For more than a decade, the biggest criticism of the Federal Information Security Management Act is the static nature of how agencies reviewed their systems — on average every three years.
Congress has tried for more than three years to update FISMA with requirements for agencies to take a new, dynamic approach to securing their systems, but its efforts have stalled. So the Obama administration has slowly been using policy and regulation to make the change to continuous monitoring.
The Homeland Security Department took the biggest step yet Monday by releasing policy detailing requirements for what continuous monitoring looks like, giving agencies and vendors a clearer idea of how they will be expected to implement it. “For the last several years, we’ve been talking about getting away from the elements of process and compliance of an earlier time and heading out to continuous monitoring,” said John Streufert, the director of the National Cyber Security Division at DHS, in an interview with Federal News Radio. “So with our discussions with colleagues in the continuous monitoring working group [of the CIO Council] we are settling in on five core capabilities of continuous monitoring.”
These are five of the 20 most common system vulnerabilities as determined by a government-private sector group of experts. The group, which included the FBI, DHS and several others, published the Consensus Audit Guidelines in February 2009.
DHS would spend more than $200 million in fiscal 2013 to install a common set of tools, including a diagnostic dashboard, and implement a security data warehouse on each agency’s network. Agencies then would provide DHS with summary data through the CyberScope tool, giving DHS a more complete view of the vulnerabilities and threats across government. In the fiscal 2011 FISMA report to Congress, the Office of Management and Budget found 78 percent of agencies submitted data automatically to CyberScope.
Congress still must approve President Obama’s request for DHS.
Lawmakers have responded positively to the $202 million budget request. The House approved the White House request in full, saying in the report on the DHS spending bill, “Specifically, the funds shall be used to provide adequate, risk-based, and cost-effective cybersecurity to address escalating and rapidly evolving threats to information security, to include the acquisition of an automated and continuous monitoring program.”
The full House passed the DHS appropriations bill June 7.
The Senate would allocate $183.6 million for these efforts. In its report, the committee stated continuous monitoring “will provide for robust implementation but also a disciplined approach to ensure lessons are learned before deployment to all federal agencies.”
Both bills require DHS to submit an expenditure plan with details on timeline and process for implementation before they can spend a majority of the funds.
“If it should be passed, we anticipate discussions with department and agencies for implementations beginning in 2013,” Streufert said. “An important aspect of this is the fact that some of these continuous monitoring standards will widely across the methods of implementations for technology.”
Agencies should begin planning now
Until Congress approves DHS’ spending bill, the agency is preparing both agencies and vendors to implement the five security controls.
Earlier this week, DHS held a series of meetings outlining the requirements and expectations, including a concept of operations and how continuous monitoring fits in with the cloud-first and share-first policies, which OMB is emphasizing.
“We would really like to have industry to comment on them and get their best ideas so we can incorporate it in the future planning of the government around continuous monitoring,” Streufert said. DHS also released two memos to agencies: one offers guidance on implementing continuous monitoring and another details the requirements for cloud boundary defense.
DHS officials say the memos have not been made public or provided to industry yet.
One official, who requested anonymity, said 49 criteria are in the cloud boundary defense. The requirements grew out of the Trusted Internet Connections initiative. DHS expects to issue the requirements for TIC 2.0 in September.
Alan Paller, director of research at the Sans Institute, said the policy and requirements are a game changer for federal cybersecurity.
“This is the single highest leverage project in cyber security,” Paller said. “By ensuring only software and services that meet these specs can be deployed in federal agencies, they will immediately enable the kind of continuous risk reduction and high-speed response to new threats that have long eluded most federal agencies. This also seeds the commercial world with technology that enterprises all over the country can buy to get the same benefits.”
Sans was one of the main private sector supporters of the development of the Consensus Audit Guidelines.
Few agencies have all tools in place
Streufert said nearly every agency has one or two of the tools, but few have all five. He said the State Department, the U.S. Agency for International Development, the Veterans Affairs Department and the Justice Department are out in front in both using the tools and taking advantage of continuous monitoring.
In its presentation to industry and agencies, DHS said 80 percent of all attacks take advantage of known vulnerabilities and configuration management weaknesses. These five tools would help close those unprotected areas and give agencies a more immediate way of finding and fixing new weak spots in their network defenses.
“The goal of this proposed DHS program in 2013 is to infuse a little bit of money and try to get some standard approaches to these five areas and get them as evenly as we can across all of dot-gov,” Streufert said.
The concept of operations for continuous monitoring includes three implementation approaches:
Internally operated services, where DHS installs and agencies run their own sensors and dashboard.
Continuous monitoring-as-a-service (CMaaS). DHS plans on issuing a request for proposals in 6-to-9 months for public or private sector organizations to provide these services to other agencies.
Cloud provider security services. This approach is considered “turn-key,” where vendors provide all aspects of the cyber services, including hardware, software and security. It’s an entirely outsourced operation, DHS officials say.
Each agency will have to decide which approach works best for it based on the application it is putting in the cloud. If the software needs to be protected at the moderate or high level, then running the services internally or using a federal CMaaS provider may make the most sense.
Vendors wanting to provide cloud services and/or cloud security services to the government will have to meet the continuous monitoring requirements detailed in the documents. They also have to get their systems approved by the third-party assessment organizations under the FedRAMP program.
DHS said agencies that are just cloud security providers would self-certify that they meet the federal standards, and then have one of the third-party companies review their self-assessment.
Homeland Security officials would not comment on their acquisition strategy or how many vendors would provide these cloud security services.
“We are looking for industry help in three particular areas: continuous monitoring, which includes the five areas; the display and action of the data, which all hinges on the dashboard; and the third area we are beginning to study in greater detail and will come back to industry on is getting continuous monitoring as a service,” Streufert said. “We want to get the right sensors, the right dashboard and get industry involved in the question of how those tools are put to work in departments and agencies.”
Streufert said agencies need to start planning how those sensors will be put to use on their networks and how continuous monitoring will substitute for the current static approach to FISMA reviews of systems.
The DHS official said there will be multiple opportunities for agency and vendor participation in the coming months, including the ability to comment on a Federal Register notice to change procurement regulations to include continuous monitoring requirements.
Tom Temin is the host of The Federal Drive, 6 a.m.-10 a.m. on 1500 AM in the Washington, D.C. region and online everywhere.