He says continuous monitoring is becoming a hot topic because, under FISMA, agencies have to report how they protect their information systems. The law, though, isn’t very specific, and this is where new concepts come in.
“[It’s] using tools to actually measure and observe what the computer systems are doing. Continuous monitoring doesn’t mean constant monitoring. It’s not being done constantly. The State Department, for example, does it about once a day — checking its servers and PCs through its international networks.”
Chabrow explains that it isn’t just a buzzword, either, or the latest trend. It’s the direction in which the Office of Management and Budget wants to go.
In April, OMB issued guidance regarding FISMA and is now requiring that agencies submit real-time data about the state of their networks.
Federal News Radio has been telling you that several agencies are already working to meet this goal.
“The difference between the traditional way of complying through FISMA — you would check off . . . an area [about doing] patches of IT systems to make sure that they’re updated with their security software. Well, with continuous monitoring the agency would be automatically alerted about whether a PC or a server has received the patch. So, it’s not as if they’re just saying, ‘Yes, we’re doing it,’ [OMB] can actually tell if it’s being done.”
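The contrast the quote draws, a checked box versus an automatically observed patch state, is easy to show in code. The following is an added example written for this page, not code from the article, from Chabrow, or from any agency; the hostnames, patch identifiers, timestamps and the one-day reporting interval are all constructed. It evaluates a snapshot of agent reports against a required-patch list, treats a report older than the check interval as unknown rather than compliant, and flags where a self-attestation of "patches current" disagrees with the measured evidence.

```python
"""Added example (not from the article): an automated patch-state check of the
kind the quote describes, run over a constructed inventory snapshot instead of a
self-attested checklist. All hostnames, patch IDs and timestamps are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Patches that policy says every host must have installed (constructed IDs).
REQUIRED_PATCHES = {"KB-0001", "KB-0002", "KB-0003"}

# Check interval: the article says State checks roughly once a day, so an agent
# report older than this is treated as stale evidence, not as compliance.
MAX_REPORT_AGE = timedelta(days=1)


@dataclass
class HostReport:
    hostname: str
    installed: set           # patch IDs the agent actually observed on the host
    reported_at: datetime    # when the agent last reported in


def evaluate(reports, now):
    """Return {hostname: [findings]}. An empty list means the host is
    compliant on fresh evidence; anything else needs attention."""
    findings = {}
    for r in reports:
        issues = []
        age = now - r.reported_at
        if age > MAX_REPORT_AGE:
            issues.append(f"stale report ({age.days}d old): compliance unknown")
        missing = sorted(REQUIRED_PATCHES - r.installed)
        if missing:
            issues.append("missing patches: " + ", ".join(missing))
        findings[r.hostname] = issues
    return findings


def summarize(findings):
    """Counts a reviewer can compare against what the agency attested."""
    total = len(findings)
    compliant = sum(1 for issues in findings.values() if not issues)
    return {"hosts": total, "compliant": compliant, "noncompliant": total - compliant}


def attestation_contradicted(attestation, findings):
    """Hosts the checklist declared current but the measurement does not confirm.
    `attestation` is the manual {hostname: True/False} checkbox (constructed)."""
    return sorted(h for h, ok in attestation.items() if ok and findings.get(h))


# Constructed sample snapshot: one host current, one missing a patch, one whose
# agent has not reported for three days.
NOW = datetime(2010, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    HostReport("ws-01", {"KB-0001", "KB-0002", "KB-0003"}, NOW - timedelta(hours=6)),
    HostReport("ws-02", {"KB-0001", "KB-0003"}, NOW - timedelta(hours=3)),
    HostReport("srv-01", {"KB-0001", "KB-0002", "KB-0003"}, NOW - timedelta(days=3)),
]
# The "three-ring binder" version of the same question: every box ticked.
SAMPLE_ATTESTATION = {"ws-01": True, "ws-02": True, "srv-01": True}

if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORTS, NOW)
    for host, issues in result.items():
        print(host, "OK" if not issues else "; ".join(issues))
    print(summarize(result))
    print("attested current but not confirmed:", attestation_contradicted(SAMPLE_ATTESTATION, result))
```

The stale-report rule is the part worth keeping in mind: a monitoring pipeline that silently counts an unreporting host as compliant reproduces the checkbox problem the quote describes, just with more machinery.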
The goal is to reduce the measurable risks that agencies are facing. When it comes to cybersecurity, many threats are out there that contain unknowns, which is why actions like continuous monitoring are seen as so important.
Why fight battles against known enemies while you are struggling to defend against unknowns, too?
For lessons learned and best practices, Chabrow cites the State Department as a good example of an agency that has really hit the ground running with continuous monitoring.
You can read all about it in his blog, but one thing he does emphasize is the financial aspect.
“One number that’s been mentioned a lot has been the amount of money that the State Department has spent on compliance under FISMA. They estimate that, over a six-year period, they’ve spent $133 million on what they call the three-ring binders that they submit to show that they’re secure. In communicating with [State’s CISO], he didn’t give me a price tag on what [continuous monitoring] costs, but it’s not cheap. In fact, there’s a certain disruption that goes on. He said that, under FISMA, they had something like 60 writers of these . . . reports. Now they have a workforce of 4,100-plus technicians.”
So, continuous monitoring is more expensive and requires more manpower. Is it worth it?
Chabrow says he’s talked to several federal CIOs and CISOs who say, yes, it is a bit disruptive, but it is the job of the CIO to alleviate fears of both agency heads and their employees.
While the concept is still relatively new, Chabrow also notes that continuous monitoring is not a silver bullet, nor is it being regarded as one.
“It’s a step in the right direction. Actually seeing what your systems are doing, rather than having a human saying, ‘this is what we’re supposed to be doing’.”