Automate what you can when it comes to keeping watch over your agency’s networks.
That’s the message from the National Institute of Standards and Technology and the Homeland Security Department’s National Cyber Security Division, which has been passed the mantle of overseeing federal network security and FISMA efforts from the Office of Management and Budget.
Automated monitoring is Step 1 in improving the security posture of the government, says Matt Coose, the division’s director of federal network security, who spoke this week during a panel discussion at the Management of Change Conference in Philadelphia.
To help agencies, NIST soon will issue continuous monitoring guidance that calls for a three-tiered approach, says Marianne Swanson, senior adviser for information security at the standards agency. Agencies need to monitor at the enterprise, mission and system levels to be successful, she advises.
Admittedly, notes Coose, there’s no single agreed-upon way to categorize all security variables. Nonetheless, agencies should automate what they can, and he points to four categories for which decent tools are available: inventory management, configuration management, vulnerability management and patch management.
“The standards are mature and the tools are out there,” he says, adding that agencies, at minimum, need to get these foundational pieces in place.
“Create a list, and do what’s on the list,” he recommends. Most important, don’t get overwhelmed by what needs to be done.
For that reason, his office has set a short list for itself as well:
Meanwhile, retooled FISMA regulations are making their way through the legislative process on Capitol Hill. Although the systems certification and accreditation process remains intact, the main thrust of the updated law is its focus on data, says Erik Hopkins, staff member on the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.
“What we care about is the protection of the information,” Hopkins says.
That’s where the emphasis should be, says Devon Bryan, deputy associate CIO for cybersecurity at the Internal Revenue Service. There’s no reason to buck these directives coming from the administration, NIST and Congress, Bryan says. “It’s foundational to what we should have been doing all along,” he says.
Ultimately, the question has to be: Are agencies reducing risk by doing the things they are doing? “At the end of the day, that’s really what matters,” Coose says.