The award honored U.S. Sen. Tom Carper of Delaware, chairman of the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security; Vivek Kundra, chief information officer of the United States; and John Streufert, chief information security officer of the U.S. Department of State.
"They radically changed national priorities and U.S. government policy, and they acted to replace the wasted effort with continuous security monitoring -- automated so updates are generated no less often than every 72 hours -- and accompanying day-by-day, system-by-system accountability, so measurement is immediately converted into action," said Alan Paller, director of research for the SANS Institute, in a statement. "Their impact goes far beyond government; hundreds of commercial organizations and other nations' government agencies are already following their lead."
Streufert, in particular, laid some of the earliest groundwork in bringing continuous monitoring practices to the federal government through his State Department pilot program in 2008 and 2009. In fiscal year 2009, Streufert began supplementing the State Department's point-in-time compliance reports with its Risk Scoring Program, under which the department scanned every computer and server connected to its network at least every 36 hours against eight security factors, and twice a month for safe software configurations.
"In the first year of site scoring ending July 2009, overall risk on the department's key unclassified network measured by the Risk Scoring program was reduced by nearly 90 percent in overseas sites and 89 percent in domestic sites," Streufert informed Congress during a testimony in April. "These methods, however limited, have allowed one critical piece of the department's information security program to move from the snapshot in time previously available under FISMA and its related authorities to a program that scans for weaknesses on servers and personal computers continuously."
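To make the mechanics concrete, the following is an added example, not code from the State Department's Risk Scoring Program or from anyone quoted in the article. It models the shape of that program as the article describes it: each host's latest scan is scored as a weighted sum of failed checks across eight factors, a host whose last scan is older than the 36-hour window is penalized, scores roll up by site, and the reduction between a baseline period and the current period is reported as a percentage. The eight factor names, their weights, the staleness penalty, and every host and scan record are constructed for the example; the page states only the number of factors, the cadence, and the overall reduction figures.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Scan cadence the article attributes to the State Department program.
SCAN_INTERVAL = timedelta(hours=36)
# Penalty added to a host whose latest scan is older than SCAN_INTERVAL (assumed value).
STALE_SCAN_PENALTY = 10

# Eight weighted factors. Names and weights are hypothetical; the article
# states only that eight factors were scored.
FACTOR_WEIGHTS: dict[str, int] = {
    "vulnerability": 10,
    "missing_patch": 6,
    "antivirus_stale": 6,
    "config_deviation": 4,
    "account_policy": 4,
    "expired_password": 3,
    "inventory_gap": 2,
    "reporting_gap": 1,
}


@dataclass
class ScanRecord:
    host: str
    site: str                      # "overseas" or "domestic"
    scanned_at: datetime
    findings: dict[str, int] = field(default_factory=dict)  # factor -> failed checks


def host_score(rec: ScanRecord, as_of: datetime) -> int:
    """Weighted sum of a host's findings, plus a penalty if its scan is stale."""
    unknown = set(rec.findings) - set(FACTOR_WEIGHTS)
    if unknown:
        raise ValueError(f"{rec.host}: unknown factors {sorted(unknown)}")
    score = sum(FACTOR_WEIGHTS[f] * n for f, n in rec.findings.items())
    if as_of - rec.scanned_at > SCAN_INTERVAL:
        score += STALE_SCAN_PENALTY
    return score


def site_scores(records: list[ScanRecord], as_of: datetime) -> dict[str, int]:
    """Roll host scores up to the site level (the unit the program reported on)."""
    totals: dict[str, int] = {}
    for rec in records:
        totals[rec.site] = totals.get(rec.site, 0) + host_score(rec, as_of)
    return totals


def stale_hosts(records: list[ScanRecord], as_of: datetime) -> list[str]:
    """Hosts with no scan inside the 36-hour window: the first thing to act on."""
    return sorted(r.host for r in records if as_of - r.scanned_at > SCAN_INTERVAL)


def percent_reduction(before: int, after: int) -> float:
    """Risk reduction from a baseline total to a current total, in percent."""
    if before == 0:
        return 0.0
    return round(100.0 * (before - after) / before, 1)


def site_reduction(baseline: list[ScanRecord], baseline_as_of: datetime,
                   current: list[ScanRecord], current_as_of: datetime) -> dict[str, float]:
    before = site_scores(baseline, baseline_as_of)
    after = site_scores(current, current_as_of)
    return {site: percent_reduction(before[site], after.get(site, 0)) for site in before}


# Constructed baseline period: all hosts scanned two hours before the cutoff.
BASELINE_AS_OF = datetime(2008, 8, 1, 12, 0)
BASELINE_SCANS = [
    ScanRecord("emb-paris-01", "overseas", datetime(2008, 8, 1, 10, 0),
               {"vulnerability": 12, "missing_patch": 20, "antivirus_stale": 3}),
    ScanRecord("emb-tokyo-02", "overseas", datetime(2008, 8, 1, 10, 0),
               {"vulnerability": 8, "config_deviation": 10, "expired_password": 4}),
    ScanRecord("hq-dc-01", "domestic", datetime(2008, 8, 1, 10, 0),
               {"vulnerability": 6, "missing_patch": 15}),
    ScanRecord("hq-dc-02", "domestic", datetime(2008, 8, 1, 10, 0),
               {"vulnerability": 4, "account_policy": 5, "reporting_gap": 2}),
]

# Constructed current period: one host (emb-tokyo-02) has not reported in 78 hours.
CURRENT_AS_OF = datetime(2009, 7, 31, 12, 0)
CURRENT_SCANS = [
    ScanRecord("emb-paris-01", "overseas", datetime(2009, 7, 31, 6, 0),
               {"vulnerability": 1, "missing_patch": 2}),
    ScanRecord("emb-tokyo-02", "overseas", datetime(2009, 7, 28, 6, 0),
               {"config_deviation": 2}),
    ScanRecord("hq-dc-01", "domestic", datetime(2009, 7, 31, 8, 0),
               {"missing_patch": 3}),
    ScanRecord("hq-dc-02", "domestic", datetime(2009, 7, 30, 20, 0),
               {"reporting_gap": 1, "expired_password": 1}),
]

if __name__ == "__main__":
    for site, pct in site_reduction(BASELINE_SCANS, BASELINE_AS_OF,
                                    CURRENT_SCANS, CURRENT_AS_OF).items():
        print(f"{site}: risk reduced {pct}%")
    print("hosts outside the 36-hour window:", stale_hosts(CURRENT_SCANS, CURRENT_AS_OF))
```

The staleness penalty is the detail that makes the model "continuous" rather than a snapshot: a host that stops reporting gets worse, not invisible, so the per-site number cannot improve by hosts silently dropping out of the scan population. The constructed data is chosen to show both a scoring rollup and a stale host; the percentages it produces are illustrative and are not the department's figures.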
FISMA has long been lambasted by security experts as an ineffective, time-wasting compliance mandate due to the gaps in time between reporting and mitigation efforts and the lack of comprehensive visibility that point-in-time reporting offers in this day and age of constantly shifting threats. According to Streufert's April testimony, the State Department has experienced a 47 percent increase in malicious code attacks since 2008.
Streufert and his State Department team showed that government agencies could institute and automate continuous monitoring and derive FISMA reports from that. Meanwhile, Sen. Carper and Kundra laid policy and legislative groundwork necessary to quickly roll out continuous monitoring within other departments. This is in the process of being implemented through an April 10 Office of Management and Budget (OMB) mandate that required agencies to send FISMA reporting through a new software platform. The platform, called CyberScope, will allow arms of the government to follow a three-pronged reporting approach: using data feeds directly from security management tools, leveraging governmentwide benchmarking on security posture, and implementing agency-specific interviews.
"Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way. Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and other agency management all need to have different levels of this information presented to them in ways that enable timely decision making," the OMB report read. "To do this, agencies need to automate security-related activities, to the extent possible, and acquire tools that correlate and analyze security-related information. Agencies need to develop automated risk models and apply them to the vulnerabilities and threats identified by security management tools."
According to the SANS Institute, this year's honorees helped uncover $300 million in waste and inefficiencies related to certification and accreditation reporting, much of it from issues with FISMA.
"Agencies will not spend all of their energy to generate reports," Kundra said of the new FISMA reporting process during a press briefing in April. "Annual reporting is statutory under FISMA. We'll still have that report, but it will be derivative of the monitoring."