Revised SP800-37 not ideal, but an improvement

NIST has released for public comment a revision to its Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems.” This document was formerly the “Guide for the Security Certification and Accreditation of Federal Information Systems,” so the first obvious change is in the title and corresponding focus of the publication. The change is most significantly seen is an explicit move away from the tri-annual certification and accreditation process under which federal information systems are authorized to operate, in favor of a continuous monitoring approach that seems to recognize the importance of achieving and maintaining awareness of current security status at any given point in time. While some of the more interesting revised elements may make their way into a future post, of equal interest at the moment is the question of how significant the altered approach in 800-37 may be for improving the security of federal information systems, and more generally of federal agency environments.

As noted by more than one expert (although few as forcefully, bluntly, or eloquently as Richard Bjetlich), continuous monitoring of security controls is a far cry from continuous threat monitoring, the latter of which demands more attention from the government in light of the dramatic rise in reported security incidents over the past three years. Among other things, FISMA has specific requirements that should result in agencies engaging in threat monitoring, such as “periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, of which such testing shall include testing of management, operational, and technical controls of every information system” identified in the agency system inventory required under OMB A-130 (§3544(b)(5)) and “procedures for detecting, reporting, and responding to security incidents” (§3544(b)(7)). Generally speaking, every agency has an incident response team or comparable capability, and threat monitoring using intrusion detection tools is one of several approaches many of the IR teams already implement. So more explicit guidance to agencies (from NIST or anyone else) on doing these things effectively on an enterprise-wide security basis could shore up a lot of the deficiencies that come from a system-level emphasis on controls alone.

Regardless of how all the pending proposals for revising or strengthening FISMA turn out or which ones pass, it’s not feasible to suggest that the government should completely abandon its current security practices in favor of a new approach emphasizing field testing of its controls (field testing being one of the ways that agencies could test and evaluate the effectiveness of their security controls). The revised 800-37 has to a least be considered a step in the right direction, because the current triannual documentation exercise does nothing to harden an agency’s security posture. A move to continuous monitoring narrows the gaping loophole that current system authorization policy leaves open, and is an explicit step towards achieving situational awareness. There’s a long history of ambitious and revolutionary initiatives failing in the federal government, and a corresponding (cynical yet accurate) view that “all successful change is incremental.” Let’s not characterize the failure on NIST’s part to recommend a wholesale replacement of current security program operations to mean that there couldn’t or shouldn’t be improvements sought within the sub-optimal control-driven model.

That’s not the same thing as intrusion detection or prevention, but any effort to mandate those activities had better be well thought out. Putting intrusion detection tools in place will yield no tangible security benefit if the agencies do not also have sufficiently expert security analysts to make sense of the alerts produced by the tools. So simply requiring threat monitoring activities can quickly become another compliance control or the source of a false sense of greater security. Where intrusion detection and prevention is concerned, it’s disingenuous to fault individual agencies for not moving to implement continuous threat monitoring when they have no current capability to make sense of the information. IDS or IPS is of no use (and may be counter-productive) without the corresponding experts to analyze the data produced by the tools, tailor detection rules, and tune operations to minimize false positives and separate noise from actual threats.

On the intrusion detection front, the government is moving headlong in this direction, but has no intention of leaving the management of such capabilities up to individual agencies. Under the Einstein program sponsored by DHS and to be run by the National Security Agency, all federal network traffic will be monitored centrally, not only for intrusion detection but also prevention in the form of blocking traffic or disabling network segments when malicious activity is detected. The technical feasibility of monitoring all federal networks is facilitated for Internet connectivity by the Trusted Internet Connections program — under which the entire federal government ostensibly will consolidate Internet points of presence down to fewer than 100 — and by plans under Einstein to place sensors within the physical environments of major providers of telecommunications infrastructure to the federal government.