The Federal Risk and Authorization Management Program known as FedRAMP [see Feds Explain How FedRAMP Will Work] fits very nicely with continuous monitoring by allowing agencies to define good sets of security requirements for cloud computing providers, Ross says in an interview previewing a presentation he will make at the RSA Conference 2012 in San Francisco later this month.
"When any federal information is moved to the cloud, we can be sure that the appropriate security controls are implemented on behalf of the cloud provider and their environment of operations," says Ross, a National Institute of Standards and Technology senior computer scientist who led a team that wrote the latest revision of NIST Special Publication 800-53, which will be unveiled at the security conference.
"The FedRAMP program," Ross says in the interview with Information Security Media Group, "integrates the continuous monitoring aspect of our new paradigm into the cloud service provider. Once those controls are deployed under the FedRAMP program and the cloud provider's environment, there will be a continuous data feed back to the federal agencies that are using those cloud services to make sure they can keep up with the security state of that cloud provider's systems over time. It is a very important effort. Not only do we help to save significant resources by having this notion of authorizing once and using many times, but it also allows us to get to that near real-time continuous monitoring approach that we think is so important for the future, especially with the kinds of threats that we are facing today."
Though the FedRAMP initiative is designed for federal agencies to vet cloud providers and assure their security, the concept behind it and other information risk management and continuous monitoring guidance could be applied to other types of governments such as local and state as well as to the private sector. "We write all of our standards and guidelines so they can be implemented on a voluntary basis by private sector organizations, and I happen to feel that a lot of the first principles, the best practices that come out of our standards and guidelines are very applicable to the private sector, because at the end of the day we're all using basically the same information technology," Ross says.
In the interview, Ross:
- Defines continuous monitoring, and explains its importance to IT security.
- Explains how continuous monitoring is integrated into the FedRAMP process.
- Previews NIST's introduction of revision 4 of Special Publication 800-53, which includes new security and privacy controls [see NIST Guidance: More Emphasis on Privacy ].
Ross leads NIST's Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master and Ph.D. in computer science from the United States Naval Postgraduate School.
Defining Continuous Monitoring
ERIC CHABROW: Please define continuous monitoring?
RON ROSS: Continuous monitoring is an approach that allows organizations to take ownership of this whole process of what we call authorization or the risk acceptance process. In essence, you decide what controls you want to deploy within your information system and the environment of operations where that system operates.
Once your initial security plan is approved, you're required to develop a continuous monitoring strategy that is really going to allow organizations to say: What controls am I going to monitor? Am I going to look at the architecture, the enterprise architecture, security architecture, the threats base of vulnerabilities? How often am I going to monitor and, in essence how often are you going to do testing and evaluation, whether it's penetration testing or any kind of testing that would support your ongoing understanding of the control effectiveness? Then, how rigorous a process are you going to implement with regard to continuous monitoring? Are you going to do a deep dive with very intense testing and analysis of controls, or are you going to do a light touch?
There is a wide range of how continuous monitoring can be applied and the good news is that it is all risk based. Every organization can design the level of intensity that makes sense for their mission's base and their environments of operation.
CHABROW: What do you hope to relate to attendees at your panel about continuous monitoring at RSA Conference 2012?
ROSS: This is obviously a very important topic that the federal government now has been involved in and it has cost them significant update to some of our special publication, so I'm hoping at the conference I can take a top-level, strategic look at what we're trying to achieve with continuous monitoring. I'm going to talk about monitoring from the new perspective of the new Special Publication 800-137 publication, which talks about how you monitor information systems at the organization level, the mission business process level and also all the way down to the information system level. We're trying to implement a program, which allows us to monitor over time the effectiveness of our deployed security controls, any changes to the systems we have or the environments of operation, and of course, determine if we're complying with the laws and polices at the federal level.
Continuous Monitoring and Cloud Security
CHABROW: There has been a lot of media coverage in the past few weeks on FedRAMP (Federal Risk and Authorization Management Program), the government initiative to vet cloud security providers. How does continuous monitoring fit in with that?
ROSS: It fits in very nicely. The FedRAMP program, the General Services Administration-led initiative for the cloud computing world allows us to define first and foremost good sets of security requirements for cloud providers. When any federal information is moved to the cloud, we can be sure that the appropriate security controls are implemented on behalf of the cloud provider and their environment of operations. The FedRAMP program is an extension. It brings in some of those 800-53 controls to the cloud provider's environment, but it also integrates the continuous monitoring aspect of our new paradigm into the cloud service provider as well. Once those controls are deployed under the FedRAMP program and the cloud provider's environment, there will be a continuous data feed back to the federal agencies that are using those cloud services to make sure they can keep up with the security state of that cloud provider's systems over time. It is a very important effort. Not only do we help to save significant resources by having this notion of authorizing once and using many times, but it also allows us to get to that near real time continuous monitoring approach that we think is so important for the future, especially with the kinds of threats that we are facing today.
CHABROW: The panel's topic deals with the federal government, but I gather what people who would attend would hear would be good advice to any kind of organization.
ROSS: I think so. One of the things we try to do in the NIST standards and guidelines, although are primary customers are in the federal government and the contractors that support us. We write all of our standards and guidelines so they can be implemented on a voluntary basis by private sector organizations, and I happen to feel that a lot of the first principles, the best practices that come out of our standards and guidelines are very applicable to the private sector, because at the end of the day we're all using basically the same information technology. That technology is deployed to help us be successful in our missions and business operations and it needs to be protected. There is a very good opportunity for organizations whether it's state and local governments or private sector companies trying to stop infiltration or penetrations which would cause them to loose capability. They can find a lot of good content within the standards and guidelines were producing.
Unveiling new Controls' Guidance
CHABROW: Besides being at the panel you have another big responsibility at NIST, because NIST is expected to announce the update of Special Publication of 800-53 Revision 4 that's the NIST security controls catalog, and something I consider one of the most important guidance NIST provides. You're help leading that effort. What can you tell us about that?
ROSS: Well this is one of our first major updates. As you know, NIST has been partnering with the Department of Defense and the Intelligence Community for the past three or four years in producing what we call our Joint Task Force Documents. These are five publications that are going to be adopted and implemented by the entire federal government giving us kind of an unified information security framework across the entire federal states. This was the first publication that we partnered with the DoD and the intelligence community on back in 2009.
Of course, every two or three years we update the publication because the threats are constantly changing, technologies are changing, so this update is a very important update because we've gone through the entire catalog and we have looked at all of the gap areas where we didn't think we were getting good coverage or sufficient coverage I should say. So in the catalog you'll see things that are being addressed that have never really been addressed in full scope before. Things like insider threat, distributed systems, mobile computing. We have a brand appendix which has been previewed one time in the public on privacy controls.
It is a brand new appendix dedicated just to privacy. In fact, the name of the document will include privacy controls as well as security controls. We have a brand new updated appendix on assurance, how to make sure that you have the right security capability and the confidence that the capability has been developed. There is also some updated baselines which are kind of the minimum or fundamental requirements that federal agencies are required to implement and of course advanced persistent threat. A lot of organizations are concerned about that. We're going to try to hit that head on in 800-53 with some new controls that will allow you to do some different things, different strategies that hopefully will lead to success in that area.