It seems like every day there is a new data breach in the headlines. To address information security challenges facing government agencies, Congress instituted the Federal Information Security Management Act (FISMA) of 2002.

The National Institute of Standards and Technology (NIST) regularly recommends new guidance to help give agencies a clearer deployment path to a more robust information security program. One of these recommendations, continuous monitoring is top of mind right now across all civilian, DOD and intelligence agencies.


Some soon to be published, recently published and recently updated guidance include:

NIST SP 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations (final revision scheduled for May 2011) for developing a continuous monitoring strategy and implementing a related program.

NIST SP 800-39, Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems (published Dec 2010) establishes a risk management framework (RMF) that promotes the concept of near real-time risk management through the implementation of a continuous monitoring process.

NIST SP 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations (published May 2010) defines many of the technical security controls needed to implement both SP 800-137 and SP 800-39.

While these sets of guidance can be interpreted, deployed and audited in a wide variety of ways, let’s try to understand what NIST is actually trying to say about continuous monitoring.

The spirit of the “law”, getting the compliance box checked, and actually being secure can be very different things.

First, there is a need to understand exactly what NIST means by “continuous monitoring.” According to NIST, most organizations tend to associate monitoring with periodic security assessments, system reauthorizations, data analysis and associated reporting. In addition to these passive security practices, NIST states that a well-designed continuous monitoring strategy must also include proactive testing to effectively mitigate risk.

NIST describes continuous monitoring as helping to “ensure ongoing situational awareness and control of the security of systems across the organization and ongoing knowledge of associated threats and vulnerabilities, despite inevitable changes to organizational information systems and their environments of operation.”

As part of the continuous monitoring documents, NIST SP 800-137 states that the following are “essential to organization-wide continuous monitoring”:

1. Ongoing assessment of security controls – Read this as, “Test the stuff you already bought and figure out if it is working.”

2. Configuration management, change control and a corresponding security impact analyses – In other words, “If you make a change, like standing up a new app, what is the overall effect? Are you more secure or less secure now?”

3. Security status reporting – When doing this, you need to consider the metrics and reports you are using. Do they reflect the real risks your organization is facing?

The third point above deals with numbers/metrics/reports, though it’s not about getting numbers for the sake of having more data. Most CSOs I’ve spoken with (both commercial and federal) state quite emphatically in fact, that they don’t need more data or more tools. Instead, they need to get better information from the volume of data they already have.

NIST is asking executives to measure and collect data in a way that most accurately pinpoints and validates actual risks to critical assets, while also specifying that the data be meaningful and actionable. NIST recognizes this not only by emphasizing security data collection, but also by specifying that the data be meaningful and actionable.

For instance, NIST SP 800-137 explains that, “Metrics are measures that have been organized into meaningful information to support decision making. Metrics are developed for system-level data to make it meaningful in the context of mission/business or organizational risk management.”

So what does all this mean?

Here are my recommendations in a nut shell:

  • Figure out if your most secure information is actually secure.
  • Test and retest your security regularly (once a quarter doesn't cut it, let alone once a year).
  • Be able to prove whether your security controls are working.
  • Ask yourself is what you really are reporting on the right metric? Is getting detail on the 358,453 malware attempt against your environment important or is it more important to understand what a line of business manager or executive will actually care about (and frankly understand)?

If you don’t have an integrated, repeatable security methodology in place today that will allow you to accomplish all of this, now would be a good time to put one together.

Michael Yaffe is a government security strategist at Core Security. In this role, he is responsible for driving the company’s strategic government product and marketing efforts. Yaffe is an industry veteran with more than 15 years of experience in information security. Prior to joining Core Security, he served as director of marketing at NTRU, an information security company providing cryptographic solutions to enterprises worldwide. Yaffe holds an undergraduate degree from Bryant College and a graduate degree from Boston University. He can be reached at mike@coresecurity.com.