1. Continual Monitoring Sean Sherman | Triton Federal Systems, Inc. Sean.Sherman@ppc.com

2. What is continual monitoring? FISMA C&A process has traditionally been: applying security management at a point in time: Risk assessment, implement controls, then reviewed the controls to be documented, working and relevant on a three year schedule. Key aspects: vulnerability scanning and threat assessment done frequently - ST&E and POA&M (reporting) performed on a schedule and assessed by system owner.

3. Why Continual monitoring Threat landscape increasingly hostile Need to react faster, better – expect never to get to perfect Continual monitoring is the way to identify and respond more quickly. Continual monitoring helps determine if controls are appropriate and working!

4. What is wrong with the program? Frequency = more resources? Vulnerability Assessments must occur more often (difficult on big or complex environments) What do we check? Federal Desktop Core Configuration (FDCC)? STIGS, CIS Benchmarks? What about monitoring controls? Follow through? Assessment should inform control selection

5. Is this new? Not new idea – Continuous monitoring has roots in financial transaction monitoring – auditing. Quantitative analysis of process and compliance TIMELY findings = less costs

6. What is new? OMB Memo 10-15 (April 2010) outlines: Continual monitoring means to frequently assess security data across the enterprise, not just at the system level. Must use tools to assess, correlate security data – move away from manual assessment. New program – CyberScope – will collect security data from all agencies for a high level assessment

7. Data to collect • Inventory • Systems and Services • Hardware • Software • External Connections • Security Training • Identity Management and Access

8. How? Use of automated tools and integration with Cyberscope. Automated data feeds from agency tools will be collected by CyberScope/DHS Government wide benchmarking of security posture – part of CyberScope Agency-specific interviews Goal: Evidence & metrics of how security is performing.

9. Technology Change management/FIM Configuration assessment SCAP Vulnerability Assessment CyberScope specifications: http://scap.nist.gov/use-case/cyberscope/index.html

10. Methodology Continuous monitoring needs to occur at the organization level, mission level and system level NIST 800-37 - assessment and authorization using a risk management framework. http://csrc.nist.gov/groups/SMA/fisma/documents/faq-continuous-monitoring.pdf

11. Timeline The due date for FISMA reporting through CyberScope is November 15, 2010. Beginning January 1, 2011, agencies will be required to report on this new information monthly.

12. Conclusions Move away from manual assessments to automated tools and methods to improve security information; improve security action. Improve situational awareness, risk management practices Prepare for CyberScope & interviews

13. Contact info Sean Sherman, CISSP, CIPP, CISA, PMP Director, Security Solutions Sean.Sherman@ppc.com

14. THANK YOU! Cindy Valladares cvalladares@tripwire.com