New guidelines require agencies to document progress automating surveillance of cyber threats

The Homeland Security Department has released new information security guidance that, for the first time, requires agencies to report on progress installing tools that continuously monitor threats to computer networks.

Agencies annually are required to document their compliance with technology safeguards laid out in the 2002 Federal Information Security Management Act. Last summer, Homeland Security assumed responsibility for overseeing adherence to FISMA reporting requirements, a role that the Office of Management and Budget had previously performed.

Critics contend FISMA compels managers to spend too much time completing meaningless checklists at the expense of more critical security-related tasks and Congress is likely to overhaul the law as part of comprehensive cybersecurity legislation later this year. To address some of the complaints, last year's FISMA guidance called for chief information officers to begin automating near real-time surveillance of controls so that annual reporting will be easier and represent more than a once-a-year snapshot. Eventually, agencies are to achieve continuous monitoring by installing software and sensors that constantly track the most important security indicators.

The June 1 DHS memo to CIOs builds off the 2010 guidance that mandated agencies begin the transition to continuous monitoring by reporting monthly on a few security indicators, such as changes in the number of network connections and laptop inventories.

Alan Paller, an information security consultant and SANS Institute research director, who posted the new guidelines online Friday afternoon, said the Obama administration's approach may allow the government to lead by example in the area of continuous monitoring.

The 11-page document consists of mainly open-ended questions about each agency's annual information assurance practices, such as offering security awareness training, taking inventory of equipment and keeping an eye on whether employees are changing their passwords regularly.

The questions on continuous monitoring are quite involved, requesting that CIOs record the percent of data points that are being observed "at appropriate frequencies." The sources of data listed include antivirus scan reports; remote access logs; status of patches, or software bug fixes; and alerts that computer settings that have been altered.

The requirements, titled the 2011 Chief Information Officer FISMA Reporting Metrics, also try to ascertain whether outbound traffic is being monitored to ensure employees are not unloading dumps of sensitive data on public sites like WikiLeaks. For example, one section asks whether continuous monitoring includes the tracing of "large transfers of data, either unencrypted or encrypted."

Since the goal of nixing paperwork is to free up time to act on security problems, the memo's final question tries to suss out whether personnel are actually using the aggregated data: "To what extent is the data collected, correlated and being used to drive action to reduce risks?" the document asks.

But the memo does not define "continuous" -- every second, every 30 seconds, daily or monthly? -- so it's hard to draw conclusions about the effectiveness of continuous monitoring, said Jim Tozzi, the first deputy administrator of OMB's Office of Information and Regulatory Affairs, created in 1980.

"They leave it up to you to decide what the frequency is," said Tozzi, now on the board of the Center for Regulatory Effectiveness, a watchdog group that analyzes agency regulations. "You have to define what the real time is, and the system that you're going to use to get it."

Draft federal standards for continuous monitoring released in December 2010 do not specify the frequency with which automated feeds must be updated.

"NASA appears to [have] one of the more definitive systems," he said. Tozzi's staff said some of the agency's statistics, on network login attempts, for instance, are captured every 10 seconds. Tozzi's center plans to study NASA's methods and publish findings within the next few months.

Officials at the space agency have said that every NASA center has a "near real-time" status-tracking website that provides data on security configurations, patches and network vulnerability scans.

The National Institute of Standards and Technology, which developed the draft continuous monitoring standards, said there is no single frequency criterion because intervals will differ based on the duration between a computer query and response; the significance of the information recorded; the technology's capability to generate the data; and other agency-specific needs.

"NIST does not specify a time frame for monitoring as stated in the draft, which reads: 'The frequency at which information is collected varies with the specific measurement under consideration and depends in part upon the ability of the organization to collect the data and to act on it,'" said Matthew Scholl, a group manager at NIST's information technology laboratory. The draft document adds: "While this document encourages the use of automation, it is recognized that many aspects of continuous monitoring programs are not easily automated."

Another aspect of Homeland Security's instructions for meeting FISMA reporting requirements are questions regarding consumer devices. One item asks how many of the department's mobile devices, such as tablet-type computers, netbooks and smartphones, encrypt a user's data, or code it in a way that renders the information unreadable to outsiders.

The document also contains detailed questions about training techniques, notably whether agencies conduct simulations of so-called phishing attacks, where users are lured by fraudulent emails, purportedly from trusted acquaintances, into providing personal information or installing viruses.

"Provide the total number of agency-sponsored phishing attack exercises, if conducted," the guidance stated. It also requires that CIOs identify the number of attacks where users fell prey to the deception.

Homeland Security officials could not provide comment by late afternoon Monday.