Commentary by Pat Howard, program manager for CDM & CMaaS at Kratos SecureInfo
It’s that time of year again, and federal agency officials know the Federal Information Security Management Act audit drill.
But like the Passover recitation, “Why is this night different from all other nights?” we ask why is this year’s FISMA audit different than others?
The answer is continuous diagnostics and mitigation (CDM) now plays a role. CDM holds the promise of moving from periodic paper-based to real-time automated assessments, so this year’s FISMA evaluation cycle shouldn’t be regarded as just another annual checkbox exercise.
The recurring theme, from the findings in the fiscal 2013 report to the evaluation instructions issued to inspectors general for 2014, is the emphasis on continuous monitoring (CM) implementation — a priority for the successful transition to more effective, real-time government security.
First, the findings status — what some would call constructive feedback and others the “bad news.” Although not the complete list, key weaknesses identified in the 2013 report include:
The lack of documented policies and procedures for CM (seven of 24 departments);
The lack of documented strategies and plans for CM (eight departments);
Ongoing assessments of security controls (system-specific, hybrid, and common) were not performed based on the approved CM plans (10 departments);
Authorizing officials and other key system officials were not provided security status reports covering updates to security plans, security assessment reports, and common and consistent Plans of Action and Milestones (POA&Ms), updated with the frequency defined in the strategy and/or plans (seven departments).
The quick take-away is that the building blocks for a continuous monitoring program are not in place for a number of agencies. It’s no coincidence that the instructions DHS provided to department/agency IGs for the 2014 audit would focus on:
Evaluating the status of agency-level efforts in establishing an enterprisewide CM program, including documenting CM policies and procedures; documenting a strategy for information security continuous monitoring (ISCM); implementing ISCM; and performing ongoing assessments of security controls based on the approved CM plans.
To reinforce the point, IGs are also tracking agency compliance with Office of Management and Budget memo 14-03, Enhancing the Security of Federal Information and Information Systems issued last November. Again, in broad strokes this requires an ISCM strategy, plans for the ongoing authorization of information systems, agency-wide use of CM products and services, and staff training to operate a CM program.
As a former federal CISO, I understand the challenges that short-staffed, resource-strapped agencies face in answering to FISMA, particularly now with the spotlight on CM progress. But if there’s a silver lining, it’s that agencies can obtain assistance for these challenges, drawing on service expertise through the DHS CDM/continuous monitoring-as-a-service (CMaaS) Program. Some of the contract services most germane to helping agencies resolve these shortcomings include project management support; CDM order planning; and training and consulting in CDM governance.
Even though many agencies are eagerly awaiting product assistance through DHS’ $6 billion-plus CDM program, it makes little sense to add technology products, even if free, until an agency has identified its risks, assessed its current capabilities and created a blueprint for its CM implementation strategy.
In other words, don’t think about technology until the processes and management have been figured out.
If there’s ever going to be a successful transition away from outdated, paper-based periodic assessments to meaningful real-time, automated security assessment and reporting, then implementation of continuous monitoring is paramount. That’s why this FISMA evaluation cycle shouldn’t be taken lightly as just another to-do list.
These efforts are worthwhile, raising the bar for better security, yet some agencies understandably may find it difficult transitioning to this new paradigm. Fortunately, departments and agencies have the resources they can turn to for support and expertise.
Patrick Howard is the former chief information security officer (CISO) at the Nuclear Regulatory Commission and the Department of Housing and Urban Development. He is currently the program manager for CDM & CMaaS at Kratos SecureInfo. He can be contacted at Patrick.firstname.lastname@example.org