We couldn’t agree more.

Last month, TalaTek team members attended a conference offered by CyberSecurity Seminars in partnership with Crowell & Moring LLP. It had the intriguing title “FISMA – A New Path Forward.” What we heard was that others were beginning to use the approach we have been advocating since 2006.

John Streufert, Deputy CISO at the Department of State, a key presenter, talked about the vast improvements State has seen in their second year of Continuous Monitoring as a result of their new “Continuous C&A (Certification and Accreditation)” process – which he described as “effective, real-time security, not just a snapshot in time.”

According to Streufert, the Department of State has seen an 89% reduction in domestic incidents in the last year as a result of its new Continuous Monitoring approach. For context, he said State had been seeing 6,000 incidents per year, that threats have tripled over the last three years, and that malicious code doubled in 2008-2009.

Streufert gave a thorough explanation of the Department of State’s new approach. Its key characteristics include:

  • Frequent scans (every 2-15 days), with a goal of scanning every 36-72 hours in the near future
  • A focus on the technical controls
  • A focus on known vulnerabilities and configuration management, which 80% of attacks leverage

Streufert’s advice to attendees was:

  1. Focus your aim: use the Consensus Audit Guidelines, and target anti-malware defenses (CAG-12), because 60% of US-CERT reports focused on them.
  2. Set metrics, and hold staff and managers directly responsible for continuous improvement.
  3. Invest in the right tools for everything – automation is key.
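As an added illustration (not code from this post, from TalaTek, or from the Department of State), the Python sketch below puts the two lists above into working form: it checks a host inventory against the scan-cadence target, and it rolls open known-vulnerability and configuration findings up per owner so the numbers can be put in front of the manager who is accountable for them. The host names, owners, timestamps and findings are constructed sample data; the 72-hour default cutoff is the upper end of the 36-72 hour target quoted above, and the fixed clock exists only so the output is reproducible.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data, not real scan output: one record per host with the
# time of its last scan and the open findings the scanner reported, each
# tagged as a known vulnerability ("vuln") or a configuration deviation ("config").
NOW = datetime(2010, 11, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for repeatable results

SCAN_RESULTS = [
    {"host": "web01", "owner": "app-team", "last_scan": NOW - timedelta(hours=20),
     "findings": [("vuln", "high"), ("config", "medium")]},
    {"host": "web02", "owner": "app-team", "last_scan": NOW - timedelta(hours=90),
     "findings": [("vuln", "critical"), ("vuln", "high")]},
    {"host": "db01", "owner": "dba-team", "last_scan": NOW - timedelta(hours=48),
     "findings": [("config", "high")]},
    {"host": "fs01", "owner": "infra-team", "last_scan": NOW - timedelta(days=12),
     "findings": []},
]


def stale_hosts(results, now=NOW, max_age_hours=72):
    """Return the hosts whose last scan is older than the cadence target.

    A host that has not been scanned inside the window is a blind spot in the
    risk picture no matter what its last scan showed, so it is reported on its
    own rather than counted as "clean".
    """
    cutoff = now - timedelta(hours=max_age_hours)
    return sorted(r["host"] for r in results if r["last_scan"] < cutoff)


def owner_metrics(results, now=NOW, max_age_hours=72):
    """Per-owner counts a manager can be held to: hosts, hosts out of
    cadence, open known vulnerabilities and open configuration deviations."""
    stale = set(stale_hosts(results, now, max_age_hours))
    metrics = defaultdict(lambda: {"hosts": 0, "stale": 0, "vuln": 0, "config": 0})
    for r in results:
        m = metrics[r["owner"]]
        m["hosts"] += 1
        if r["host"] in stale:
            m["stale"] += 1
        for kind, _severity in r["findings"]:
            m[kind] += 1  # kind is "vuln" or "config"
    return dict(metrics)


if __name__ == "__main__":
    print("out of cadence (>72h):", stale_hosts(SCAN_RESULTS))
    print("out of cadence (>36h):", stale_hosts(SCAN_RESULTS, max_age_hours=36))
    for owner, m in sorted(owner_metrics(SCAN_RESULTS).items()):
        print(f"{owner}: {m}")
```

Tightening the cadence from 72 to 36 hours is a one-argument change, which is the point: the same data and the same report show how many more hosts fall out of the window as the target gets stricter, and the per-owner table is what makes item 2 (metrics and accountability) more than a slogan.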

Ron Ross from NIST (National Institute of Standards and Technology) spoke about recent NIST initiatives aimed at improving security performance in enterprise-wide risk management by concentrating on Tier 1, Organization (governance), to determine the organization’s risk strategy, and on Tier 2, Mission (business process). He said, “In the past we’ve been focusing on Tier 3 alone, Information Systems (Environment of Operation), and that puts you in the position of ‘just chasing risk.’ Tier 1 and 2 drive Tier 3.”

Ross also said that NIST and DOD (Department of Defense) are collaborating on several new documents, consistent with both FISMA and DIACAP guidelines. When asked whether the NASA security memo, which de-emphasizes C&A, deviates from FISMA, Ross said, “No, the NASA memo doesn’t deviate because FISMA guidelines are positioned at near real-time analysis already.” Of course, the recent Stuxnet attack came up, and Ross said, “now there are lots of imitators and this has shown us that threats no longer just come through the front door (the network), but in other ways as well (e.g., controllers, thumb drives).”

Matt Coos, who heads a new DHS (Department of Homeland Security) Continuous Monitoring working group charged with improving the Continuous Monitoring process, said that one of the group’s main focuses is making the process less manual and more automated. The group is also encouraging agencies to feed security data into NOCs and SOCs, which can audit and analyze it.

All good news.

It was tremendously heartening to hear that several government agencies are using tools similar to TalaTek’s automated FISMA Continuous Monitoring Solution. Those are precisely the types of tools required to implement effective continuous monitoring while keeping costs in check.

From the very beginning, our goal has been to provide organizations with solutions that combine near-real-time continuous monitoring of technical controls with monitoring of management and operational controls, giving a more complete picture of risk. With more and more federal agencies using this approach, our work will be easier, since we won’t have to educate as fully as we do now.