Deploying a Continuous Monitoring Plan: A Former Federal CISO Sorts Through the Advice
Patrick Howard
A problem federal agencies face in deploying effective continuous monitoring is that there's just too much guidance, former federal chief information security officer Patrick Howard says.

"It's been coming on fast and strong over the last year or so," Howard says in an interview with Information Security Media Group.

"There is no shortage of guidance; there's probably too much," says Howard, a security consultant who formerly served as CISO at the Nuclear Regulatory Commission and the Department of Housing and Urban Development. "Agencies ... are a little bit confused and overwhelmed by which one of these take precedence. How do I aggregate that information to build a program? One of the bigger problems right now is that overabundance of guidance."

The Office of Management and Budget last fall issued a memorandum requiring agencies to develop an information security continuous monitoring strategy (see OMB Promotes Continuous Monitoring).

"Rather than enforcing a static, point-in-time reauthorization process, agencies shall conduct ongoing authorizations of their information systems and environments in which those systems operate, including common controls, through the implementation of their risk management programs," OMB Director Sylvia Burwell said when announcing the OMB guidance.

In implementing a continuous monitoring program, OMB advised agencies to follow the United States Government Concept of Operations (CONOPS) for Information Security Continuous Monitoring as well as National Institute of Standards and Technology standards on continuous monitoring and security controls.

In the interview, Howard explains that:

  • Agencies, by conducting a risk assessment, must identify assets that need to be protected so they can determine which systems to continually monitor. "If an agency doesn't know what its most sensitive and critical systems are, then it's pretty difficult to know what to monitor," he says. "They could waste a whole lot of effort and resources unnecessarily. It has to start from a risk-based awareness of your own agency in its operations."
  • Emphasizing continuous diagnostics and mitigation - what the federal government calls continuous monitoring - will prove more effective in assuring systems are secure than the 12-year-old Federal Information Security Management Act, the law that governs federal information security. FISMA, which takes a check-box approach to cybersecurity, "did a lot when it came out in 2002, and over the next five to 10 years, FISMA required agencies to build agency-wide IT security programs ... but it had its weaknesses [that] become obvious over time," he says.
  • Savings generated by continuous monitoring can be applied to other IT security measures. "The costs of implementing FISMA were substantial; continuous monitoring aims to reduce those quite a lot," he says.

As a senior consultant at defense and security service contractor Kratos Defense and Security Solutions, Howard serves as the CISO for the National Science Foundation's Antarctic Support Contract, which supports a program that manages U.S. scientific research and related logistics in Antarctica as well as aboard ships in the Southern Ocean. He served as CISO for the NRC from 2008 to 2012 and at Housing and Urban Development from 2005 to 2008.



