
FISMA Compliance and the Evolution to Continuous Monitoring

The U.S. Department of State developed a system for improving federal cybersecurity.

Historically, the cybersecurity protection activities associated with the Federal Information Security Management Act of 2002 (FISMA) hinged on security reviews of process and compliance in the form of hard copy documents contained within three-ring binders at a cost of $440 million per year across the federal government. By late 2009, $130 million had been spent at the Department of State alone (at a cost of $1,400 per page), with descriptions of overall technical risk for specific major systems that were rapidly out of date.

Though federal systems were being exploited at Internet speed, FISMA compliance and its applicable authorities required manual security testing at least every three years. The dichotomy between federal requirements and what was actually needed to provide cybersecurity spurred the evolution to continuous monitoring and mitigation.

Exploits use known cyber vulnerabilities and configuration setting weaknesses as the method of attack more than 80 percent of the time. In response, the U.S. Department of State automated scripts to scan its personal computers and servers at 260 embassies and consulates every one to three days. Commercial off-the-shelf sensors delivered details of unresolved security problems to an enterprise dashboard for attention to the worst problems first. By the end of July 2009, measured cyber risks were reduced by 89 percent across 24 time zones of department operations, using letter grades A to F and published daily to mark progress. In the second year, one-third of the remaining risk across the enterprise was reduced to the 94 percent level, an accomplishment that was sustained over time.

John Streufert

Director, National Cyber Security Division

Department of Homeland Security

In 2003, while deputy CIO for the U.S. Agency for International Development, he created a technique to find and fix known vulnerabilities across the agency's 22 time zones. He refined these risk-scoring techniques, later called Continuous Monitoring, while serving as Department of State CISO from 2006 to 2012.

Responsible for proposing revised FISMA practices that transition manual control testing to automated processes and hold promise for a higher return on investment on the $1.5 billion spent annually in this part of the federal cybersecurity portfolio.

Created a Concept of Operations for a phased implementation of Continuous Monitoring for federal cloud computing as part of the Federal Risk and Authorization Management Program (FedRAMP).

Leads the DHS effort to define and develop data metrics for evaluating results to improve federal civilian cybersecurity defenses in the CyberScope security reporting program.

The Department of State scored every security problem it found but assigned the highest point values to critical risks. Using a dashboard called iPost, system administrators’ attention was focused on the worst threats of the day. Critical patch coverage at the Department of State was repeatedly accomplished at the 84 percent level within seven days and the 93 percent level within one month.
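A worked illustration of the scoring and prioritization described above (scan findings scored with critical risks weighted highest, the worst host listed first, letter grades against a baseline, and critical patch coverage measured at seven days and one month), added here as example code rather than iPost or any Department of State code. The point weights, grade cut-offs, ageing rule and sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
# Point weights and grade cut-offs are assumptions for this example; critical
# findings dominate a host's score, as the article describes.
SEVERITY_POINTS = {"critical": 10.0, "high": 4.0, "medium": 2.0, "low": 0.5}
GRADE_CUTOFFS = [(0.05, "A"), (0.15, "B"), (0.30, "C"), (0.50, "D")]

@dataclass
class Finding:
    host: str
    severity: str
    first_seen: date
    resolved_on: "date | None" = None  # None while still unresolved

def host_scores(findings, today):
    """Points per open finding, +10% per week unresolved; worst host first."""
    scores = {}
    for f in findings:
        if f.resolved_on is None:
            weeks_open = (today - f.first_seen).days // 7
            points = SEVERITY_POINTS[f.severity] * (1 + 0.1 * weeks_open)
            scores[f.host] = scores.get(f.host, 0.0) + points
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))

def letter_grade(open_points, baseline_points):
    """Grade by the share of the baseline (first-scan) risk still open."""
    share = open_points / baseline_points if baseline_points else 0.0
    for cutoff, grade in GRADE_CUTOFFS:
        if share <= cutoff:
            return grade
    return "F"

def critical_patch_coverage(findings, window_days, today):
    """Share of criticals old enough for a full window that closed inside it."""
    eligible = [f for f in findings if f.severity == "critical"
                and (today - f.first_seen).days >= window_days]
    if not eligible:
        return 0.0
    on_time = sum(1 for f in eligible if f.resolved_on is not None
                  and (f.resolved_on - f.first_seen).days <= window_days)
    return on_time / len(eligible)
# Constructed sample findings (not real scan data) as of a fixed report date.
TODAY = date(2012, 7, 31)
SAMPLE = [
    Finding("web-01", "critical", date(2012, 7, 1), date(2012, 7, 5)),
    Finding("web-01", "high", date(2012, 7, 20)),
    Finding("db-02", "critical", date(2012, 7, 10)),
    Finding("db-02", "low", date(2012, 7, 28)),
    Finding("ws-03", "critical", date(2012, 7, 15), date(2012, 7, 25)),
]
```

Because the ageing multiplier grows with time unresolved, a host that ignores a critical finding climbs the list day by day, which is the worst-first behaviour the dashboard is meant to produce.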

In January 2012, the Department of Homeland Security assembled a team to implement these cybersecurity strategies across the .gov network using funding set aside in the fiscal year 2013 federal budget. In August 2012, agreement in the House and the Senate signaled their support for a continuous cyber diagnosis and mitigation program.

The next generation of cyber defenses will combine appropriate dashboard software features and sensors based on the Center for Strategic and International Studies 20 Critical Security Controls for Effective Cyber Defense. In June, DHS announced specifications for the first phase of continuous monitoring and mitigation sensors, focused on hardware and software asset management, whitelisting/anti-malware defenses, and vulnerability and compliance setting management.

While plans for the future are still unfolding, the General Services Administration intends to issue multiple award contracts for the federal government to buy cybersecurity tools for implementing continuous monitoring and mitigation, with options available for other federal, state and local governments to make purchases for their separately operated defenses. The design of this acquisition aims for cybersecurity strategies that:

  • Organize defenses around sensors mapped to the 20 Critical Controls (in phases);
  • Inspect systems daily, diagnose and then mitigate security problems across all federal networks, applications and cloud-based services over time;
  • Prioritize attention on those risks with the most impact and potential for occurring; and,
  • Measure the results and report progress in dealing with known cyberthreats to technicians, managers, executives and the public.

Adequate cybersecurity is a problem of national significance that warrants attention. Utilizing the combined buying power of federal, state and local governments to receive quantity discounts for cybersecurity tools helps maximize benefits for the taxpayer.

Establishing a continuous diagnosis and mitigation (CDM) program for your state or local government or for your business is an opportunity within grasp. These concepts were developed at taxpayers’ expense for the protection of federal networks, but are available and adaptable for the public or private sector, on a strictly voluntary basis. Send requests for further information to the Department of Homeland Security at [email protected]

Information Security's 2012 Security 7 winners:

Wade Baker: Information Security Decisions: From Dogma to Data

Krishnan Chellakari: Developing a BYOD Strategy: Weigh the Risks, Challenges and Benefits

Ron Knode: Security Warrior for Cloud Transparency

Doug Powell: GRC Management and Critical Infrastructure Protection

David Seidl: Security Risk Assessment Process a Team Effort at Notre Dame

John Streufert: FISMA Compliance and the Evolution to Continuous Monitoring

Preston Wood: The new era of big data security analytics

This was last published in October 2012
