An effective cybersecurity strategy requires more than a periodic safety check. That’s the thinking behind continuous monitoring, a risk management approach that seeks to keep organizations constantly apprised of their IT security status.
The National Institute of Standards and Technology describes continuous monitoring as providing an ongoing awareness of security threats and vulnerabilities. That approach provides a sharp contrast to what has been the federal norm of annual security reviews and more thorough recertifications every three years.
The rapid proliferation of malware and other cyberattacks encourages a faster monitoring tempo. IT security vendor Kaspersky Lab said in late 2013 that it was detecting 315,000 new malicious files each day, up from 200,000 new files per day the previous year. Panda Security, a security solutions provider, reported earlier this year that 20 percent of the malware that has ever existed was created in 2013.
As the onslaught continues, the federal sector has been taking steps to improve its situational awareness. Indeed, agencies have been following continuous monitoring directives and guidelines for a few years now. The Continuous Diagnostics and Mitigation program, which the Department of Homeland Security manages with support from the General Services Administration, is the government’s latest take on continuous monitoring. CDM provides a more comprehensive approach and makes funding available for agencies to adopt the security practice.
“The [CDM] program reflects the evolution of continuous diagnostic programs over the past 10 years,” a DHS official said.
However, Ron Ross, a NIST fellow, acknowledged that continuous monitoring is difficult given the number of IT systems in the federal sector and agencies’ diverse missions and business functions. “It is a big job to have a good continuous monitoring program so we can give senior leaders the best information that we can possibly give them,” he added.
Why itÂ matters
The Federal Information Security Management Act (FISMA) of 2002 requires agencies to review their information security programs at least annually, and Office of Management and Budget Circular A-130 calls for agencies to review their systems’ security controls at least every three years.
The government’s current security push, however, favors a more dynamic approach. The emphasis on continuous monitoring reflects the realization that nothing stays the same in the IT environment. The threat landscape changes with each new attack vector and malware variety, while agencies’ systems and networks are subject to frequent reconfiguration.
As a result, a security regimen that keeps the IT infrastructure locked down today might not provide adequate protection tomorrow. The moment-to-moment vigilance of continuous monitoring seeks to ensure that an agency’s security controls remain relevant.
Editor’s Note: Ideas inspired from;
John, Moore. “Can CDM change the game?– FCW.”
FCW. N.p., 10 OctÂ 2014. Web. 22 Dec. 2015.