NIST answers to questions on continuous monitoring suggest no drastic change in approach
In the wake of the release of its updated Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, which among other things calls for federal agencies to continuously monitor the security controls associated with their information systems, the Computer Security Division of the National Institute of Standards and Technology (NIST) today published a set of frequently asked questions (and answers to those questions) on continuous monitoring. In contrast to some initial interpretations of pending changes in the application of federal certification and accreditation processes, this guidance from NIST makes it quite clear that it envisions continuous monitoring as an additional component of security program procedures followed to authorize systems, not as a substitute for them. It would seem that NIST is positioning continuous monitoring simply as an additional, and very valuable, source of information for agencies making risk-based decisions about the security of their information systems. This positioning is consistent with language in a memorandum from OMB distributed to all department and agency heads in April, as is the point made in both documents that by performing continuous monitoring, agencies meet the periodic testing and evaluation requirement under the Federal Information Security Management Act (FISMA).
The consideration of continuous monitoring as an additive element to existing federal information security program practices inevitably raises the question of agency resources needed to comply with expanded obligations. In the context of arguing for the record that conventional certification and accreditation practices are expensive to follow and provide little value in terms of actually securing agency systems and environments, many federal agency officials have questioned the economic wisdom of continuing to authorize their systems using existing methods and approaches. While the Department of State has, so far, continued to conduct security authorization activities and produce accreditation package documentation in parallel with its relatively new automated risk-scoring approach to security posture assessment, other agencies appear to believe that current compliance approaches mandated under FISMA (and OMB Circular A-130) will be deprecated in favor of some other, yet-to-be-determined mechanism, whether by executive agency action or by act of Congress. These agencies, notably including NASA, have sought to re-allocate resources away from authorization tasks in favor of standing up continuous monitoring capabilities.
While it may be hard to see continuous monitoring as a negative, even if it does not represent a real shift away from compliance-driven processes, making the newer requirements simply additive, rather than revisionary, seems to be a lost opportunity to pursue real enhancements in agency security postures. The current emphasis for OMB is on moving the government toward more streamlined and more frequent security reporting, via the CyberScope online reporting solution. For its initial rollout, and perhaps until the information being reported is revised significantly, changing the submission mechanism and frequency of reporting doesn’t get to the heart of the problem in federal security practices, which is too great a reliance on compliance exercises rather than real situational awareness. If agency CISOs and Congress all agree that compliance with security guidance does not equal actual improved security, then more frequent compliance checks cannot be the answer. The potential remains, depending on how continuous monitoring is implemented among agencies, for agencies to settle on a more appropriate set of security metrics than those currently required for reporting under FISMA. If, however, there is no change in the level of documentation and procedural requirements associated with system authorization, then many agencies may not have the resources within their security programs to make a genuine and sustained effort on continuous monitoring.
2 Comments on “NIST answers to questions on continuous monitoring suggest no drastic change in approach”
800-37 only requires 3 artifacts — SSP, SAR, POA&M. Usually it’s agency policies that make these 3 documents into the size of books. There’s nothing that should stop agencies from referencing other systems development and engineering documentation and using something like the SSP as a pointer document.
Cross-referencing among documents is encouraged, including among separately authorized systems from which a given system may “inherit” controls (like physical and environmental protection from a data center that hosts multiple, separately accredited systems). The SSP is also supposed to be a pointer to other sources of detail, but that detail usually has to exist or be developed to be referenceable. With respect to the Security Assessment Report in particular, there is an enormous level of effort required to complete a full assessment using SP800-53A, so the fact that the “required” final document need not be enormous doesn’t remove the burden from agencies of providing detailed control assessments for a large proportion of the 198 controls in 800-53. Even if a lot of these are derived from common controls, the level of effort should not be underestimated.