Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/24/2009
03:29 PM
50%
50%

NIST Urges Feds To Continuously Monitor Cybersecurity Efforts

New document puts more onus on applying risk management throughout the life cycle of IT systems

Draft guidance from the National Institute of Standards and Technology issued last week, pushes government agencies to adopt a comprehensive, continuous approach to cybersecurity, tackling criticism that federal cybersecurity regulations have placed too much weight on periodic compliance audits.

The guidance, encapsulated in a draft revision to NIST Special Publication 800-37, will likely be finalized early next year. While federal agencies aren't required to follow all of its recommendations, NIST is officially charged with creating standards for compliance with the Federal Information Systems Management Act, (FISMA), which sets cybersecurity requirements in government, so this guidance should at the very least be influential. As official statistics show attacks on the federal government continuing to rise, the Government Accountability Office and agency inspector generals have repeatedly found the federal government or particular agencies falling short of the spirit of FISMA, if not its letter. Meanwhile, critics have repeatedly found fault with either FISMA or its implementation in practice, saying that it doesn't do enough to ensure that government agencies remain consistently vigilant about cybersecurity.

The new document puts more onus on applying risk management throughout the lifecycle of IT systems. "This is part of a larger strategy to try to do more on the front end of security as opposed to just on the back end," says NIST's Ron Ross, who is in charge of FISMA guidance at the agency. "We don't think of security as a separate undertaking, but as a consideration we make in our normal lifecycle processes."

Special Publication 800-37 fleshes out six steps federal agencies should take to tackle cybersecurity: categorization, selection of controls, implementation, assessment, authorization, and continuous monitoring. It improves on earlier guidance by emphasizing making rigorous cybersecurity part and parcel of the deployment and operation of IT systems.

The document breals out its cybersecurity guidance in several steps. First, federal agencies are advised to determine the value of their information. Secondly, it recommends that they determine what controls are necessary for information of that value. Third, it suggests the need to actually put the security controls in place. Fourth, it advises an assessment of whether the controls were implemented correctly. Fifth, senior leadership is urged to make a decision as to whether adequate security steps have been taken.

Finally, and perhaps most significantly, the document advises federal agencies to put continuous monitoring in place. Software, firmware, hardware, operations, and threats change constantly. Within that flux, security needs to be managed in a structured way, Ross says.

"We need to recognize that we work in a very dynamic operational environment," Ross says. "That allows us to have an ongoing and continuing acceptance and understanding of risk, and that ongoing determination may change our thinking on whether current controls are sufficient."

The continuous risk management step might include use of automated configuration scanning tools, vulnerability scanning, and intrusion detection systems, as well as putting in place processes to monitor and update security guidance and assessments of system security requirements.

NIST will keep public comment on Special Publication 800-37 open until the end of the year.

The new document is the second in a series of five that aims to create a more consistent, unified framework for federal cybersecurity. A consortium of agencies, which includes representatives from the military, intelligence agencies, and civilian agencies, is behind the creation of the series.

The first in the series, Special Publication 800-53, provided updated recommendations on security controls. The other three documents will advise federal agencies on how to assess the effectiveness of security measures, provide an enterprise architecture lens through which to look at cybersecurity, and how to assess risk and tackle existing problems.

Over the coming year or two, NIST also plans to help integrate cybersecurity guidance into the government's official Federal Enterprise Architecture methodology, release a technical cybersecurity framework for systems and security eng

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12875
PUBLISHED: 2019-06-18
Alpine Linux abuild through 3.4.0 allows an unprivileged member of the abuild group to add an untrusted package via a --keys-dir option that causes acceptance of an untrusted signing key.
CVE-2017-8335
PUBLISHED: 2019-06-18
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of setting name for wireless network. These values are stored by the device in NVRAM (Non-volatile RAM). It seems that the POST parameters passed in this...
CVE-2017-8336
PUBLISHED: 2019-06-18
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that...
CVE-2019-12874
PUBLISHED: 2019-06-18
An issue was discovered in zlib_decompress_extra in modules/demux/mkv/util.cpp in VideoLAN VLC media player 3.x through 3.0.7. The Matroska demuxer, while parsing a malformed MKV file type, has a double free.
CVE-2012-6711
PUBLISHED: 2019-06-18
A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in func...