Welcome!

Agile Computing Authors: LeanTaaS Blog, Yeshim Deniz, Elizabeth White, Larry Alton, Pat Romanski

Related Topics: @CloudExpo, Agile Computing, Cloud Security

@CloudExpo: Blog Post

Keys to Success for Continuous Monitoring in Government | @CloudExpo [#Cloud]

Though it’s become a popular concept, continuous monitoring wasn’t always in vogue

Three Keys to Success for Continuous Monitoring in Government

In recent years, the US government has become a leading advocate for continuous monitoring of security threats and vulnerabilities. But how effectively are departments and agencies in implementing these programs? And how do we measure success?

Moving Towards Continuous Monitoring
Though it's become a popular concept, continuous monitoring wasn't always in vogue. When the Federal Information Security Management Act (FISMA) was enacted in 2002, the law required agencies to document security practices, including taking inventory of information systems and writing security plans. External firms would audit the plans and grade departments and agencies based on their efforts.

This approach earned two main critiques. First, though agencies may have had well documented security programs, they weren't necessarily implementing those programs effectively. In fact, during the mid-2000s, security experts showed that agencies could achieve good grades in these audits but still be the victims of significant data breaches. Second, the focus on documentation usually meant that agencies were spending more time writing their policies than implementing the actual security controls.

In recent years, Congress expressed bipartisan, bicameral disapproval of the way that government was approaching cybersecurity. In 2009, Senator Tom Carper of Delaware said, "Too often we have agencies who manage what we call paper compliance rather than really addressing the security of their networks. We want to go beyond paper compliance." Congressmen Darrell Issa and Elijah Cummings echoed this sentiment, stating, "A check-the-box mentality will never be a match for the creativity of a hacker attempting to fly under the radar and access that agency's secrets."

In 2014, after years of oversight and investigation, a new FISMA law was enacted. This law shifts the focus of agencies away from policy-based reporting to reporting of specific threat, incident, and compliance information. The new law also seeks to eliminate inefficient or wasteful reporting requirements that would allow federal agencies to allocate more resources for protection, rather than paperwork.

Last month, the Office of Management and Budget (OMB) issued an annual report to Congress describing agency efforts in implementing FISMA. The report reveals that continuous monitoring systems are being widely adopted throughout the government: 19 agencies now have programs in place. This is a big step in the right direction; however, there are three key areas for improvement.

Keys to Future Success
First, to truly evaluate continuous monitoring programs, the OMB must move towards automated reporting of agency data. For instance, the OMB asked departments about the percentage of email systems with anti-spoofing technologies when sending and receiving messages. Several departments, as shown in the figure below from the OMB's annual report on FISMA, stated that they are implementing anti-spoofing technologies on 100% of inbound and outbound traffic during FY 2014:

Percentage of Email Systems Implementing Anti-Spoofing Technologies

Second, quantifiable metrics are needed to measure the effectiveness of continuous monitoring programs. The OMB reported that on average, 92% of government assets are under continuous monitoring programs. While this is an impressive number, it doesn't tell us much about the effectiveness of continuous monitoring in reducing threats and vulnerabilities to government networks.

For starters, measuring the average amount of time taken to resolve security incidents would provide valuable insight into these programs. In February, the Obama administration listed breach detection and incident response time as one of its five priorities for cybersecurity. Future OMB reports should incorporate these and other "timeliness" metrics in order to truly evaluate the effectiveness of a continuous monitoring program. In order to report these metrics, departments and agencies need to adopt continuous performance monitoring that will allow them to measure and benchmark their effectiveness in key areas.

Last, the current definition of "continuous monitoring" in FISMA is limited to departments and agencies and does not include third parties. As we learned in the cyber attack against Target, third-party vendors can pose significant risk to organizational security. The government's continuous monitoring metrics for FISMA include "automated asset, configuration, and vulnerability management... of the assets connected to the organization." But tens of thousands of third parties hold sensitive data or perform services on behalf of the government. Establishing continuous assessment of critical vendors is an important initiative for the government to get a better handle on its own data risk.

Thanks to tremendous leadership from the executive and legislative branches, FISMA has progressed significantly from a "check-the-box" exercise. While more work is left to fully implement continuous monitoring solutions, the eventual outcome will be a more secure, resilient federal cyber ecosystem.

More Stories By Jacob Olcott

Jacob Olcott is Vice President of Business Development at BitSight Technologies. He previously managed the cybersecurity consulting practice at Good Harbor Security Risk Management. Prior to Good Harbor, he served as legal advisor to the Senate Commerce Committee, and also served as counsel to the House of Representatives Homeland Security Committee.

He completed his education at the University of Texas at Austin and the University of Virginia School of Law.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, examined the regulations and provided insight on how it affects technology, challenges the established rules and will usher in new levels of diligence arou...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and simple way to introduce Machine Leaning to anyone and everyone. He solved a machine learning problem and demonstrated an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intelligence and B...
"Digital transformation - what we knew about it in the past has been redefined. Automation is going to play such a huge role in that because the culture, the technology, and the business operations are being shifted now," stated Brian Boeggeman, VP of Alliances & Partnerships at Ayehu, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Synametrics Technologies will exhibit at SYS-CON's 22nd International Cloud Expo®, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Synametrics Technologies is a privately held company based in Plainsboro, New Jersey that has been providing solutions for the developer community since 1997. Based on the success of its initial product offerings such as WinSQL, Xeams, SynaMan and Syncrify, Synametrics continues to create and hone inn...
"Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
The 22nd International Cloud Expo | 1st DXWorld Expo has announced that its Call for Papers is open. Cloud Expo | DXWorld Expo, to be held June 5-7, 2018, at the Javits Center in New York, NY, brings together Cloud Computing, Digital Transformation, Big Data, Internet of Things, DevOps, Machine Learning and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding busin...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
Nordstrom is transforming the way that they do business and the cloud is the key to enabling speed and hyper personalized customer experiences. In his session at 21st Cloud Expo, Ken Schow, VP of Engineering at Nordstrom, discussed some of the key learnings and common pitfalls of large enterprises moving to the cloud. This includes strategies around choosing a cloud provider(s), architecture, and lessons learned. In addition, he covered some of the best practices for structured team migration an...
No hype cycles or predictions of a gazillion things here. IoT is here. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, an Associate Partner of Analytics, IoT & Cybersecurity at M&S Consulting, presented a step-by-step plan to develop your technology implementation strategy. He also discussed the evaluation of communication standards and IoT messaging protocols, data...
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, discussed how they built...
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
DevOps at Cloud Expo – being held June 5-7, 2018, at the Javits Center in New York, NY – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Among the proven benefits,...
@DevOpsSummit at Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, is co-located with 22nd Cloud Expo | 1st DXWorld Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait...
SYS-CON Events announced today that T-Mobile exhibited at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on qua...