Welcome!

Agile Computing Authors: Liz McMillan, Yeshim Deniz, Elizabeth White, William Schmarzo, Pat Romanski

Related Topics: @CloudExpo, Agile Computing, Cloud Security

@CloudExpo: Blog Post

Keys to Success for Continuous Monitoring in Government | @CloudExpo [#Cloud]

Though it’s become a popular concept, continuous monitoring wasn’t always in vogue

Three Keys to Success for Continuous Monitoring in Government

In recent years, the US government has become a leading advocate for continuous monitoring of security threats and vulnerabilities. But how effectively are departments and agencies in implementing these programs? And how do we measure success?

Moving Towards Continuous Monitoring
Though it's become a popular concept, continuous monitoring wasn't always in vogue. When the Federal Information Security Management Act (FISMA) was enacted in 2002, the law required agencies to document security practices, including taking inventory of information systems and writing security plans. External firms would audit the plans and grade departments and agencies based on their efforts.

This approach earned two main critiques. First, though agencies may have had well documented security programs, they weren't necessarily implementing those programs effectively. In fact, during the mid-2000s, security experts showed that agencies could achieve good grades in these audits but still be the victims of significant data breaches. Second, the focus on documentation usually meant that agencies were spending more time writing their policies than implementing the actual security controls.

In recent years, Congress expressed bipartisan, bicameral disapproval of the way that government was approaching cybersecurity. In 2009, Senator Tom Carper of Delaware said, "Too often we have agencies who manage what we call paper compliance rather than really addressing the security of their networks. We want to go beyond paper compliance." Congressmen Darrell Issa and Elijah Cummings echoed this sentiment, stating, "A check-the-box mentality will never be a match for the creativity of a hacker attempting to fly under the radar and access that agency's secrets."

In 2014, after years of oversight and investigation, a new FISMA law was enacted. This law shifts the focus of agencies away from policy-based reporting to reporting of specific threat, incident, and compliance information. The new law also seeks to eliminate inefficient or wasteful reporting requirements that would allow federal agencies to allocate more resources for protection, rather than paperwork.

Last month, the Office of Management and Budget (OMB) issued an annual report to Congress describing agency efforts in implementing FISMA. The report reveals that continuous monitoring systems are being widely adopted throughout the government: 19 agencies now have programs in place. This is a big step in the right direction; however, there are three key areas for improvement.

Keys to Future Success
First, to truly evaluate continuous monitoring programs, the OMB must move towards automated reporting of agency data. For instance, the OMB asked departments about the percentage of email systems with anti-spoofing technologies when sending and receiving messages. Several departments, as shown in the figure below from the OMB's annual report on FISMA, stated that they are implementing anti-spoofing technologies on 100% of inbound and outbound traffic during FY 2014:

Percentage of Email Systems Implementing Anti-Spoofing Technologies

Second, quantifiable metrics are needed to measure the effectiveness of continuous monitoring programs. The OMB reported that on average, 92% of government assets are under continuous monitoring programs. While this is an impressive number, it doesn't tell us much about the effectiveness of continuous monitoring in reducing threats and vulnerabilities to government networks.

For starters, measuring the average amount of time taken to resolve security incidents would provide valuable insight into these programs. In February, the Obama administration listed breach detection and incident response time as one of its five priorities for cybersecurity. Future OMB reports should incorporate these and other "timeliness" metrics in order to truly evaluate the effectiveness of a continuous monitoring program. In order to report these metrics, departments and agencies need to adopt continuous performance monitoring that will allow them to measure and benchmark their effectiveness in key areas.

Last, the current definition of "continuous monitoring" in FISMA is limited to departments and agencies and does not include third parties. As we learned in the cyber attack against Target, third-party vendors can pose significant risk to organizational security. The government's continuous monitoring metrics for FISMA include "automated asset, configuration, and vulnerability management... of the assets connected to the organization." But tens of thousands of third parties hold sensitive data or perform services on behalf of the government. Establishing continuous assessment of critical vendors is an important initiative for the government to get a better handle on its own data risk.

Thanks to tremendous leadership from the executive and legislative branches, FISMA has progressed significantly from a "check-the-box" exercise. While more work is left to fully implement continuous monitoring solutions, the eventual outcome will be a more secure, resilient federal cyber ecosystem.

More Stories By Jacob Olcott

Jacob Olcott is Vice President of Business Development at BitSight Technologies. He previously managed the cybersecurity consulting practice at Good Harbor Security Risk Management. Prior to Good Harbor, he served as legal advisor to the Senate Commerce Committee, and also served as counsel to the House of Representatives Homeland Security Committee.

He completed his education at the University of Texas at Austin and the University of Virginia School of Law.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
If a machine can invent, does this mean the end of the patent system as we know it? The patent system, both in the US and Europe, allows companies to protect their inventions and helps foster innovation. However, Artificial Intelligence (AI) could be set to disrupt the patent system as we know it. This talk will examine how AI may change the patent landscape in the years to come. Furthermore, ways in which companies can best protect their AI related inventions will be examined from both a US and...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of San...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
Chris Matthieu is the President & CEO of Computes, inc. He brings 30 years of experience in development and launches of disruptive technologies to create new market opportunities as well as enhance enterprise product portfolios with emerging technologies. His most recent venture was Octoblu, a cross-protocol Internet of Things (IoT) mesh network platform, acquired by Citrix. Prior to co-founding Octoblu, Chris was founder of Nodester, an open-source Node.JS PaaS which was acquired by AppFog and ...
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...