
New guidelines require agencies to document progress automating surveillance of cyber threats

The Homeland Security Department has released new information security guidance that, for the first time, requires agencies to report on progress installing tools that continuously monitor threats to computer networks.

Agencies annually are required to document their compliance with technology safeguards laid out in the 2002 Federal Information Security Management Act. Last summer, Homeland Security assumed responsibility for overseeing adherence to FISMA reporting requirements, a role that the Office of Management and Budget had previously performed.

Critics contend FISMA compels managers to spend too much time completing meaningless checklists at the expense of more critical security-related tasks, and Congress is likely to overhaul the law as part of comprehensive cybersecurity legislation later this year. To address some of the complaints, last year's FISMA guidance called for chief information officers to begin automating near real-time surveillance of controls so that annual reporting will be easier and represent more than a once-a-year snapshot. Eventually, agencies are to achieve continuous monitoring by installing software and sensors that constantly track the most important security indicators.

The June 1 DHS memo to CIOs builds off the 2010 guidance that mandated agencies begin the transition to continuous monitoring by reporting monthly on a few security indicators, such as changes in the number of network connections and laptop inventories.

Alan Paller, an information security consultant and SANS Institute research director, who posted the new guidelines online Friday afternoon, said the Obama administration's approach may allow the government to lead by example in the area of continuous monitoring.

The 11-page document consists of mainly open-ended questions about each agency's annual information assurance practices, such as offering security awareness training, taking inventory of equipment and keeping an eye on whether employees are changing their passwords regularly.

The questions on continuous monitoring are quite involved, requesting that CIOs record the percentage of data points that are being observed "at appropriate frequencies." The data sources listed include antivirus scan reports; remote access logs; the status of patches, or software bug fixes; and alerts that computer settings have been altered.

The requirements, titled the 2011 Chief Information Officer FISMA Reporting Metrics, also try to ascertain whether outbound traffic is being monitored to ensure employees are not uploading dumps of sensitive data to public sites like WikiLeaks. For example, one section asks whether continuous monitoring includes the tracing of "large transfers of data, either unencrypted or encrypted."
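The memo only asks whether large outbound transfers are traced; it does not say how. The following is an added example, not code from the memo, DHS or any agency, of the kind of check that question implies: it aggregates outbound bytes per internal host per time window from flow records, flags hosts that exceed a threshold, and notes whether the traffic went to ports that normally carry encrypted protocols (a heuristic, since the memo wants both encrypted and cleartext transfers tracked). The internal address range, the 500 MiB threshold, the one-hour window, the port list and the sample flow records are all constructed assumptions.

```python
"""Flag large outbound data transfers from flow records.

Added example. The flow records below are constructed, and the internal
range, threshold, window and "encrypted" port set are assumptions a real
deployment would replace with its own values.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed internal address space
THRESHOLD_BYTES = 500 * 2**20             # assumed per-host, per-window limit (500 MiB)
WINDOW_SECONDS = 3600                     # assumed aggregation window (1 hour)
ENCRYPTED_PORTS = {22, 443, 465, 993, 995}  # heuristic: ports that normally carry TLS/SSH

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_sent)
SAMPLE_FLOWS = [
    (1000, "10.1.2.3", "203.0.113.10", 443, 150 * 2**20),
    (1800, "10.1.2.3", "203.0.113.10", 443, 400 * 2**20),  # same host, same hour -> 550 MiB
    (1900, "10.1.2.4", "198.51.100.7", 80, 2 * 2**20),      # small cleartext transfer
    (5000, "10.1.2.3", "203.0.113.10", 443, 100 * 2**20),   # next hour, under threshold
    (1500, "203.0.113.50", "10.1.2.9", 443, 900 * 2**20),   # inbound; not counted
]


def aggregate_outbound(flows, internal=INTERNAL_NET, window=WINDOW_SECONDS):
    """Sum bytes sent by each internal host to external hosts, per time window.

    Returns {(src_ip, window_index): {"bytes": int, "ports": set}}.
    """
    buckets = defaultdict(lambda: {"bytes": 0, "ports": set()})
    for ts, src, dst, dport, nbytes in flows:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip not in internal or dst_ip in internal:
            continue  # only internal -> external traffic counts as outbound
        bucket = buckets[(src, ts // window)]
        bucket["bytes"] += nbytes
        bucket["ports"].add(dport)
    return buckets


def large_transfers(flows, threshold=THRESHOLD_BYTES, window=WINDOW_SECONDS):
    """Return one alert per (host, window) whose outbound bytes exceed the threshold.

    The "channel" label is a port-based guess at whether the data left
    encrypted; a monitoring program should record both cases, not just one.
    """
    alerts = []
    for (host, win), bucket in aggregate_outbound(flows, window=window).items():
        if bucket["bytes"] <= threshold:
            continue
        encrypted = all(p in ENCRYPTED_PORTS for p in bucket["ports"])
        alerts.append({
            "host": host,
            "window_start": win * window,
            "bytes": bucket["bytes"],
            "channel": "encrypted" if encrypted else "cleartext-or-mixed",
        })
    return sorted(alerts, key=lambda a: (a["window_start"], a["host"]))


if __name__ == "__main__":
    for alert in large_transfers(SAMPLE_FLOWS):
        print(f"{alert['host']} sent {alert['bytes'] >> 20} MiB "
              f"starting at t={alert['window_start']} ({alert['channel']})")
```

Run against the constructed flows, only 10.1.2.3 is flagged, for the first hour, because two 443 flows add up to 550 MiB; the 900 MiB inbound flow and the sub-threshold flows are ignored. Lowering the threshold or shortening the window changes what is "large", which is exactly the frequency and threshold decision the memo, as the article goes on to note, leaves to each agency.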

Since the goal of nixing paperwork is to free up time to act on security problems, the memo's final question tries to suss out whether personnel are actually using the aggregated data: "To what extent is the data collected, correlated and being used to drive action to reduce risks?" the document asks.

But the memo does not define "continuous" -- every second, every 30 seconds, daily or monthly? -- so it's hard to draw conclusions about the effectiveness of continuous monitoring, said Jim Tozzi, the first deputy administrator of OMB's Office of Information and Regulatory Affairs, created in 1980.

"They leave it up to you to decide what the frequency is," said Tozzi, now on the board of the Center for Regulatory Effectiveness, a watchdog group that analyzes agency regulations. "You have to define what the real time is, and the system that you're going to use to get it."

Draft federal standards for continuous monitoring released in December 2010 do not specify the frequency with which automated feeds must be updated.

"NASA appears to [have] one of the more definitive systems," he said. Tozzi's staff said some of the agency's statistics, on network login attempts, for instance, are captured every 10 seconds. Tozzi's center plans to study NASA's methods and publish findings within the next few months.

Officials at the space agency have said that every NASA center has a "near real-time" status-tracking website that provides data on security configurations, patches and network vulnerability scans.

The National Institute of Standards and Technology, which developed the draft continuous monitoring standards, said there is no single frequency criterion because intervals will differ based on the duration between a computer query and response; the significance of the information recorded; the technology's capability to generate the data; and other agency-specific needs.

"NIST does not specify a time frame for monitoring as stated in the draft, which reads: 'The frequency at which information is collected varies with the specific measurement under consideration and depends in part upon the ability of the organization to collect the data and to act on it,'" said Matthew Scholl, a group manager at NIST's information technology laboratory. The draft document adds: "While this document encourages the use of automation, it is recognized that many aspects of continuous monitoring programs are not easily automated."

Another aspect of Homeland Security's instructions for meeting FISMA reporting requirements is a set of questions about consumer devices. One item asks how many of the department's mobile devices, such as tablet-type computers, netbooks and smartphones, encrypt a user's data, or encode it in a way that renders the information unreadable to outsiders.

The document also contains detailed questions about training techniques, notably whether agencies conduct simulations of so-called phishing attacks, where users are lured by fraudulent emails, purportedly from trusted acquaintances, into providing personal information or installing viruses.

"Provide the total number of agency-sponsored phishing attack exercises, if conducted," the guidance stated. It also requires that CIOs identify the number of attacks where users fell prey to the deception.

Homeland Security officials could not provide comment by late afternoon Monday.
