Despite Stiffer Reporting Requirements, Many Agencies Still Slow To Implement Continuous Monitoring

New federal government guidelines mandate monthly reporting, but online security monitoring still isn't pervasive

In a month dedicated to cybersecurity awareness, federal agencies are falling short in their efforts to implement tools for continuously monitoring security, according to experts and government watchdog organizations.

"Continuous monitoring," a phrase coined under the federal government's FISMA guidelines, refers to the shift from paper reports on federal agencies' cybersecurity posture to an online reporting system. Earlier this month, FISMA reporting requirements were increased from annual to monthly as part of the effort to push agencies into more automated, online security monitoring and reporting.

"The move to monthly reporting was [former federal CIO] Vivek Kundra's effort to make it impossible to do security reporting as a bureaucratic exercise," says Mike Lloyd, chief scientist at RedSeal Systems, which makes security monitoring tools. "If you're doing it monthly, you can't do it with people pushing paper. He was trying to make reporting difficult enough to force agencies to move to automation."

Reports issued this month suggest that such a kick in the pants is sorely needed among federal agencies, which have been slow to implement continuous monitoring guidelines and the federal Cyberscope tools, which are designed to help automate the monitoring and reporting processes.

A study published this month by InformationWeek indicates that nearly half of federal IT pros are unaware of continuous monitoring requirements.

In another report issued this month, the Government Accountability Office (GAO) identified weaknesses in 17 of 24 agencies' fiscal year 2010 efforts for continuous monitoring.

And in a third report issued last week, the government watchdog Center for Regulatory Effectiveness (CRE) documents the lack of compliance with continuous monitoring requirements and outlines a set of best practices for implementing them, as exemplified by initiatives at NASA.

Of the three reports, the GAO study offers the most specifics on the deployment of continuous monitoring technology. In its investigation of 24 agencies, the GAO reported that two have not established a continuous monitoring program at all, and 15 of the agencies that have initiated a program had weaknesses in their implementations.

"These weaknesses included, for example, that continuous monitoring procedures were not fully developed or consistently implemented at 11 agencies," the report states. "In another example, 10 inspectors general cited weaknesses in ongoing assessments of selected security controls. Inspectors general at nine agencies reported that information, such as status reports covering continuous monitoring results, was not provided to key officials."

The GAO report not only cites issues with reporting security posture, but also with agencies' ability to take action based on their findings: "For example, 18 of 24 inspectors general reported that their agency had weaknesses in its configuration management programs, and 16 indicated their agency’s patch management processes for mitigating software flaws were not fully developed."

This issue is at the heart of the continuous monitoring problem, says Bruce Levinson, editor of FISMA Focus and author of the CRE's report on continuous monitoring.

"The agencies have to have a plan for the use of continuous monitoring data," Levinson says. "The question is not just how to collect the data, but how to use it to make better decisions about security. If agencies are not doing that, then this whole thing needs to be rethought."

Joe Gottlieb, CEO of security information and event management (SIEM) vendor Sensage, agrees. "The data collection is important, but if agencies hope to truly improve security, they will have to be more proactive in how they analyze it," he says. "It's the analysis of the data that will help them find that user who's collecting unusual amounts of information and might be an insider threat."

So why aren't agencies moving more quickly toward continuous monitoring? Some experts say one big problem is federal contractors that have built big businesses supporting the paper process -- and are dragging their feet because they don't want to give up those businesses.

"Many of the agency heads have been part of the paper compliance process for a long time, and they resist the change," Levinson says. "On the contractor side, there has been a big pushback from those who have a vested interest in keeping the process the way it was."

"Federal contractors have been making big money doing policy review, and they don't want to give it up," says Tom Kellermann, CTO of AirPatrol, a mobile security vendor that does much of its business with the federal government. "But automation is clearly the answer long-term."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.