May 27 2010

Cybersecurity: Continuous Monitoring Is a Must

As NIST prepares to issue draft monitoring guidance, agencies are urged to apply automated tools wherever possible.

Automate what you can when it comes to keeping watch over your agency’s networks.

That’s the message from the National Institute of Standards and Technology and the Homeland Security Department’s National Cyber Security Division, which has taken over from the Office of Management and Budget the mantle of overseeing federal network security and FISMA efforts.

Automated monitoring is Step 1 in improving the security posture of the government, says Matt Coose, the division’s director of federal network security, who spoke this week during a panel discussion at the Management of Change Conference in Philadelphia.

To help agencies, NIST soon will issue continuous monitoring guidance that calls for a three-tiered approach, says Marianne Swanson, senior adviser for information security at the standards agency. Agencies need to monitor at the enterprise, mission and system levels to be successful, she advises.

Admittedly, notes Coose, there’s no single agreed-upon way to categorize all security variables. Nonetheless, agencies should automate what they can, and he points to four categories for which decent tools are available: inventory management, configuration management, vulnerability management and patch management.

“The standards are mature and the tools are out there,” he says, adding that agencies, at minimum, need to get these foundational pieces in place.

“Create a list, and do what’s on the list,” he recommends. Most important, don’t get overwhelmed by what needs to be done.

For that reason, his office has set a short list for itself as well:

  • Assess: That means answering a few questions. What are the threats? What are they doing? How are they getting in?
  • Influence policy: The DHS team will work within existing frameworks to drive needed changes, Coose says. For now, the Federal Information Security Management Act remains the “uber cybersecurity policy,” he points out, “because whatever gets measured gets done.”
  • Drive (and enable) agencies to improve their security posture: What can the division do to help agencies get programs, policies and tools in place? Some things include identifying best-of-breed approaches and sharing them as reference architectures, defining requirements for tools and services, and even standing up shared service centers to provide cybersecurity services where needed.
  • Measure and monitor how it’s going: The division will need to know if it’s driving the right capabilities and determine “who’s doing what well” so it can push out best practices governmentwide, Coose says.

Meanwhile, retooled FISMA regulations are making their way through the legislative process on Capitol Hill. Although the systems certification and accreditation process remains intact, the main thrust of the updated law is its focus on data, says Erik Hopkins, staff member on the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.

“What we care about is the protection of the information,” Hopkins says.

That’s where the emphasis should be, says Devon Bryan, deputy associate CIO for cybersecurity at the Internal Revenue Service. There’s no reason to buck these directives coming from the administration, NIST and Congress, Bryan says. “It’s foundational to what we should have been doing all along,” he says.

Ultimately, the question has to be: Are agencies reducing risk by doing the things they are doing? “At the end of the day, that’s really what matters,” Coose says.