2. What is continual monitoring?
• The FISMA C&A process has traditionally applied security management at a point in time: perform a risk assessment, implement controls, then review the controls to confirm they are documented, working and relevant, on a three-year schedule.
• Key aspects: vulnerability scanning and threat assessment done frequently; ST&E and POA&M (reporting) performed on a schedule and assessed by the system owner.
3. Why continual monitoring?
• The threat landscape is increasingly hostile.
• Need to react faster and better; expect never to reach perfect.
• Continual monitoring is the way to identify and respond more quickly.
• Continual monitoring helps determine whether controls are appropriate and working!
4. What is wrong with the program?
• Frequency = more resources?
• Vulnerability assessments must occur more often (difficult in big or complex environments).
• What do we check? Federal Desktop Core Configuration (FDCC)? STIGs? CIS Benchmarks?
• What about monitoring controls?
• Follow-through? Assessment should inform control selection.
5. Is this new?
• Not a new idea: continuous monitoring has roots in financial transaction monitoring and auditing.
• Quantitative analysis of process and compliance.
• TIMELY findings = lower costs.
6. What is new? OMB Memo 10-15 (April 2010) outlines:
• Continual monitoring means frequently assessing security data across the enterprise, not just at the system level.
• Must use tools to assess and correlate security data; move away from manual assessment.
• New program, CyberScope, will collect security data from all agencies for a high-level assessment.
7. Data to collect
• Inventory
• Systems and services
• Hardware
• Software
• External connections
• Security training
• Identity management and access
8. How?
• Use of automated tools and integration with CyberScope.
• Automated data feeds from agency tools will be collected by CyberScope/DHS.
• Government-wide benchmarking of security posture, part of CyberScope.
• Agency-specific interviews.
• Goal: evidence and metrics of how security is performing.
10. Methodology
• Continuous monitoring needs to occur at the organization level, mission level and system level.
• NIST 800-37: assessment and authorization using a risk management framework.
• http://csrc.nist.gov/groups/SMA/fisma/documents/faq-continuous-monitoring.pdf
11. Timeline
• The due date for FISMA reporting through CyberScope is November 15, 2010.
• Beginning January 1, 2011, agencies will be required to report on this new information monthly.
12. Conclusions
• Move away from manual assessments to automated tools and methods to improve security information and security action.
• Improve situational awareness and risk management practices.
• Prepare for CyberScope and interviews.
13. Contact info
Sean Sherman, CISSP, CIPP, CISA, PMP
Director, Security Solutions
Sean.Sherman@ppc.com
Ask: does this improve security? A common complaint about FISMA/800-53 is that it is a paperwork exercise. This does try to address that, but it is still a compliance program. A related action would be to adopt legislative changes to FISMA focused on security outcomes; such an amendment (as has been proposed in the Lieberman-Collins Bill) would help create greater attention to security and provide appropriate resources.
Will this improve security?
Not mentioned: Risk Assessment.
This is predicted. It implies a reduced manual process.
Recall the NIST updates to 800-30 (Risk Assessment), Feb 2011, and the updates to 800-39 (Risk Management), Jan 2011. These will support the new -37 methods and -53 controls.