Continuous monitoring requires strong leadership and software

Tuesday - 10/25/2011, 9:22am EDT

Bruce Levinson, Center for Regulatory Effectiveness

Download mp3

By Jack Moore
Federal News Radio

For federal agencies, staying compliant with FISMA — the Federal Information Security Management Act — can feel like an endless process.

And in the ever-shifting world of federal IT and cybersecurity, to some extent, it is never-ending.

However, there's a new guide to help agencies meet their continuous monitoring requirements.

Bruce Levinson, the editor of FISMA Focus at the Center for Regulatory Effectiveness, joined the Federal Drive with Tom Temin and Amy Morris to discuss the center's recent survey on agency FISMA compliance.

That report focused on FISMA best practices, through the lens of one agency's use of continuous monitoring to combat cyber threats.

NASA's Earth Observing System and its security team used continuous monitoring to prevent breaches of its systems following the high-profile hack of government contractor RSA, which provides authentication systems to the government.

"Through a combination of initiative and creativity by the NASA EOS Security Team and their use of sophisticated software for continuous monitoring which could adapt to changing needs on-the-fly, the team prevented the agency's information system security from being breached," CRE's report found.

The center, using standards and guidance from the National Institute of Standards and Technology and the Homeland Security Department, points to three broad principles of FISMA compliance:

  • Leadership, from both agency leaders and guidance emanating from the Office of Management and Budget.

  • The human element. "You need both the human element and the software capabilities together," Levinson said. NASA used a software package known as Splunk, which analyzes machine data from a variety of systems in real time.

  • Real-time continuous monitoring. "You need to be able to analyze the data coming in and address it — change your queries, change what you're looking for — and deal with it on a real-time basis," he added.

Levinson said responsibility for agency cybersecurity extends beyond only agency chief information officers and chief information security officers. While those officials set priorities and direction, "we also need to look at the working-level staff," Levinson said. "These are the people who make it all possible."

And despite the focus on high-tech fixes and software patches, it's important to remember not everything can be automated, he added.

CRE's Federal Cyber Security Best Practices

This story is part of Federal News Radio's daily Cybersecurity Update. For more cybersecurity news, click here.