Continuous Monitoring and the Federal Government

February 26, 2013

“Continuous monitoring” is the latest buzzword being used throughout the federal government, and its definition changes depending on whom you talk to or what you read. The truth is there is no silver bullet to address this issue. There are a number of commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) products that help achieve continuous monitoring goals. But without the proper training, policies and procedures, federal agencies fall short of reaching those objectives.

The move to continuous monitoring narrows the gaping loophole that all current federal agencies’ system authorization policies leave open and is an explicit step towards achieving situational awareness. However, continuous monitoring programs are focused on risk and security controls, not actual threats. Even so, the development of these programs shows progress. With better visibility into agencies’ risk, leaders can start to make informed decisions to increase security against threats. As federal agencies continue to mature their controls to include real-time threat detection systems such as intrusion prevention systems (IPS) and malware detection, this gap will decrease.

While there is no silver bullet to help achieve continuous monitoring, the closest thing to one is another federal standard: Special Publication (SP) 800-37, the Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems. The RMF was published by the National Institute of Standards and Technology (NIST) in partnership with the Department of Defense (DoD), the Office of the Director of National Intelligence (ODNI), and the Committee on National Security Systems (CNSS). This standard was created to help modernize the Certification and Accreditation (C&A) process by adopting a lifecycle methodology. With the adoption of an RMF, senior leaders within federal agencies will be able to make near real-time decisions based on the enterprise or system risk as it relates to their core mission.

Is moving to an RMF really going to improve IT security within federal agencies? The short answer is yes. By providing a lifecycle approach to security controls with real-time (or near real-time) monitoring, the security posture of the agencies will improve. The increased visibility into the security controls, together with automated systems that track the performance of the controls, reduces risk. This is a great step forward for our federal systems, but it is only a step. To truly provide a real-time view of risk, we need to include other non-traditional data sources such as standards, training programs, and hiring practices. Some of this is addressed in the RMF, but there is no guidance on how to track it or factor it into an overall risk status. Once agencies expand their RMF to include these other data sources, they can use best practices built into SP 800-37 to help develop security, staffing, and training roadmaps. They can use this type of risk intelligence to show the gaps in security programs and help agency leaders make informed decisions on IT spending and initiatives. Agencies can also use the framework provided by NIST in SP 800-37 to develop a complete security program that leverages both threat and risk intelligence to improve the overall security posture.

By: Joseph Ford

Solutions Architect
