Continuous Monitoring as a Cost Saver
A Replacement for Checklist Compliance?
Continuous monitoring - continuous diagnostics in the new lingo of the federal government - is getting a lot more attention these days, as it should.
The idea is that the automated scrutiny of computer networks and systems to identify vulnerabilities not only will make them safer, but it could prove to be a money saver as well.
Even so, most organizations in the United States and Britain have yet to implement continuous monitoring, according to a new Ponemon Institute survey conducted for the risk management software provider Tripwire.
When asked to rate how well their organizations employ continuous monitoring to assess and prioritize risks, 46 percent of the 749 American and 571 British IT and risk management professionals surveyed say their organizations have partially or fully implemented continuous monitoring (see chart below). Still, that's a 7-point improvement over the 2012 results. "There's still a lot of room for improvement in the maturity of risk-based security programs and continuous monitoring of controls," the report says.
$6 Billion Plan
The U.S. federal government is betting $6 billion that continuous monitoring will make government IT more secure [see $6 Billion DHS IT Security Plan Advances]. A Department of Homeland Security initiative is aimed at helping federal, state and local government agencies purchase discounted wares to safeguard against IT vulnerabilities.
"We assume we're going to save money; we're also assuming that we're going to improve security by standardizing what we're deploying and measuring," says Chris Ipsen, Nevada chief security information officer, who's considering participating in the federal program.
Cost savings is especially important at the federal level, where congressionally imposed sequestration - automatic, across-the-board budget cuts - has caused agencies to scale back spending in all areas.
White House Cybersecurity Coordinator Michael Daniel sees continuous diagnostics as a way to reduce required compliance costs under the Federal Information Security Management Act. Continuous diagnostics, he says, provides a "closer to real-time understanding" of what's happening in government networks.
"We're interested in some activities that could really help us generate some savings, things like being able to do continuous diagnostics and monitoring on networks rather than doing [an] audit-compliance approach to network security, which takes up a lot of personnel bodies and reporting time," Daniel says. "We don't think that's an effective way of doing security."
The wasteful resources Daniel refers to are tied to FISMA's requirement that agencies annually file to Congress a checklist that shows the steps they've taken to secure their IT systems. But checking off boxes that say a system is in compliance doesn't mean the system is secure. Automated continuous diagnostics, on the other hand, regularly checks to see if the systems are secure. But even with adoption of continuous monitoring, Congress would have to amend the 11-year-old FISMA to eliminate agencies' costly annual reporting to Congress.
Calculating FISMA Reporting Costs
How costly is annual FISMA reporting? The Office of Management and Budget didn't have any idea. But testifying at a 2010 Senate hearing, SANS Institute Research Director Alan Paller cited a State Department estimate that it spent $133 million over six years to certify and accredit 150 of its major IT systems, producing 95,000 pages of documents [see Proof: Continuous Monitoring Does Work]. That's $22.2 million a year or $1,400 per page, just for one of the smaller agencies.
Of course, systems still have to be accredited, but much of the paperwork associated with FISMA compliance could be eliminated. Still, any savings won't be immediate. That's because many agencies need to invest more heavily in continuous monitoring. A Congressional Budget Office study issued last year showed that the cost of implementing FISMA reform would have increased spending by $710 million over five years.
One reason CBO projected higher FISMA spending is the failure of many agencies to properly employ continuous monitoring. CBO cited agencies' inspectors general reviews that show fewer than half of federal agencies have implemented adequate continuous monitoring operations of their computer systems.
Still, the move to continuous diagnostics makes good financial sense as a long-term investment in identifying systems' vulnerabilities. Organizations in and out of government should make the move.