Why continuous monitoring is gaining popularity

More and more agencies are gearing up to deploy continuous monitoring as a means of complying with FISMA. What is it, and will it come to your agency soon?

Continuous monitoring is gaining a lot of buzz, but what is it, exactly?

Eric Chabrow is executive editor at GovInfoSecurity.com and blogs about the federal government and privacy.

He says continuous monitoring is becoming a hot topic because, under FISMA, agencies have to report how they protect their information systems. The law, though, isn’t very specific, and this is where new concepts come in.

“[It’s] using tools to actually measure and observe what the computer systems are doing. Continuous monitoring doesn’t mean constant monitoring. It’s not being done constantly. The State Department, for example, does it about once a day — checking its servers and PCs through its international networks.”

Chabrow explains that it isn’t just a buzzword, either, or the latest trend. It’s the direction in which the Office of Management and Budget wants to go.

In April, OMB issued guidance regarding FISMA and is now requiring that agencies submit real-time data about the state of their networks.

Federal News Radio has been telling you that several agencies are already working to meet this goal.

“The difference between the traditional way of complying through FISMA — you would check off . . . an area [about doing] patches of IT systems to make sure that they’re updated with their security software. Well, with continuous monitoring the agency would be automatically alerted about whether a PC or a server has received the patch. So, it’s not as if they’re just saying, ‘Yes, we’re doing it,’ [OMB] can actually tell if it’s being done.”

The goal is to reduce the measurable risks that agencies are facing. When it comes to cybersecurity, many threats are out there that contain unknowns, which is why actions like continuous monitoring are seen as so important.

Why fight battles against known enemies while you are struggling to defend against unknowns, too?

For lessons learned and best practices, Chabrow cites the State Department as a good example of an agency that has really hit the ground running with continuous monitoring.

You can read all about it in his blog, but one thing he does emphasize is the financial aspect.

“One number that’s been mentioned a lot has been the amount of money that the State Department has spent on compliance under FISMA. They estimate that, over a six year period, they’ve spent $133 million on what they call the three-ring binders that they submit to show that they’re secure. In communicating with [State’s CISO], he didn’t give me a price tag on what [continuous monitoring] costs, but it’s not cheap. In fact, there’s a certain disruption that goes on. He said that, under FISMA they had something like 60 writers of these . . . Reports. Now they have a workforce of 4,100-plus technicians.”

So, continuous monitoring is more expensive and requires more manpower. Is it worth it?

Chabrow says he’s talked to several federal CIOs and CISOs who say, yes, it is a bit disruptive, but it is the job of the CIO to alleviate fears of both agency heads and their employees.

While the concept is still relatively new, Chabrow also notes that continuous monitoring is not a silver bullet, nor is it being regarded as one.

“It’s a step in the right direction. Actually seeing what your systems are doing, rather than having a human saying, ‘this is what we’re supposed to be doing’.”

Email the author of this post at dramienski@federalnewsradio.com


This story is part of the Federal News Radio Cybersecurity Update – Tune in weekdays at 30 minutes past the hour for the latest cybersecurity news on The Federal Drive with Tom Temin and Amy Morris (6-10 a.m.) and DorobekInsider with Chris Dorobek (3-5 p.m.).

        Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.