Toward that end, the federal government has modified its guidance in support of these critical areas. One big change under way is the shift from annual security threat assessments to the use of real-time metrics, analysis, and evaluation, referred to as "continuous monitoring."
Federal CIO Vivek Kundra has called attention to the need for federal agencies to implement continuous monitoring, and has instructed agencies to include funding for the tools required to enable continuous monitoring in their budget submissions for fiscal 2012.
Agencies across government are at different stages of implementation, but most are still in the early stages. Many need to invest in new IT capabilities to get from a static security posture to this new continuous approach. As evidence of that, In-Q-Tel, the technology investment arm of the CIA, invested in RedSeal Systems, a developer of automation software for continuous monitoring. RedSeal's software monitors firewalls, routers, and load balancers, watching for unauthorized access and identifying risks.
In February 2010, the National Institute of Standards and Technology (NIST) issued its "Guide for Applying the Risk Management Framework to Federal Information Systems." NIST developed this publication in conjunction with the Department of Defense, Office of Director of National Intelligence, and Committee on National Security Systems. The report explains new federal guidelines and standards, tasks related to continuous monitoring, and key considerations for selecting the supporting tools for compliance.
The objective of this collaborative initiative is to provide a common framework that can be used across federal government to transform from static, discrete, point-in-time certification and accreditation to an approach based on a six-step risk management framework. One objective is to enable more dynamic, active management of an IT environment in which the threats and vulnerabilities are changing at an increasing pace.
The six-step risk management framework goes like this: