By the time you read this, hopefully, you’re confident in your agency’s information security continuous monitoring (ISCM) strategy required for the Feb. 28 deadline from the Office of Management and Budget.
Or are you? While most agencies by now have considered and documented their CDM approach according to National Institute of Standards and Technology Special Publication 800-137, those strategies actually may not hold water in light of the Nov. 18 memo M-14-03, Enhancing the Security of Federal Information and Information Systems from OMB. These new requirements must be reconciled along with the previous ones from NIST, OMB and the concept of operations in less than a month.
It’s easy to grumble about what appears to be another paper-pushing exercise in light of so many others. But let’s keep in mind, the Department of Homeland Security’s CDM program is about far more than compliance: it swings the pendulum toward near real-time, proactive security, doing away with reliance on static infrequent, paper-bound reporting that can provide false notions of security.
A well-considered strategy that includes an objective self-audit will help set the agency’s transition course for which CDM products and services offered through the CDM blanket purchase agreement make the most sense for closing agency gaps and deficiencies. While any self-assessment can be tricky, an incisive and honest evaluation (self-conducted or through a third party assessor), can define the roadmap and the resources the agency should take advantage of — whether all of DHS’ resources, none, or some hybrid approach to effect the best CDM program.
In light of these latest requirements, the following should be considered in solidifying your ISCM strategy:
How will you implement ongoing authorization of information systems? Detail your plan for moving from static, three-year reauthorization to operate on an ongoing basis. Consider any changes from the perspective of an authorizing official, such as modifications in his/her role and responsibilities, changes in authorization support documentation and impacts of automation on the authorization process. An important aspect of the description is to define the types of incidents, events and actions that require reevaluation of a system’s authorization (for example, the compromise of personally identifiable information, change in operating system, etc.)
How will continuous monitoring impact security control assessments? Although the ISCM strategy need not specify how every control is going to be tested for every system, it must at least document all controls that will be assessed by automated means, such as access enforcement, protection of audit information, etc. Describe how you will assess security controls, including controls common to multiple information systems, for effectiveness, including how security controls will be assessed, the assessment type and frequency for all system specific, common and hybrid controls in all control families, and how results will be documented.
How will you employ standardized products for continuous monitoring? How will hardware and software asset management, configuration management, and vulnerability management tools be deployed across the enterprise? Describe in this ISCM strategy how the agency will migrate to the DHS Continuous Diagnostics and Monitoring (CDM) BPA for the acquisition of continuous monitoring products and services. In particular, the plan must cover the phase out of existing contracts and how resources will be transitioned to the BPA. Perhaps as important as defining how various divisions and offices will adopt these products and processes is the act of defining milestones to drive decision making in resolving this potentially contentious issue.
How to implement continuous monitoring across the enterprise? Document how the agency will implement ISCM agencywide including plans for transitioning various organizational elements to standardized products and processes along with actions to be taken, responsibilities for their execution and milestones for their completion. For example, the plan should list when each office and division will meet agency standards for asset management, configuration management, vulnerability scanning and incident response.
How will your continuous monitoring systems interface with the governmentwide dashboard? Even though DHS has not yet identified specific metrics, the agency ISCM strategy should address how those defined in the fiscal 2013 FISMA reporting Instructions will be collected and fed to the government dashboard, cyberscope. This must include a description of processes currently in place for cyberscope submissions as well as a notional idea of how data from agency sensor data will be aggregated, analyzed and transmitted to the federal dashboard once DHS has provided definition of data requirements.
Finally, agencies must consider how ISCM pertains to its information and the systems owned or operated by contractors. The strategy must explain how third parties will comply with ISCM requirements. This section must describe the process the agency will use to collect compliance data from external service providers on an ongoing basis and how assessments will be conducted of their operations. FedRAMP provides agencies a mechanism for ensuring contractors and third parties employ ISCM to protect agency data.
The OMB memo recognizes that CDM is complicated with many moving parts, hence, the importance of the ISCM strategy, and the emphasis on this milestone. Rather than merely appeasing a requirement that can withstand Inspector General scrutiny, the strategy should truly function as a CDM roadmap and migration path — one that takes into account the agency’s security maturation and existing capabilities, capitalize on what it has and does well, and close the gaps with DHS’ security resources to effect the best return on investment with least amount of disruption.
Patrick Howard is a senior information security consultant for Kratos/SecureInfo, and is the former chief information security officer at the Nuclear Regulatory Commission and the Department of Housing and Urban Development. He can be reached at Patrick.firstname.lastname@example.org.