New guidance from the National Institute of Standards and Technology defines an information security continuous monitoring strategy and shows how organizations can create an information security continuous monitoring program.
The shift to monthly reports of key metrics through CyberScope from annual FISMA filings allows security practitioners to make decisions using more information and more quickly than ever before, OMB Director Jacob Lew says.
The soon-to-be issued FY 2011 Chief Information Officer FISMA Reporting Metrics from the Department of Homeland Security will require agencies to report on their progress in automating the continuous measurement of the most critical security risks.
"Organization-wide monitoring cannot be efficiently achieved through manual processes alone or through automated processes alone; however, automation can make the process of continuous monitoring more efficient," NIST says.
Within days, the State Department can tell which systems have and have not been patched. When State CISO John Streufert learned of the critical problem posed by the Aurora vulnerability, he didn't have to send an e-mail. The process was automated.
"Folks should not be fearful that if they don't have the skill set, they have to go find a new job because it's my responsibility to make sure that ... we are going to retrain them," says Jerry Davis, NASA deputy chief information officer for security.
The White House takes a significant step to move federal departments and agencies toward real-time monitoring of their computer systems and networks and away from paper filings documenting compliance with the FISMA.
Under the program, the State Department scans every computer and server not less than every 36 hours on eight security factors, resulting in an overall risk reduction of 90 percent on key unclassified networks.
One of the objectives of FISMA reform is to promote real-time metrics to determine IT security, but NIST senior scientist Ron Ross discusses new guidance he co-authored that achieves some of the goals without the need of legislation.
The National Institute of Standards and Technology characterizes its new guidance released this past week as transformational, and no one can speak more authoritative about it than Ron Ross, NIST's highly regarded senior computer scientist, information security researcher and FISMA implementation project leader who...