Government first-movers looking to get a jump on continuous monitoring

With new federal agency FISMA reporting requirements taking effect in November, several agencies are taking steps now to get ahead of the requirements and anticipate some additional security metrics likely to be added in the near future. As reported by Federal News Radio, the Department of Veterans Affairs expects to have monitoring capabilities in place for all desktop computers by September 30, in addition to ongoing efforts to augment network, server, and systems monitoring capabilities. In a widely reported shift in policy and practice, NASA announced its intention to abandon conventional system re-authorization processes in favor of focusing on the new reporting requirements.  In addition, the Nuclear Regulatory Commission is evaluating its current tools and monitoring functions to try to determine how to meet the new monitoring requirements. As these and other agencies explore alternative methods and mechanisms for meeting new monitoring requirements, many look to the State Department’s risk scorecard model, which draws data from vulnerability scans, configuration checks, and network management sensors to produce and frequently update an overall score for State’s security posture.

Instructions in a memo sent on April 21 from OMB to all heads of executive departments and agencies gave notice about the new FISMA reporting approach, which in addition to requiring electronic submission of data feeds from agency FISMA tools to the government-wide Cyberscope online application, also will involve the establishment of government-wide benchmarks on security and agency-specific interviews with officials responsible for security management. Should the administration’s Cybersecurity Coordinator be given budgetary approval authority over agency investments — as proposed in several pieces of security legislation introduced in Congress — these benchmarks may take center stage as agencies not only report on systems security, but also try to justify the effectiveness their information security management programs. Continuous monitoring is among the many new provisions called for in the House of Representative’s proposed Federal Information Security Amendments (FISA) Act that were included via amendment in the defense authorization bill the House passed on May 28, and is a core process in the revised Risk Management Framework and system certification and accreditation process detailed in NIST Special Publication 800-37 Rev. 1.