After a great deal of debate and delay, the Federal Information Security Management Act (FISMA) finally saw a substantive update in December 2014. For federal agencies and the businesses that contract with them, this means a considerable shift in the way FISMA compliance is reported – and more specifically, the way organizations monitor their own security.
Many agencies and businesses may not fully understand the changes, or may not be prepared to implement them. In addition, many of the changes haven’t been fully defined by the government yet. So what do FISMA’s requirements mean for these groups, and how can they use continuous monitoring to support robust FISMA compliance?
Previously, FISMA reporting consisted of extensive documentation, and the problems with this approach were many.
It took a great deal of time and effort to compile the reporting packages. Few organizations truly believed that their documentation would be reviewed. But the biggest problem was more fundamental: these documents were ineffective in promoting the security of agencies and businesses, because they only looked backward.
Even if FISMA compliance reporting revealed a security vulnerability, it was likely to be too late – and the security landscape was likely to have changed in the meantime. This backward-looking documentation spoke only to a single moment in time. In order to truly improve security controls, organizations needed to better understand their ongoing security realities.
For this reason, FISMA has been updated to replace the old onerous documentation process with a continuous monitoring approach. This way, agencies and businesses will monitor and assess key performance indicators (or KPIs) on an ongoing basis. The KPIs will function as the metrics of an organization’s security success, making FISMA reporting a much more accurate and automated process.
Now, FISMA compliance is a matter of real-time data, and it should be much more meaningful for covered organizations. But there are steps that every business and agency should take to ensure that their continuous monitoring is as effective as possible.
A proactive approach
While any degree of continuous monitoring is a major step beyond the old moment-in-time approach, simple reporting is rarely enough to support a robust security apparatus.
Reporting, even in real time, is still reactive – it doesn’t engage substantively with your processes, and more importantly, it doesn’t influence them. While you might find bugs or technical vulnerabilities based on simple reporting, you might not find the deeper problems: the ones rooted in processes and behaviors.
That’s why it’s important to incorporate continuous validation and testing of your processes. You might, for example, select a process such as change management, follow a single ticket through it, and confirm that the proper protocol is followed at every step. As you examine your processes, make sure that you take a proactive approach, assessing whether they are truly optimized and in alignment with your needs, or whether they have simply become institutionalized out of habit.
As the cybersecurity discipline evolves, many practitioners have adopted implementation models based on the idea of “maturity.” While there are many strong models out there, one of the most widely respected in the federal space is the Software Engineering Institute of Carnegie Mellon University’s Capability Maturity Model (CMM).
As featured in Help Net Security.