"Continuous monitoring," a phrase coined under the federal government's FISMA guidelines, refers to the shift from paper reports on federal agencies' cybersecurity posture to an online reporting system. Earlier this month, FISMA reporting requirements were increased from annual to monthly (PDF) as part of the effort to push agencies toward more automated, online security monitoring and reporting.
"The move to monthly reporting was [former federal CIO] Vivek Kundra's effort to make it impossible to do security reporting as a bureaucratic exercise," says Mike Lloyd, chief scientist at RedSeal Systems, which makes security monitoring tools. "If you're doing it monthly, you can't do it with people pushing paper. He was trying to make reporting difficult enough to force agencies to move to automation."
Reports issued this month suggest that such a kick in the pants is sorely needed among federal agencies, which have been slow to implement continuous monitoring guidelines and the federal Cyberscope tools, which are designed to help automate the monitoring and reporting processes.
A study published this month by InformationWeek indicates that nearly half of federal IT pros are unaware of continuous monitoring requirements.
In another report issued this month, the Government Accountability Office (GAO) identified weaknesses in 17 of 24 agencies’ fiscal year 2010 efforts for continuous monitoring (PDF).
And in a third report (PDF) issued last week, the government watchdog Center for Regulatory Effectiveness (CRE) recognizes the lack of compliance with continuous monitoring requirements and outlines a set of best practices for implementing them, as exemplified by initiatives at NASA.
Of the three reports, the GAO study offers the most specifics on the deployment of continuous monitoring technology. In its investigation of 24 agencies, the GAO reported that two have not established a continuous monitoring program at all, and 15 of the agencies that have initiated a program had weaknesses in their implementations.
"These weaknesses included, for example, that continuous monitoring procedures were not fully developed or consistently implemented at 11 agencies," the report states. "In another example, 10 inspectors general cited weaknesses in ongoing assessments of selected security controls. Inspectors general at nine agencies reported that information, such as status reports covering continuous monitoring results, was not provided to key officials."
The GAO report not only cites issues with reporting security posture, but also with agencies' ability to take action based on their findings: "For example, 18 of 24 inspectors general reported that their agency had weaknesses in its configuration management programs, and 16 indicated their agency’s patch management processes for mitigating software flaws were not fully developed."
This issue is at the heart of the continuous monitoring problem, says Bruce Levinson, editor of FISMA Focus and author of the CRE's report on continuous monitoring.
"The agencies have to have a plan for the use of continuous monitoring data," Levinson says. "The question is not just how to collect the data, but how to use it to make better decisions about security. If agencies are not doing that, then this whole thing needs to be rethought."
Joe Gottlieb, CEO of security information and event monitoring vendor Sensage, agrees. "The data collection is important, but if agencies hope to truly improve security, they will have to be more proactive in how they analyze it," he says. "It's the analysis of the data that will help them find that user who's collecting unusual amounts of information and might be an insider threat."
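As an added illustration of the kind of analysis Gottlieb describes, the following Python example (written for this page, not code from the article, Sensage, or any agency it names) reads constructed file-access log lines, builds a per-user baseline of records retrieved per day, and flags a user whose latest day's volume sits far above that baseline. The log format, the field names, and the threshold of three standard deviations are assumptions chosen for illustration.

```python
"""
Added example: a minimal analysis pass over continuous-monitoring data.
It parses constructed access-log lines, computes a per-user baseline from
earlier days, and flags a user whose latest day's volume is anomalous.
The log format, field names and threshold are assumptions, not a standard.
"""
from collections import defaultdict
import statistics

# Constructed sample log lines (not real data): "<date> <user> <records_retrieved>"
SAMPLE_LOG = """\
2011-09-01 jsmith 120
2011-09-02 jsmith 135
2011-09-03 jsmith 110
2011-09-04 jsmith 128
2011-09-05 jsmith 4900
2011-09-01 alee 300
2011-09-02 alee 310
2011-09-03 alee 295
2011-09-04 alee 305
2011-09-05 alee 310
"""


def parse_log(text):
    """Return {user: [(date, records_retrieved), ...]} with each list sorted by date."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, user, count = line.split()
        per_user[user].append((date, int(count)))
    for user in per_user:
        per_user[user].sort()  # tuples sort by date first
    return per_user


def flag_outliers(per_user, factor=3.0, min_history=3):
    """
    Flag users whose latest day's volume exceeds baseline mean + factor * stdev.

    The baseline is every day except the latest. Users with fewer than
    min_history baseline days are skipped rather than judged on too little
    data. A floor of 1.0 on the standard deviation keeps a perfectly flat
    baseline from turning any one-record increase into an alert.
    Returns a list of (user, latest_date, latest_count, threshold).
    """
    flagged = []
    for user, rows in per_user.items():
        if len(rows) < min_history + 1:
            continue
        history = [count for _, count in rows[:-1]]
        latest_date, latest = rows[-1]
        mean = statistics.mean(history)
        stdev = statistics.pstdev(history)
        threshold = mean + factor * max(stdev, 1.0)
        if latest > threshold:
            flagged.append((user, latest_date, latest, threshold))
    return flagged


if __name__ == "__main__":
    for user, date, count, threshold in flag_outliers(parse_log(SAMPLE_LOG)):
        print(f"{user}: {count} records on {date} (baseline threshold {threshold:.1f})")
```

In the constructed sample, jsmith's 4900 records on the last day are flagged while alee's steady volume is not. The point is the one Levinson and Gottlieb make: the same data that feeds a monthly report can feed a decision, but only if someone actually runs analysis like this over it and routes the result to a person who can act.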
So why aren't agencies moving more quickly toward continuous monitoring? Some experts say one big problem is federal contractors that have built big businesses supporting the paper process -- and are dragging their feet because they don't want to give up those businesses.
"Many of the agency heads have been part of the paper compliance process for a long time, and they resist the change," Levinson says. "On the contractor side, there has been a big pushback from those who have a vested interest in keeping the process the way it was."
"Federal contractors have been making big money doing policy review, and they don't want to give it up," says Tom Kellermann, CTO of AirPatrol, a mobile security vendor that does much of its business with the federal government. "But automation is clearly the answer long-term."