

Despite Stiffer Reporting Requirements, Many Agencies Still Slow To Implement Continuous Monitoring

New federal government guidelines mandate monthly reporting, but online security monitoring still isn't pervasive

In a month dedicated to cybersecurity awareness, federal agencies are falling short in their efforts to implement tools for continuously monitoring security, according to experts and government watchdog organizations.

"Continuous monitoring," a phrase coined under the federal government's FISMA guidelines, refers to the shift from paper reports on federal agencies' cybersecurity posture to an online reporting system. Earlier this month, FISMA reporting requirements were increased from annual to monthly (PDF) as part of the effort to force agencies into more automated, online security monitoring and reporting.

"The move to monthly reporting was [former federal CIO] Vivek Kundra's effort to make it impossible to do security reporting as a bureaucratic exercise," says Mike Lloyd, chief scientist at RedSeal Systems, which makes security monitoring tools. "If you're doing it monthly, you can't do it with people pushing paper. He was trying to make reporting difficult enough to force agencies to move to automation."

Reports issued this month suggest that such a kick in the pants is sorely needed among federal agencies, which have been slow to implement continuous monitoring guidelines and the federal Cyberscope tools, which are designed to help automate the monitoring and reporting processes.

A study published this month by InformationWeek indicates that nearly half of federal IT pros are unaware of continuous monitoring requirements.

In another report issued this month, the Government Accountability Office (GAO) identified weaknesses in 17 of 24 agencies’ fiscal year 2010 efforts for continuous monitoring (PDF).

And in a third report (PDF) issued last week, the government watchdog Center for Regulatory Effectiveness (CRE) recognizes the lack of compliance with continuous monitoring requirements and outlines a set of best practices for implementing them, as exemplified by initiatives at NASA.

Of the three reports, the GAO study offers the most specifics on the deployment of continuous monitoring technology. In its investigation of 24 agencies, the GAO reported that two have not established a continuous monitoring program at all, and 15 of the agencies that have initiated a program had weaknesses in their implementations.

"These weaknesses included, for example, that continuous monitoring procedures were not fully developed or consistently implemented at 11 agencies," the report states. "In another example, 10 inspectors general cited weaknesses in ongoing assessments of selected security controls. Inspectors general at nine agencies reported that information, such as status reports covering continuous monitoring results, was not provided to key officials."

The GAO report not only cites issues with reporting security posture, but also with agencies' ability to take action based on their findings: "For example, 18 of 24 inspectors general reported that their agency had weaknesses in its configuration management programs, and 16 indicated their agency’s patch management processes for mitigating software flaws were not fully developed."

This issue is at the heart of the continuous monitoring problem, says Bruce Levinson, editor of FISMA Focus and author of the CRE's report on continuous monitoring.

"The agencies have to have a plan for the use of continuous monitoring data," Levinson says. "The question is not just how to collect the data, but how to use it to make better decisions about security. If agencies are not doing that, then this whole thing needs to be rethought."

Joe Gottlieb, CEO of security information and event monitoring vendor Sensage, agrees. "The data collection is important, but if agencies hope to truly improve security, they will have to be more proactive in how they analyze it," he says. "It's the analysis of the data that will help them find that user who's collecting unusual amounts of information and might be an insider threat."

So why aren't agencies moving more quickly toward continuous monitoring? Some experts say one big problem is federal contractors that have built big businesses supporting the paper process -- and are dragging their feet because they don't want to give up those businesses.

"Many of the agency heads have been part of the paper compliance process for a long time, and they resist the change," Levinson says. "On the contractor side, there has been a big pushback from those who have a vested interest in keeping the process the way it was."

"Federal contractors have been making big money doing policy review, and they don't want to give it up," says Tom Kellermann, CTO of AirPatrol, a mobile security vendor that does much of its business with the federal government. "But automation is clearly the answer long-term."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals.
