Continuous Monitoring continues…

Last year, the federal government tightened its cyber-security requirements, moving away from point-in-time annual assessments and emphasizing “continuous monitoring” of security controls under revised FISMA reporting requirements.  The Department of State has been a leader in defining and implementing these new processes, and its iPost system is a compelling solution for continuous monitoring of host-level vulnerabilities and configuration controls.

So what’s next for continuous monitoring?  The State Department’s Office of Inspector General (OIG) evaluated the Department’s information security program.  Its first finding was that while State does continuously monitor host configurations, it is not yet monitoring the critical, volatile and inherited network controls (access controls enforced outside the host, such as firewall rules) that the hosts depend on.  You can read the entire report here.

One (of many) things that the new FISMA requirements do well is to require system owners to consider the security of the information system as a whole, not just the individual hosts or devices.  Firewalls and other network access controls are part of almost every information system, and their rules change far more often than a host baseline does, which is exactly why they need the same continuous monitoring as the hosts behind them.  OIG’s concern was that these weren’t taken into account:

“Additionally, the review team reviewed iPost controls as part of the Configuration Management (CM) review and found that while the controls did provide continuous monitoring, they did not compensate for the lack of annual testing for access and other volatile controls at the system level.”

This report is getting some attention beyond just the State Department.

InformationWeek has put together a strategic Continuous Monitoring Action Plan.