The FISMA requirements updated in December 2014 place an increased emphasis on how agencies and contractors monitor their security controls. According to the new legislation, FISMA requirements now include:
The use of automated tools in agencies’ information security programs, including for periodic risk assessments, testing of security procedures, and detecting, reporting, and responding to security incidents.
This directive tells us that compliance is no longer going to be a predominantly documentation and reporting exercise and that continuous monitoring will play a more central role. In other words, the government is moving away from a ‘check-the-box’ approach, which means agencies and contractors must move away from it, too. The new FISMA legislation mandates that entities take a more proactive stance by appointing someone to mind the store at all times, not just when an audit report is due.
Continuous Monitoring: Going Beyond Data
Oftentimes, audit findings and ongoing monitoring reports are organized in dashboards or report cards. While this type of reporting is useful, it’s limited. Snapshot reporting is granular about data but typically says nothing about the process. It does help identify performance gaps, but it tends to elicit action around technical vulnerabilities and fixes, which might not solve the root problem.
It’s critical to go beyond summary data and conduct ongoing validation and testing of your processes as well. Think creatively here. For example, choose five random change management tickets and verify that proper procedure was followed:
- Were all of the stakeholders notified?
- Did the appropriate advisory board members have an opportunity to weigh in?
- Was adequate testing performed?
This type of sampling will help you identify procedures that are lapsing on a continual basis and/or individuals who are failing to perform the requisite tasks. But don’t stop there. It’s important not only to check that procedures are being followed but also to evaluate the process for its efficacy and alignment with business requirements. Sometimes, an organization will continue to perform a standard operation simply because ‘they’ve always done it that way.’ Underperforming processes become institutionalized, thereby weakening the effectiveness of security controls overall. Validation tests help verify that your staff is adhering to the procedure, but regular testing also gives you the opportunity to challenge each initiative to make sure it’s optimized and that it supports your business goals.
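An added example (not from the original article) of automating this kind of sampling check: it draws five tickets from a constructed set of change-management records, applies the three questions above to each, and rolls up failures by procedural step and by ticket owner so that recurring lapses, rather than one-off misses, stand out. The record fields, owner names and threshold are assumptions.

```python
import random
from collections import Counter

# Constructed change-management records (assumption, not real tickets). Each one
# records the three facts the sampling questions in the text ask about.
TICKETS = [
    {"id": "CHG-1001", "owner": "alice", "notified": True,  "cab_reviewed": True,  "tested": True},
    {"id": "CHG-1002", "owner": "bob",   "notified": True,  "cab_reviewed": False, "tested": True},
    {"id": "CHG-1003", "owner": "bob",   "notified": False, "cab_reviewed": False, "tested": True},
    {"id": "CHG-1004", "owner": "carol", "notified": True,  "cab_reviewed": True,  "tested": False},
    {"id": "CHG-1005", "owner": "alice", "notified": True,  "cab_reviewed": True,  "tested": True},
    {"id": "CHG-1006", "owner": "bob",   "notified": True,  "cab_reviewed": False, "tested": True},
    {"id": "CHG-1007", "owner": "dave",  "notified": True,  "cab_reviewed": True,  "tested": True},
    {"id": "CHG-1008", "owner": "carol", "notified": False, "cab_reviewed": True,  "tested": True},
]

# The three procedural questions from the text, each as a predicate over a ticket.
CHECKS = {
    "stakeholders notified": lambda t: t["notified"],
    "advisory board reviewed": lambda t: t["cab_reviewed"],
    "adequate testing performed": lambda t: t["tested"],
}

def sample_tickets(tickets, n=5, seed=None):
    """Draw n tickets at random; pass a seed only to make a run reproducible."""
    return random.Random(seed).sample(tickets, min(n, len(tickets)))

def validate(tickets):
    """Map each ticket id to the list of checks it failed (empty list = compliant)."""
    return {t["id"]: [name for name, ok in CHECKS.items() if not ok(t)] for t in tickets}

def lapses_by_check(findings):
    """How often each procedural step was skipped across the sample."""
    return Counter(name for fails in findings.values() for name in fails)

def lapses_by_owner(tickets, findings):
    """How many skipped steps each ticket owner is responsible for."""
    return Counter(t["owner"] for t in tickets for _ in findings[t["id"]])

def recurring(counter, threshold=2):
    """Steps or people with repeated failures: a pattern, not a one-off."""
    return sorted(k for k, v in counter.items() if v >= threshold)

if __name__ == "__main__":
    picked = sample_tickets(TICKETS, 5, seed=2014)
    findings = validate(picked)
    for tid, fails in findings.items():
        print(tid, "OK" if not fails else "FAILED: " + ", ".join(fails))
    print("recurring lapses:", recurring(lapses_by_check(findings)))
    print("repeat offenders:", recurring(lapses_by_owner(picked, findings)))
```

Run against a fresh random sample each review cycle; the per-step and per-owner counters are what turn a snapshot into evidence about the process itself.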
Adopting a Mature Model
In recent years, some agencies and contractors have begun migrating to a maturity model of cybersecurity implementation. These models are complex and take time to incorporate, but ultimately, the organizations that adopt them enjoy more sophisticated data security infrastructures. And while NIST standards mandate specific FISMA requirements for all agencies and contractors, many forward-thinking management teams are exploring other models to stimulate new perspectives and fresh thinking in their approach.
One example of a model highly regarded by multiple agencies is Carnegie Mellon University’s Software Engineering Institute’s Capability Maturity Model (CMM). As with all maturity models, rather than fighting constant fires, the CMM advocates creating a unified, enterprise-wide program that continues to improve as self-reported findings emerge. According to this methodology, process maturity moves through five levels:
Level 1 – Initial
Basic practices are in place, but performance is ad hoc. This may partly be a reflection of the lack of experience on the team. It’s difficult to move beyond this level without a concentrated effort to do so, since documenting weaknesses and learning from them are not a high priority here. Besides the drain on resources, this type of environment puts data at unnecessary risk and inhibits an entity from working toward its true mission and goals.
Level 2 – Repeatable
At this level, management has put some processes in place that are carried out in a consistent way. Though the structure is still primitive, repeatable processes are more likely to be maintained during a crisis.
Level 3 – Defined
At level 3, there is a higher degree of standardization and more resources are expended to support the process. The security controls environment is fairly stable throughout the organization and the stakeholders are better trained.
Level 4 – Managed
Here, process metrics are being implemented and management has more control. Processes are more readily adapted to particular projects while adhering to specifications and maintaining a high degree of efficacy.
Level 5 – Optimizing
With a solid foundation in place, an organization at this level of maturation continues to identify areas of improvement, striving constantly toward optimization across the enterprise. As you ‘graduate’ to higher levels of maturation, policies and procedures become part of your institutional knowledge, independent of who is executing them. Over time, the CMM allows you to benchmark your outcomes against your own findings and against industry standards as well. Processes and procedures become more defined, documented, and repeatable.
Security controls move toward optimization, and continuous monitoring becomes an integral part of your process. You will also find that you have created a new organizational culture—one that places a top priority on securing data, and one that believes this noble goal can actually be accomplished.