Fed Needs Continuous Monitoring

The federal government needs to step up continuous monitoring of its IT infrastructure and move beyond outdated security reporting methods, according to a recent panel at a trade organization conference, as reported in a story I read online. That’s entirely consistent with the wish list that I’ve been hearing from government customers. And the need for 24/7 monitoring, for example from a cloud-based platform, is totally in line with some new government guidance that’s coming on monitoring, as well as with increased oversight and expected legislation.

At the Management of Change conference held by the American Council of Technology and Industry Advisory Council, Marianne Swanson, senior advisor for information system security at the National Institute of Standards and Technology (NIST), said that federal agencies should focus on three strategies when it comes to continuous network monitoring. She said monitoring should occur at the:

  • organization level
  • mission level
  • system level

Some new developments coming down the pike will make continuous monitoring more likely to be a reality soon. For one, NIST is developing new guidelines on security strategy, performance metrics, risk tolerance, and the frequency and types of monitoring controls agencies should consider using organization-wide. In the past, the group’s guidelines were more focused on certification requirements and authorization. NIST will also offer guidelines for managing, configuring, gathering and reporting monitoring results at the mission level, and for implementing monitoring tools and assessing automated security controls at the system level.

Another important advancement that will make it easier for federal agencies to adopt continuous monitoring is a coming NIST guide on how to manage supply-chain risks. It will offer best practices that agencies should follow when buying software and hardware products. Private industry can also use these when developing supply-chain practices in order to meet government contract requirements.

The Department of Homeland Security is also working on new processes for assessing threats; influencing security policy; enabling agencies to execute those policies through best practices; and measuring how successful agencies are at preventing security breaches.

There’s also greater oversight and more legislation on the horizon. Last week, the House Oversight and Government Reform Committee approved a bill, called the FISMA Act of 2010, that will reform the current rules under the Federal Information Security Management Act and that requires continuous, automated cybersecurity monitoring. Expect action on that bill by year’s end.

Despite the promise of progress, the fact remains that, today, many federal agencies are still operating aging software systems and trying to cover security demands that those systems weren’t designed to handle.

Given the state of government agency software and the new demand for continuous monitoring, the best, most efficient way to look after networks and protect against breaches of security is via cloud-based monitoring systems. They’re always on, for one. And there is no need for government IT folks to continuously update installed software. In addition, a series of versatile notifications (via phone, SMS, email and other methods) can immediately warn managers of database security breaches or outages. Another advantage is that cloud-based monitoring tools offer great reporting (addressing the performance area that DHS is reassessing), for example, historical data on each virtual server start and stop, along with performance data, which allows IT managers to analyze failures and their root causes.

Cloud-based monitoring tools are the most efficient and versatile stewards of the $10 billion that the American people spend yearly on security.