Continuous Monitoring Today—And Tomorrow
By Lon J. Berman, CISSP, RDRP
Step 6 of the Risk Management Framework (RMF) is entitled “Monitor Security Controls”. Many security professionals would argue it is the most important step, since monitoring is what transforms RMF from yet another “point in time” evaluation to a true life cycle process. It has been more than three years since the official adoption of RMF, yet no Information Security Continuous Monitoring (ISCM) policy, procedure or guidance has been published by DoD.
Security control CA-7 states:
“The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].”
For each of the Control Correlation Identifiers (CCIs) comprising this control, the RMF Knowledge Service provides the following Implementation Guidance and Assessment Procedure:
“Future DoD-wide Continuous Monitoring guidance to be published”
Many system owners (and independent assessors!) interpret this to mean CA-7 can legitimately be declared as “Not Applicable” pending publication of DoD-wide guidance. Is this really the end of the story (for now)? Can we just put the whole ISCM “thing” on the back burner until DoD finally publishes some guidance?
For the sake of your program’s mission … not to mention our Nation’s security … I sincerely hope not! That’s all nice to say, but how can you be expected to establish an effective ISCM program when there is no guidance available?
The answer is that, in reality, there is no shortage of available continuous monitoring guidance – both from DoD and elsewhere. And, beyond that, many technical tools that can be leveraged in support of your ISCM program are already available from DoD.
DoDI 8510.01 (RMF for DoD IT) lays out the system owner’s responsibilities for RMF Step 6 (Monitor Security Controls).
These include:
- Determining the security impact of proposed changes to the system
- Monitoring the system and environment for security-relevant events
- Periodically assessing of security control implementation
- Reporting significant changes in security posture to the Authorizing Official
- Assessing security controls annually
- Conducting remediation activities based on the results of ongoing monitoring and assessment activities
- Updating the system POA&M on a regular basis NIST SP 800-37 provides additional guidance on Step 6 activities.
NIST SP 800-137, entitled “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations”, is an entire volume dedicated to Continuous Monitoring. It covers topics such as: development of monitoring strategies and monitoring plans, selection of metrics and assessment frequencies, security status reporting, and monitoring program evaluation.
Other government publications supporting continuous monitoring activities include:
- NIST SP 800-92, “Guide to Computer Security Log Management”
- NIST SP 800-55, “Performance Measurement Guide for Information Security”
- “US Government Concept of Operations (CONOPS) for Information Security Continuous Monitoring (ISCM)”, published by the Joint Cybersecurity Performance Metrics Working Group
DoD has developed numerous tools to support continuous monitoring. These include:
- Assured Compliance Assessment Solution (ACAS) – an enterprise vulnerability scanning and reporting tool
- Host-based Security System (HBSS) – a suite of commercial products that include malware protection and host-based intrusion detection/prevention
- SCAP Compliance Checker (SCC) – a tool that facilitates scanning of operating systems and other software for compliance with DoD Security Technical Implementation Guides (STIGs)
- SCAP benchmarks – content developed by Defense Information Systems Agency (DISA) to support STIG compliance scanning (using SCC) of various commercial software products
- STIG viewer – software tool to facilitate “manual review” of operating systems, database management systems, web servers, etc., for STIG compliance
System owners are encouraged to leverage the above resources to implement a continuous monitoring program now. When DoD (finally) gets around to publishing their long-awaited Continuous Monitoring Policy/Guidance document, it will most likely take only minor adjustments to bring your ISCM program into complete compliance.
Between now and then, you’ll sleep better!