different levels.”
Next: What managers need to do to prepare for a continuous monitoring posture.
This was first published in October 2011