When government agencies or cloud service providers develop an information security strategy to achieve and maintain FISMA compliance, they face a complex set of guidelines for ensuring and demonstrating the protection of government data. But one element demands special attention from cloud providers: continuous monitoring.
A successful continuous monitoring strategy is less about documentation of risk and more about making valuable, results-driven and perpetual improvements to the overall security of the IT environment.
To ensure compliance with the Federal Information Security Management Act (FISMA), guidelines put out by the National Institute of Standards and Technology (NIST) include its Risk Management Framework, which outlines how government agencies and cloud providers can identify and manage security threats on an ongoing basis. The framework has six distinct stages: categorization of the system; selection, implementation and assessment of security controls; authorization of the information system; and continuous monitoring of security controls. Without this final stage, the other actions to secure IT systems become quickly outdated, making the system vulnerable.
However, continuous monitoring for FISMA compliance requires cloud providers to shift from a traditionally static approach to a cyclical, more dynamic strategy in order to provide the near real-time situational awareness they need to make evidence-based security decisions. Moreover, continuous monitoring helps maintain compliance with other security standards outside of NIST, including HIPAA, SOX, PCI and HITECH.
A successful continuous monitoring strategy is less about documentation of risk and more about making valuable, results-driven and perpetual improvements to the overall security of the IT environment. A solid continuous monitoring strategy incorporates management, tools, training, testing, reporting and remediation.
For a cloud provider's continuous monitoring strategy to evolve, it must have strong information security governance and management at its foundation. This approach to governance and management should comprise:
- Policy: Continuous monitoring requires a detailed, documented plan with support from both senior leadership and IT operations. It should outline the exact processes used to provide cycling assessments, and the entire plan must be revisited regularly.
- Oversight: A critical factor for results-driven continuous monitoring is aligning accountability and oversight with established business practices. This approach allows the strategy to become an integrated and ongoing part of business operations -- not a special add-on. This reinforces the focus on real-time monitoring over point-in-time assessments.
- Implementation: Clearly defined procedures for decision making and control implementation are the final components of management. Effective continuous monitoring is about execution. Identifying stakeholders' roles and responsibilities, as well as how they should communicate remediation efforts, ensures that continuous monitoring is not just about failure assessment.
Well-defined management practices improve the efficiency of continuous monitoring by streamlining the process from discovery all the way to the remediation of an identified weakness.
Selecting the appropriate appliances and software is also critical to a successful continuous monitoring strategy, and an already well-designed environment may not require too much extra investment. A cost-effective approach is for cloud providers or agencies to take stock of their existing environmental sensors, and then determine what new security and reporting tools are required to provide the appropriate level of automation.
The goal of continuous monitoring
"A well‐designed and well‐managed continuous monitoring program can effectively transform an otherwise static and occasional security control assessment and risk determination process into a dynamic process that provides essential, near real‐time security status‐related information to senior leaders," according to an FAQ from the National Institute of Standards and Technology.
The provider should build their architecture in a way that allows the information the tool reports to be combined with human analysis in a dashboard design. Since the cloud provider or government agency determines the actual reporting schedule according to its needs, this dashboard is updated and the findings remediated on a regular basis.
Training is a direct outcome of an effective management plan in that it provides the vehicle to move a plan into execution. Thorough and practical training should be part of the continuous monitoring strategy itself, and this training should cover the processes involved with maintaining, accessing and analyzing all elements of a continuous monitoring strategy, as well as training on the security tools being used. As the cloud provider's continuous monitoring strategy evolves in response to the ongoing assessments, the training should be updated as well.
Testing continuously assesses the full management, operational and technical controls of the assessment capability. The testing component of continuous monitoring requires several steps to ensure thorough and cost-effective outcomes:
- Interview the stakeholders.
- Examine existing policies.
- Investigate the system.
- Test the system.
- Identify automated versus manual protocols.
Once the appropriate testing tools are in place, testing is a continuous loop that can be set up to run on a recurring and regular basis. Carefully designed and selected automated tools are the best complement to subject-matter expertise. The best way to determine the structure and frequency of the testing loop within the continuous monitoring policy is to consider the level of risk measured against the cost of running the test. In an efficient continuous monitoring model, risks are identified and fixed quickly.
The information collected from testing is only as useful as the mechanism that reports it. Customizing this reporting ensures timely decision making. The structure of a customized dashboard of testing data, risk scores and remediation notes must focus on an accurate and usable format. Technical subject-matter experts and architecture experts not only interpret the data, but they must also rely on a predetermined policy, as mentioned earlier, to advise business and technical representatives on how to use the data to make decisions rapidly.
The final component of continuous monitoring is acting on the data. Executing remediation activities in a timely manner is what elevates continuous monitoring from merely documenting risks to data-driven action. As part of the remediation process, the assessment should:
- Identify, validate and prioritize risks;
- Test the fix;
- Support the fix.
Depending on the relationship of the third-party security assessor to the government agency or cloud provider, a secondary assessor may be involved at this last stage in order to preserve independent assessor status.
Government agencies and cloud providers should look for a third-party security assessor that has experience with continuous monitoring and working with cloud-specific certification programs, such as FedRAMP. Access to subject-matter experts in security control testing, analysis and engineering is essential to providing a complete continuous monitoring strategy. Finally, the cloud provider should have the industry relationships that allow a diverse selection of tools and solutions to provide selection, implementation and support.
This powerful, results-driven approach to continuous monitoring balances the use of automated tools with thorough human analysis, management and engineering support -- emphasizing ongoing action and remediation based on a continuous feed of information from the assessment.
About the author:
David Svec is co-principal and co-founder of Veris Group LLC, a cybersecurity consultancy and an accredited FedRAMP third-party assessment organization (3PAO) based in Vienna, Va.