Are you ready for the next big cyber deadline?
Friday - 1/31/2014, 12:08pm EST
By the time you read this, hopefully, you're confident in your agency's information security continuous monitoring (ISCM) strategy required for the Feb. 28 deadline from the Office of Management and Budget.
Or are you?
It's easy to grumble about what appears to be yet another paper-pushing exercise on top of so many others. But keep in mind that the Department of Homeland Security's CDM program is about far more than compliance: it swings the pendulum toward near real-time, proactive security and does away with reliance on static, infrequent, paper-bound reporting that can give a false sense of security.
A well-considered strategy that includes an objective self-audit will help set the agency's transition course and determine which CDM products and services offered through the CDM blanket purchase agreement make the most sense for closing agency gaps and deficiencies. While any self-assessment can be tricky, an incisive and honest evaluation (self-conducted or through a third-party assessor) can define the roadmap and the resources the agency should take advantage of — whether all of DHS' resources, none, or some hybrid approach to effect the best CDM program.
In light of these latest requirements, the following should be considered in solidifying your ISCM strategy:
- How will you implement ongoing authorization of information systems? Detail your plan for moving from static, three-year reauthorization to authorization to operate on an ongoing basis. Consider any changes from the perspective of an authorizing official, such as modifications in his or her role and responsibilities, changes in authorization support documentation, and the impact of automation on the authorization process. An important aspect of this description is defining the types of incidents, events and actions that require re-evaluation of a system's authorization (for example, the compromise of personally identifiable information or a change in operating system).
- How will continuous monitoring affect security control assessments? Although the ISCM strategy need not specify how every control will be tested for every system, it must at least document all controls that will be assessed by automated means (access enforcement, protection of audit information, etc.). Describe how you will assess security controls, including controls common to multiple information systems, for effectiveness: the assessment type and frequency for all system-specific, common and hybrid controls in every control family, and how results will be documented.
- How will you employ standardized products for continuous monitoring? How will hardware and software asset management, configuration management and vulnerability management tools be deployed across the enterprise? Describe in the ISCM strategy how the agency will migrate to the DHS Continuous Diagnostics and Mitigation (CDM) BPA for the acquisition of continuous monitoring products and services. In particular, the plan must cover the phase-out of existing contracts and how resources will be transitioned to the BPA. Perhaps as important as defining how the various divisions and offices will adopt these products and processes is defining the milestones that will drive decision making on this potentially contentious issue.
- How will you implement continuous monitoring across the enterprise? Document how the agency will implement ISCM agencywide, including plans for transitioning the various organizational elements to standardized products and processes, along with the actions to be taken, responsibilities for their execution and milestones for their completion. For example, the plan should list when each office and division will meet agency standards for asset management, configuration management, vulnerability scanning and incident response.
- How will your continuous monitoring systems interface with the governmentwide dashboard? Even though DHS has not yet identified specific metrics, the agency ISCM strategy should address how the metrics defined in the fiscal 2013 FISMA Reporting Instructions will be collected and fed to the government dashboard, CyberScope. This must include a description of the processes currently in place for CyberScope submissions, as well as a notional idea of how data from agency sensors will be aggregated, analyzed and transmitted to the federal dashboard once DHS has defined the data requirements.
Finally, agencies must consider how ISCM applies to their information and to systems owned or operated by contractors. The strategy must explain how third parties will comply with ISCM requirements. This section must describe the process the agency will use to collect compliance data from external service providers on an ongoing basis and how assessments of their operations will be conducted. FedRAMP provides agencies a mechanism for ensuring that contractors and third parties employ ISCM to protect agency data.
The OMB memo recognizes that CDM is complicated, with many moving parts; hence the importance of the ISCM strategy and the emphasis on this milestone. Rather than merely satisfying a requirement well enough to withstand Inspector General scrutiny, the strategy should truly function as a CDM roadmap and migration path — one that takes into account the agency's security maturity and existing capabilities, capitalizes on what it has and does well, and closes the gaps with DHS' security resources to achieve the best return on investment with the least amount of disruption.
Patrick Howard is a senior information security consultant for Kratos/SecureInfo, and is the former chief information security officer at the Nuclear Regulatory Commission and the Department of Housing and Urban Development. He can be reached at Patrick.email@example.com.