Substituting cyber reporting with continuous monitoring carries risks

An Obama administration decision to relax agency reporting rules for complying with cybersecurity mandates by instead requiring automated data feeds about threats could relegate risk management to a back-office function and leave senior executives out of the loop, some auditors say.

This year's instructions for adhering to the 2002 Federal Information Security Management Act, to the delight of some information technology managers, say that continuous monitoring will replace the current costly, time-consuming process of reauthorizing systems after upgrades or at least every three years.

"Continuous monitoring programs thus fulfill the three year security reauthorization requirement, so a separate reauthorization process is not necessary," states a response in the frequently asked questions section of the Sept. 14 Office of Management and Budget guidance. The Homeland Security Department, which supervises federal cybersecurity operations, authored the memo's instructions and the FAQ, including the question, "Is a security reauthorization still required every three years?"

Traditionally, reauthorizations have involved several steps of human analysis: first, agency IT managers write a system security plan; then an outside security professional certifies, or evaluates, the controls in the plan and briefs the authorizing official -- a secretary or other senior executive -- on the findings. That senior official, by approving the plan, assumes responsibility for the risks associated with the system.

With continuous monitoring, software agents and sensors check the system's most important safeguards in near real time, drawing on automated feeds such as antivirus scan reports and remote access logs rather than on a periodic paper review.
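To make concrete what "software and sensors checking safeguards" produces for the people who must act on it, here is an added illustration; it is not code from OMB, DHS, NIST or any agency program. Two constructed feeds, an antivirus scan report and a remote access log, are reduced to per-control pass/fail findings ordered by severity, with a flag saying whether the authorizing official has a risk decision to make. The feed formats, the thresholds, the control labels (borrowed from the SP 800-53 families for readability), and every sample record are assumptions made for this example.

```python
"""Added illustration of continuous-monitoring feeds reduced to control status.

Not code from OMB, DHS, NIST or any agency program. Feed formats, thresholds,
control labels and all sample data below are assumptions made for this example.
"""
import json
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed antivirus scan report, one JSON record per host (not real data).
AV_REPORT = "\n".join([
    '{"host": "ws-101", "scanned_at": "2010-09-17T02:00:00Z", "signature_date": "2010-09-16", "infections": 0}',
    '{"host": "srv-07", "scanned_at": "2010-09-17T02:10:00Z", "signature_date": "2010-09-04", "infections": 0}',
    '{"host": "ws-222", "scanned_at": "2010-08-28T02:00:00Z", "signature_date": "2010-08-27", "infections": 1}',
])

# Constructed remote access (VPN) log; the last line simulates a damaged record.
REMOTE_ACCESS_LOG = "\n".join([
    "2010-09-17T08:01:05Z user=alice src=203.0.113.5 mfa=yes result=success",
    "2010-09-17T08:03:11Z user=bob src=198.51.100.9 mfa=no result=success",
    "2010-09-17T08:04:00Z user=carol src=192.0.2.77 mfa=yes result=failure",
    "2010-09-17T08:04:07Z user=carol src=192.0.2.77 mfa=yes result=failure",
    "2010-09-17T08:04:15Z user=carol src=192.0.2.77 mfa=yes result=failure",
    "2010-09-17T08:04:22Z user=carol src=192.0.2.77 mfa=yes result=failure",
    "2010-09-17T08:04:31Z user=carol src=192.0.2.77 mfa=yes result=failure",
    "sensor restart: partial record",
])

NOW = datetime(2010, 9, 17, 9, 0, tzinfo=timezone.utc)  # assumed evaluation time
MAX_SIGNATURE_AGE = timedelta(days=7)   # assumed agency thresholds
MAX_SCAN_AGE = timedelta(days=14)
FAILED_LOGIN_THRESHOLD = 5
SEVERITY_RANK = {"high": 0, "medium": 1}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


def _utc(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def check_malicious_code_protection(report, now=NOW):
    """Evaluate the AV feed: stale signatures, stale scans, live infections, silent sensor."""
    findings = []
    records = [json.loads(line) for line in report.splitlines() if line.strip()]
    if not records:
        findings.append(("high", "AV feed empty: sensor not reporting"))
    for rec in records:
        sig_age = now - _utc(rec["signature_date"], "%Y-%m-%d")
        scan_age = now - _utc(rec["scanned_at"], "%Y-%m-%dT%H:%M:%SZ")
        if rec["infections"]:
            findings.append(("high", f'{rec["host"]}: {rec["infections"]} infection(s) reported'))
        if scan_age > MAX_SCAN_AGE:
            findings.append(("high", f'{rec["host"]}: last scan {scan_age.days} days ago'))
        elif sig_age > MAX_SIGNATURE_AGE:
            findings.append(("medium", f'{rec["host"]}: signatures {sig_age.days} days old'))
    return findings


def check_remote_access(log):
    """Evaluate the remote access log: logins without MFA, failed-login bursts, feed gaps."""
    findings = []
    failures = Counter()
    lines = [line for line in log.splitlines() if line.strip()]
    if not lines:
        findings.append(("high", "remote access feed empty: sensor not reporting"))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            # A record the tool cannot read is a gap in coverage: report it, do not drop it.
            findings.append(("medium", f"unparseable record: {line!r}"))
            continue
        if m["result"] == "success" and m["mfa"] == "no":
            findings.append(("high", f'{m["user"]} logged in from {m["src"]} without MFA'))
        elif m["result"] == "failure":
            failures[m["src"]] += 1
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("medium", f"{n} failed logins from {src}"))
    return findings


# Control labels borrow SP 800-53 family names; the feed-to-control mapping is an assumption.
CONTROLS = [
    ("SI-3 Malicious Code Protection", lambda av, log, now: check_malicious_code_protection(av, now)),
    ("AC-17 Remote Access", lambda av, log, now: check_remote_access(log)),
]


def assess(av_report=AV_REPORT, log=REMOTE_ACCESS_LOG, now=NOW):
    """Reduce the feeds to per-control status, controls with the worst findings first."""
    results = []
    for name, check in CONTROLS:
        findings = sorted(check(av_report, log, now), key=lambda f: SEVERITY_RANK[f[0]])
        results.append({"control": name, "status": "fail" if findings else "pass", "findings": findings})
    results.sort(key=lambda r: min((SEVERITY_RANK[f[0]] for f in r["findings"]), default=99))
    return results


def needs_authorizing_official_decision(results):
    """A failed control changes the accepted risk; the AO must re-accept it or order remediation."""
    return any(r["status"] == "fail" for r in results)


if __name__ == "__main__":
    summary = assess()
    for r in summary:
        print(f'{r["control"]}: {r["status"].upper()}')
        for sev, msg in r["findings"]:
            print(f"    [{sev}] {msg}")
    print("Authorizing official decision required:", needs_authorizing_official_decision(summary))
```

Two design points matter more than the thresholds. An empty feed or an unreadable record is reported as a finding rather than silently counted as a pass, because a sensor that stops talking looks identical to a clean system otherwise. And the output is not the raw logs but a short, ranked list with an explicit "decision required" flag, which is the form in which a senior official can actually accept or reject the risk.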

By switching from reauthorizations to continuous monitoring, "there's a potential that accountability could be removed from the equation," said Rick Dakin, chief executive officer of Coalfire, an IT compliance firm that performs FISMA risk assessments. "I think it lets [agencies] substitute budgets in a tight budget climate, but I think it leaves the [department] secretary off the hook."

He said automated surveillance should augment a comprehensive security review but not supersede it. "This program is very beneficial and should continue," said Dakin, a past president of the Denver chapter of InfraGard, an FBI affiliate.

The nature of the monitoring is more technical, however, and does not focus as much on physical controls, staff training, process controls and other governance elements of a baseline cyber program, he said.

"Do not let our national cyber interest be relegated to a helpdesk function," Dakin said. "At this period of growing risk, we need to get our senior executives more involved in cybersecurity and ongoing governance of those programs . . . not less."

But other IT security experts say the current procedure for reauthorizing systems demands excessive paperwork and meaningless examinations that prevent managers from acting on threats.

"It's sort of been proved that the analytical process is not nearly detailed enough to provide accuracy with regards to security," said John Gilligan, previously a chief information officer at the Air Force and Energy Department and now a private IT consultant.

The practice is more of a display that managers are going through the motions rather than a precise assessment of security posture, he added.

Gilligan, also a member of the Obama-Biden transition team that helped formulate the administration's IT policies, expects the new guidance will nudge agencies to quickly roll out continuous monitoring programs so that they do not have to endure reauthorization hassles. Most agencies have the technology to track indicators, but some have not established a means of tying together the machinery for a holistic view of security status departmentwide, he said.

Gilligan acknowledged, however, that he would be surprised if the administration does not also require an independent security team to assess the data output. "The tools are only so good," he said. "The human beings would still need to evaluate the results of tools. The guidance needs to also emphasize that it's also using the tools and providing actions based on what's happening."

The OMB memo states, "Agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs . . . In an effort to implement a more dynamic, risk-based security authorization process, agencies should follow the guidance in [National Institute of Standards and Technology] Special Publication 800-37, Revision 1."

That guidance, said NIST fellow Ron Ross, directs agency security and risk management professionals to analyze the incoming surveillance data in a way that senior leaders can understand.

"It doesn't mean that the authorization process is completely dead after the first time," he said on Friday. "The senior leaders are going to be involved more frequently. Ongoing authorization means ongoing acceptance of risk."

Continuous monitoring allows technicians and leaders to keep pace with the time and tempo of quickly evolving threats, Ross added. "It can make the authorization process a lot leaner and meaner," he said.

DHS officials on Friday said a well-planned continuous monitoring program will provide a window into the current state of systems and assets, enabling situational awareness within an IT enterprise. Automated data feeds will measure the effectiveness of security controls and help prioritize remedies better, they added. The information allows authorizing officials to make decisions based on live systems and networks, rather than merely on architectural diagrams.