Continuous monitoring strategy for government security managers

Richard W. Walker, Contributor

Federal managers know the drill. New security laws, mandates or policies are handed down from on high. Then they have to scramble to comply. But this game of catch-up doesn’t ensure their systems are any safer than before.


“Compliance is my worst nightmare,” said David Stender, associate chief information officer for cybersecurity and chief information security officer at the Internal Revenue Service, speaking recently in Washington D.C. at a panel of government security experts.

Added Peter Mell, a senior computer scientist at the National Institute of Standards and Technology, “We need policies that will help secure our systems but the idea that we can create policies and comply with them and achieve secured systems that stay secured is a complete fallacy, and we all know that. That’s the nightmare we’ve been living in.”

But a big change is in the air as government leaders intensify an effort to move from a compliance-based security model to a continuous monitoring strategy for security. While the idea of continuous monitoring has been floating around for years and incorporated almost desultorily in legislation such as the Federal Information Security Management Act of 2002, the Office of Management and Budget has in the last year ramped up a big push toward continuous monitoring through a series of memoranda to agency officials.

The National Institute of Standards and Technology (NIST) has issued guidance, “Information Security Continuous Monitoring for Federal Information Systems and Organizations”, to help managers develop a continuous monitoring strategy and implement a program.

The government will soon take a major step forward when NIST and the Homeland Security Department release an enterprise continuous monitoring technical reference architecture called the CAESARS Framework Extension. A final version of the architecture will be unveiled at NIST’s IT Security Automation Conference in Crystal City, Virginia, later this year.

The architecture will provide agency managers with the technical framework that has been missing from the continuous monitoring effort. “How do we genuinely support operations as opposed to just doing compliance?” Mell asked. “We need a technical framework to do that.”

“In the world we have today, throwing more money at [security] problems isn’t necessarily going to solve them,” he said. “But when we get to the idea of a foundational technical framework that allows you to support operations and provide data to comply with many different policy requests, there’s promise here.”

According to security experts, the key to successful continuous monitoring will be more fully automating security operations across government enterprises, supported by new tools such as NIST’s Security Content Automation Protocol (SCAP), which was created to provide an automated, standardized approach to maintaining the security of enterprise systems, that is, being able to determine the security posture of systems at any given time.

Standards like SCAP, if widely adopted by vendors of security tools, will help overcome barriers to fully automated continuous monitoring, according to Mell.

“With continuous monitoring, we’re trying to go a level higher,” he said. “We’re not talking one way communication with security tools anymore. We’re talking about orchestrating workflow between tools in order to collect data, analyze it, score it and aggregate up to different levels.”
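The collect, score and aggregate workflow Mell describes can be sketched in a few dozen lines. The following is an added example, not code from the article, from NIST or from any SCAP tool: it takes constructed check results shaped loosely like XCCDF rule results (host, rule id, severity, pass/fail, collection time), applies an assumed severity-weighted score per host, flags hosts whose most recent data is older than an assumed freshness window (a stale host is a monitoring gap, not a clean host), and rolls the scores up to organizational-unit and enterprise level. The record layout, weights and window are all assumptions for illustration.

```python
"""Score and roll up constructed compliance check results.

Assumptions (not from the article): records resemble XCCDF rule results,
a fixed severity weight table, and a freshness window for stale hosts.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed weights: how much one failed rule of each severity adds to a host's risk score.
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}

# Constructed sample export from a hypothetical scanner; one record per (host, rule).
SAMPLE_RESULTS = [
    {"host": "web01", "unit": "ops", "rule": "xccdf_rule_ssh_root_login", "severity": "high",
     "result": "fail", "collected": "2011-10-05T08:00:00Z"},
    {"host": "web01", "unit": "ops", "rule": "xccdf_rule_audit_enabled", "severity": "medium",
     "result": "pass", "collected": "2011-10-05T08:00:00Z"},
    {"host": "web01", "unit": "ops", "rule": "xccdf_rule_login_banner", "severity": "low",
     "result": "fail", "collected": "2011-10-05T08:00:00Z"},
    {"host": "db01", "unit": "ops", "rule": "xccdf_rule_ssh_root_login", "severity": "high",
     "result": "pass", "collected": "2011-10-04T22:00:00Z"},
    {"host": "db01", "unit": "ops", "rule": "xccdf_rule_audit_enabled", "severity": "medium",
     "result": "fail", "collected": "2011-10-04T22:00:00Z"},
    {"host": "hr-ws7", "unit": "hr", "rule": "xccdf_rule_ssh_root_login", "severity": "high",
     "result": "fail", "collected": "2011-09-28T10:00:00Z"},
    {"host": "hr-ws7", "unit": "hr", "rule": "xccdf_rule_login_banner", "severity": "low",
     "result": "fail", "collected": "2011-09-28T10:00:00Z"},
]

# Constructed "current time" so the staleness check is deterministic.
NOW = datetime(2011, 10, 5, 12, 0, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def host_scores(results, now, max_age=timedelta(days=3)):
    """Return {host: {"unit", "score", "stale"}}.

    Only 'fail' results add to the score; pass/notapplicable add nothing.
    A host is stale when its newest record is older than max_age.
    """
    hosts = {}
    for r in results:
        entry = hosts.setdefault(r["host"], {"unit": r["unit"], "score": 0, "latest": None})
        ts = _parse_ts(r["collected"])
        if entry["latest"] is None or ts > entry["latest"]:
            entry["latest"] = ts
        if r["result"] == "fail":
            entry["score"] += SEVERITY_WEIGHT[r["severity"]]
    for entry in hosts.values():
        entry["stale"] = (now - entry.pop("latest")) > max_age
    return hosts


def rollup(hosts):
    """Aggregate per-host results to unit level and then to the enterprise."""
    units = defaultdict(lambda: {"score": 0, "hosts": 0, "stale_hosts": 0})
    for entry in hosts.values():
        u = units[entry["unit"]]
        u["score"] += entry["score"]
        u["hosts"] += 1
        u["stale_hosts"] += int(entry["stale"])
    enterprise = {
        key: sum(u[key] for u in units.values()) for key in ("score", "hosts", "stale_hosts")
    }
    return dict(units), enterprise


def run_sample():
    """Run the whole pipeline over the constructed sample; returns (hosts, units, enterprise)."""
    hosts = host_scores(SAMPLE_RESULTS, NOW)
    units, enterprise = rollup(hosts)
    return hosts, units, enterprise


if __name__ == "__main__":
    hosts, units, enterprise = run_sample()
    for name, e in sorted(hosts.items()):
        print(f"host {name:7} unit={e['unit']:4} score={e['score']:3} stale={e['stale']}")
    for name, u in sorted(units.items()):
        print(f"unit {name:7} score={u['score']:3} hosts={u['hosts']} stale={u['stale_hosts']}")
    print("enterprise", enterprise)
```

The design point is the staleness flag: a dashboard that only sums failed checks will quietly reward a host whose agent stopped reporting, so the roll-up carries the count of stale hosts alongside the score at every level.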

Next: What managers need to do to prepare for a continuous monitoring posture.

This was first published in October 2011
