Why continuous monitoring is gaining popularity
Friday - 6/25/2010, 3:38pm EDT
Chabrow says continuous monitoring is becoming a hot topic because, under FISMA, agencies have to report how they protect their information systems. The law, though, isn't very specific, and this is where new concepts come in.
"[It's] using tools to actually measure and observe what the computer systems are doing. Continuous monitoring doesn't mean constant monitoring. It's not being done constantly. The State Department, for example, does it about once a day -- checking its servers and PCs through its international networks."
Chabrow explains that it isn't just a buzzword, either, or the latest trend. It's the direction in which the Office of Management and Budget wants to go.
In April, OMB issued guidance regarding FISMA and is now requiring that agencies submit real-time data about the state of their networks.
Federal News Radio has been telling you that several agencies are already working to meet this goal.
"The difference between the traditional way of complying through FISMA -- you would check off . . . an area [about doing] patches of IT systems to make sure that they're updated with their security software. Well, with continuous monitoring the agency would be automatically alerted about whether a PC or a server has received the patch. So, it's not as if they're just saying, 'Yes, we're doing it,' [OMB] can actually tell if it's being done."
The goal is to reduce the measurable risks that agencies are facing. When it comes to cybersecurity, many threats are out there that contain unknowns, which is why actions like continuous monitoring are seen as so important.
Why fight battles against known enemies while you are struggling to defend against unknowns, too?
For lessons learned and best practices, Chabrow cites the State Department as a good example of an agency that has really hit the ground running with continuous monitoring.
You can read all about it in his blog, but one thing he does emphasize is the financial aspect.
"One number that's been mentioned a lot has been the amount of money that the State Department has spent on compliance under FISMA. They estimate that, over a six-year period, they've spent $133 million on what they call the three-ring binders that they submit to show that they're secure. In communicating with [State's CISO], he didn't give me a price tag on what [continuous monitoring] costs, but it's not cheap. In fact, there's a certain disruption that goes on. He said that, under FISMA they had something like 60 writers of these . . . reports. Now they have a workforce of 4,100-plus technicians."
So, continuous monitoring is more expensive and requires more manpower. Is it worth it?
Chabrow says he's talked to several federal CIOs and CISOs who say, yes, it is a bit disruptive, but it is the job of the CIO to alleviate fears of both agency heads and their employees.
While the concept is still relatively new, Chabrow also notes that continuous monitoring is not a silver bullet, nor is it being regarded as one.
"It's a step in the right direction. Actually seeing what your systems are doing, rather than having a human saying, 'this is what we're supposed to be doing'."
This story is part of the Federal News Radio Cybersecurity Update - Tune in weekdays at 30 minutes past the hour for the latest cybersecurity news on The Federal Drive with Tom Temin and Amy Morris (6-10 a.m.) and DorobekInsider with Chris Dorobek (3-5 p.m.). Listen live at FederalNewsRadio.com or on the radio at 1500 and 820 AM in the Washington, D.C. metro area.