Despite Stiffer Reporting Requirements, Many Agencies Still Slow To Implement Continuous Monitoring

Published: 22/11/2024   Category: security




New federal government guidelines mandate monthly reporting, but online security monitoring still isn't pervasive



In a month dedicated to cybersecurity awareness, federal agencies are falling short in their efforts to implement tools for continuously monitoring security, according to experts and government watchdog organizations.
Continuous monitoring, a phrase coined under the federal government's FISMA guidelines, refers to the shift from paper reports on federal agencies' cybersecurity posture to an online reporting system. Earlier this month, FISMA reporting requirements were increased from annual to monthly (PDF) as part of the effort to force agencies into more automated, online security monitoring and reporting.
"The move to monthly reporting was [former federal CIO] Vivek Kundra's effort to make it impossible to do security reporting as a bureaucratic exercise," says Mike Lloyd, chief scientist at RedSeal Systems, which makes security monitoring tools. "If you're doing it monthly, you can't do it with people pushing paper. He was trying to make reporting difficult enough to force agencies to move to automation."
Reports issued this month suggest that such a kick in the pants is sorely needed among federal agencies, which have been slow to implement continuous monitoring guidelines and the federal Cyberscope tools, which are designed to help automate the monitoring and reporting processes.
A study published this month by InformationWeek indicates that nearly half of federal IT pros are unaware of continuous monitoring requirements.
In another report issued this month, the Government Accountability Office (GAO) identified weaknesses in 17 of 24 agencies' fiscal year 2010 efforts for continuous monitoring (PDF).
And in a third report (PDF) issued last week, the government watchdog Center for Regulatory Effectiveness (CRE) recognizes the lack of compliance with continuous monitoring requirements and outlines a set of best practices for implementing them, as exemplified by initiatives at NASA.
Of the three reports, the GAO study offers the most specifics on the deployment of continuous monitoring technology. In its investigation of 24 agencies, the GAO reported that two have not established a continuous monitoring program at all, and 15 of the agencies that have initiated a program had weaknesses in their implementations.
"These weaknesses included, for example, that continuous monitoring procedures were not fully developed or consistently implemented at 11 agencies," the report states. In another example, 10 inspectors general cited weaknesses in ongoing assessments of selected security controls. Inspectors general at nine agencies reported that information, such as status reports covering continuous monitoring results, was not provided to key officials.
The GAO report not only cites issues with reporting security posture, but also with agencies' ability to take action based on their findings: For example, 18 of 24 inspectors general reported that their agency had weaknesses in its configuration management programs, and 16 indicated their agency's patch management processes for mitigating software flaws were not fully developed.
This issue is at the heart of the continuous monitoring problem, says Bruce Levinson, editor of FISMA Focus and author of the CRE's report on continuous monitoring.
"The agencies have to have a plan for the use of continuous monitoring data," Levinson says. "The question is not just how to collect the data, but how to use it to make better decisions about security. If agencies are not doing that, then this whole thing needs to be rethought."
Joe Gottlieb, CEO of security information and event monitoring vendor Sensage, agrees. The data collection is important, but if agencies hope to truly improve security, they will have to be more proactive in how they analyze it, he says. "It's the analysis of the data that will help them find that user who's collecting unusual amounts of information and might be an insider threat."
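As an added illustration of the kind of analysis Gottlieb describes (this is example code written for this page, not code from the article, from Sensage, or from any agency's monitoring system), the script below parses constructed access-log lines and flags any user whose daily record-retrieval volume is far above that user's own baseline. The log format, the field names `user`, `action` and `records`, the sample values and the robust-threshold parameters (`min_days`, `k`) are all assumptions made for the example.

```python
"""Flag users whose data-retrieval volume is anomalous relative to their own baseline.

Constructed example: the log format, field names and thresholds are assumptions
made for this illustration, not the format of any real agency system.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample records: "<date> user=<id> action=<verb> records=<n>".
# bob's last day is deliberately far above his usual volume.
SAMPLE_LOG = """\
2011-10-03 user=alice action=download records=120
2011-10-04 user=alice action=download records=95
2011-10-05 user=alice action=download records=110
2011-10-06 user=alice action=download records=130
2011-10-07 user=alice action=download records=105
2011-10-03 user=bob action=download records=40
2011-10-04 user=bob action=download records=55
2011-10-05 user=bob action=download records=35
2011-10-06 user=bob action=download records=50
2011-10-07 user=bob action=download records=4800
2011-10-03 user=carol action=login records=0
2011-10-05 user=carol action=download records=20
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) records=(?P<records>\d+)$"
)


def parse_log(text):
    """Return {user: {date: records_downloaded}} from the constructed log format.

    Malformed lines and non-download actions are skipped rather than raising,
    so one bad record does not stop the whole monitoring run.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("action") != "download":
            continue
        totals[m.group("user")][m.group("date")] += int(m.group("records"))
    return totals


def flag_anomalies(totals, min_days=3, k=3.0):
    """Return [(user, date, records)] for days far above the user's own baseline.

    The baseline is the median and MAD (median absolute deviation) of that
    user's *other* days, so a single huge day cannot inflate its own baseline.
    Users with fewer than min_days other days are skipped: there is not enough
    history to call anything unusual.
    """
    flagged = []
    for user, per_day in totals.items():
        for date, n in per_day.items():
            others = [v for d, v in per_day.items() if d != date]
            if len(others) < min_days:
                continue
            median = statistics.median(others)
            mad = statistics.median(abs(v - median) for v in others)
            # 1.4826 * MAD approximates one standard deviation for normal data;
            # fall back to 1.0 when all other days are identical.
            scale = 1.4826 * mad if mad > 0 else 1.0
            if (n - median) / scale > k:
                flagged.append((user, date, n))
    return flagged


if __name__ == "__main__":
    for user, date, n in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(f"REVIEW: {user} retrieved {n} records on {date}, far above baseline")
```

Comparing each user to their own history rather than to a fleet-wide average is what keeps a heavy but legitimate user such as `alice` out of the findings while still surfacing `bob`'s one-day spike; the output is a review queue for an analyst, not an automatic verdict.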
So why aren't agencies moving more quickly toward continuous monitoring? Some experts say one big problem is federal contractors that have built big businesses supporting the paper process -- and are dragging their feet because they don't want to give up those businesses.
"Many of the agency heads have been part of the paper compliance process for a long time, and they resist the change," Levinson says. "On the contractor side, there has been a big pushback from those who have a vested interest in keeping the process the way it was."
"Federal contractors have been making big money doing policy review, and they don't want to give it up," says Tom Kellermann, CTO of AirPatrol, a mobile security vendor that does much of its business with the federal government. "But automation is clearly the answer long-term."