NASA implements policy to suspend C&A in favor of continuous monitoring

Taking the latest information security guidance from OMB to heart, NASA Deputy CIO for Information Security Jerry Davis issued a directive this week to all NASA ISSOs, system owners, authorizing officials, and IT managers and operators that suspends certification and accreditation activity for existing systems, in favor of a streamlined, risk-based approach that focuses on continuous monitoring. The decision, hailed as a bold move in the press, comes in advance of any federal standards or guidelines as to just how agencies should effect the sort of shift called for by OMB, and is notable at least in part for its candid acknowledgment that C&A processes to date “have proven largely ineffective and do not ensure a system’s security, or a true understanding of the system’s risk posture.” Davis acknowledges in the memo that OMB allows and expects different agencies to make their own decisions about how to apply security guidance and requirements, and clearly believes that the new approach complies with the spirit and real intent of the NIST security guidelines agencies are obligated to follow under FISMA, even if it departs from the FISMA reporting requirements that remain in force. NASA will use current standard C&A processes only for new systems seeking their initial authorization to operate, and even that use is intended to be temporary “until a more effective security authorization process is established.”

NASA is not the first or even highest profile agency to move forward aggressively on continuous monitoring, but it may be the first one to do so with the explicit goal of improving its security posture. The State Department has implemented a well-regarded program under CISO John Streufert that frequently and regularly scans all the systems and devices in the State computing environment for vulnerabilities and correct software configurations, assigning risk scores to the results of those scans. While highlighting the improvements seen in those risk scores since the monitoring and assessment initiative began, Streufert also suggests a real economic benefit comes from State’s risk-based methods, often citing the tens of millions of dollars State has spent in the recent past producing thousands of pages of security accreditation documentation. For its part, NASA’s change in information security focus is likely in part driven by recommendations from a GAO report issued last October that found significant weaknesses in many aspects of the agency’s information security program. Although State and NASA (and many other agencies and members of Congress) agree that following conventional FISMA compliance-focused security processes is not the most effective approach to security, State emphasizes the wasted time, money, and operational resources devoted to compliance as a reason to take a different approach, while NASA seems primarily interested in finding ways to improve its security posture.

What’s most interesting (dare we say exciting?) to us is the extent to which decisions like NASA’s might represent a harbinger of a permanent and substantive shift in federal information security management practices. It’s hard to know where the tipping point is, or even whether the changes at individual agencies can achieve the critical mass necessary to abandon compliance-based security without coordinated action from OMB, or Congress, or both. It is certainly helpful for agencies that have not yet made this shift in their information security programs to have multiple examples or models to consider when seeking successful approaches to continuous monitoring.