A Dynamic Approach to Federal Cybersecurity
September 29, 2011
09:24 AM EDT
At the 2010 RSA Conference, I issued a rallying call for the cybersecurity community to collectively evolve from previous static, compliance-based metrics programs to a more dynamic approach that utilizes continuous monitoring. Since then, we’ve seen the public and private sector respond with innovative approaches to this challenge.
In line with that call, recently the Office of Management and Budget released its reporting instructions for agencies under FISMA. In that memorandum, the federal government takes a significant step forward in our efforts to use continuous monitoring to more effectively and efficiently ensure the security of federal systems and networks:
Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs. Continuous monitoring programs thus fulfill the three year security reauthorization requirement, so a separate re-authorization process is not necessary.
Agencies can now use continuous monitoring to better ensure that their systems are secure, freeing resources that were previously spent on static compliance efforts and can now be devoted to improving security.
Along those lines, the Wall Street Journal reported on Monday (September 26, 2011) that the American business community is proactively seeking out the Department of State for its security scanning dashboard software – a solution that gives letter grades to senior decision makers and actionable information to security specialists – both of whom are provided updated information with a frequency that more appropriately matches the dynamic cyber landscape. More than 300 businesses and local, state and federal organizations across the country have contacted the State Department for information on starting their own continuous monitoring program.
Gone are the days when cyber security is the sole preserve of specialists. Protecting sensitive information impacts our society from Main Street to Middle America – from people shopping in a store downtown or on the web, to the doctor utilizing digital devices to diagnose a patient, or to the collaboration occurring with an overseas colleague on a research and development project. We must all work together, in both the public and the private sector, to ensure that our computers and networks are secure against cyber threats.