Federal agencies have a window of opportunity to move on continuous monitoring

The call now seems to be coming from all sides that federal government agencies need to fully embrace risk-based approaches to information security and move towards continuous monitoring and enterprise situational awareness. OMB, in coordination with the Departments of Justice and Homeland Security, is pushing executive agencies to change the way they report security program information under FISMA, first by going to online submission via Cyberscope, and then moving to monthly reporting as a step towards “continuous” monitoring of federal IT systems. There is little question this should be an improvement (from a security standpoint) over the current approach of producing hundreds of pages of documentation to certify IT systems and accredit them so they can run in production, then basically ignoring them for as long as three years unless something significant changes about the systems or the environment they run in. However, unless and until the information reported by agencies actually represents meaningful security metrics, it’s hard to see how upping the frequency of reporting is going to help that much. Monthly compliance verification may be better than annual (or less often), but it’s still just compliance, and compliance does not equal security. There appears to be a lot of thinking going on about what sort of metrics or operational activities are most appropriate to deliver continuous monitoring, but to date, there aren’t a lot of concrete recommendations.

This is a risky position for federal agencies to be in, because there are also bills working through both houses of Congress that aim to strengthen and improve FISMA and that could potentially end up dictating what agencies need to do to improve security. Given the other priorities in Congress and the looming mid-term elections, it’s anyone’s guess whether a new security bill will make it through to enactment during this 111th Congress; we suspect none will. This gives federal agencies a window of opportunity to propose approaches, metrics, or processes that would help realize the objectives sought in the draft House and Senate legislation, without waiting to be on the receiving end of legislative mandates that agency CISOs may not be that happy about. For all its good intentions, this really seems to be an area that OMB is ill-prepared to address effectively, but there are enough agencies (State and VA come to mind among larger agencies) making significant inroads into continuous monitoring that it would be feasible to carve out some common ground for potential government-wide security approaches. NIST’s new Risk Management Framework and the corresponding guidance resulting from the Joint Task Force Transformation Initiative would also seem to be a step in the right direction here, but despite the apparent executive agreement among NIST, DoD, the Intelligence Community, and CNSS to adopt a common security control framework and risk management process, the message has yet to reach the program and project teams working to accredit systems, or their authorizing authorities. There seems to be a lot of business as usual, with DoD folks following DIACAP and civilian agencies still producing more documentation than evidence of effective security control implementation and usage.

Before the sort of common risk-based approach advocated by the Joint Task Force can become pervasive, it seems a stronger business case needs to be made (or different governance criteria need to be put in place) to evolve the process to match the new guidance. One way this sort of governance could happen is by giving the cybersecurity czar budgetary approval authority (as the draft House FISMA bill would do), but presumably most federal CISOs would rather avoid going to that extreme if they could. Proactivity is not a strong suit for many agencies or their information security programs, but if they act now, agencies just might be able to obviate the need for such oversight.