Joe Ford brings more than 20 years of technical and leadership experience to his current role of solutions architect. Ford acts as a first responder to clients when they have complex network and information security challenges. He helps his federal government and enterprise clients quickly drill into solutions that address their emergent and future-looking goals.
Continuous Monitoring and the Federal Government: Is There a Silver Bullet?
“Continuous monitoring” is the latest buzzword being used throughout the federal government, and depending on whom you talk to or what you read, the definition changes. The truth is that there is no silver bullet to address this issue. A number of commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) products help achieve continuous monitoring goals, but without the proper training, policies and procedures, federal agencies fall short of reaching those objectives.
The move to continuous monitoring narrows the gaping loophole that all current federal agencies’ system authorization policies leave open and is an explicit step towards achieving situational awareness. However, one thing that needs to be understood is that continuous monitoring programs are focused on risk and security controls, not on actual threats. Yet the development of these programs shows progress. With better visibility into agencies’ risk, leaders can start to make informed decisions to improve security against threats. As federal agencies continue to mature their controls to include real-time threat detection systems such as intrusion prevention systems (IPS) and malware detection, this gap will decrease.
While there is no silver bullet to help achieve continuous monitoring, the closest way to do this is through another federal standard – Special Publication (SP) 800-37, the Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems. The RMF was published by the National Institute of Standards and Technology (NIST) in partnership with the Department of Defense (DoD), the Office of the Director of National Intelligence (ODNI), and the Committee on National Security Systems (CNSS). This standard was created to help modernize the Certification and Accreditation (C&A) process by adopting a lifecycle methodology. With the adoption of an RMF, senior leaders within federal agencies will be able to make near real-time decisions based on the enterprise or system risk as it relates to their core mission.
Is moving to an RMF really going to improve IT security within federal agencies? The short answer is yes. By providing a lifecycle approach to security controls with real-time (or near real-time) monitoring, the security posture of the agencies will improve. Increased visibility into the security controls, along with automated systems that track how those controls perform, reduces risk. This is a great step forward for our federal systems, but it is only a step. To truly provide a real-time view of risk, we need to include other non-traditional data sources such as standards, training programs, and hiring practices. Some of this is addressed in the RMF, but there is no guidance on how to track it or factor it into an overall risk status. Once agencies expand their RMF to include these other data sources, they can use the best practices built into SP 800-37 to help develop security, staffing, and training roadmaps. They can use this type of risk intelligence to show the gaps in security programs and help agency leaders make informed decisions on IT spending and initiatives. Agencies can also use the framework provided by NIST in SP 800-37 to develop a complete security program that leverages both threat and risk intelligence to improve the overall security posture.