Continuous monitoring requires strong leadership — and software
Tuesday - 10/25/2011, 9:22am EDT
Federal News Radio
For federal agencies, staying compliant with FISMA — the Federal Information Security Management Act — can feel like an endless process.
And in the ever-shifting world of federal IT and cybersecurity, to some extent, it is never-ending.
However, there's a new guide to help agencies meet their continuous monitoring requirements.
Bruce Levinson, the editor of FISMA Focus at the Center for Regulatory Effectiveness, joined the Federal Drive with Tom Temin and Amy Morris to discuss the center's recent survey on agency FISMA compliance.
That report focused on FISMA best practices, through the lens of one agency's use of continuous monitoring to combat cyber threats.
NASA's Earth Observing System and its security team used continuous monitoring to prevent breaches of its systems following the high-profile hack of government contractor RSA, which provides authentication systems to the government.
"Through a combination of initiative and creativity by the NASA EOS Security Team and their use of sophisticated software for continuous monitoring which could adapt to changing needs on-the-fly, the team prevented the agency's information system security from being breached," CRE's report found.
The center, using standards and guidance from the National Institute of Standards and Technology and the Homeland Security Department, points to three broad principles of FISMA compliance:
- Leadership, from both agency leaders and guidance emanating from the Office of Management and Budget.
- The human element. "You need both the human element and the software capabilities together," Levinson said. NASA used a software package known as Splunk, which analyzes machine data from a variety of systems in real time.
- Real-time continuous monitoring. "You need to be able to analyze the data coming in and address it — change your queries, change what you're looking for — and deal with it on a real-time basis," he added.
Levinson said responsibility for agency cybersecurity extends beyond only agency chief information officers and chief information security officers. While those officials set priorities and direction, "we also need to look at the working-level staff," Levinson said. "These are the people who make it all possible."
And despite the focus on high-tech fixes and software patches, it's important to remember not everything can be automated, he added.
This story is part of Federal News Radio's daily Cybersecurity Update.