The Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) blanket purchase agreement (BPA) will fill a very important space in managing security risk, according to Ron Ross of the computer security division in the National Institute of Standards and Technology’s (NIST) Information Technology Laboratory.
Ross played an integral part in developing NIST’s Risk Management Framework. The framework is intended to give information security professionals throughout government a coherent structure for identifying the organizational risks facing the many different information systems in their agencies.
In the simplest terms, the risk management framework comes down to six steps: categorizing the information system and the information it handles; selecting baseline security controls for that system; putting those controls in place; assessing their implementation, effectiveness, and outcomes; authorizing the level of risk for the system; and monitoring the security controls on an ongoing basis for their effectiveness.
“When you have to assess all your security controls, the more [of them] you can automate will make the monitoring more efficient,” he said.
It used to be that infosec professionals were required to have their security measures certified and accredited every three years, Ross said, but that is a very long time to wait today, given how quickly the cyber environment changes. New kinds of cyber attacks, new hardware and software, and new applications affect many information systems, resulting in nearly daily changes.
The sensors and tools that CDM offers right now will gather information, which is the real purpose of monitoring, and provide feedback to senior leadership at agencies, allowing them “to understand what the current state of their security system is day-by-day,” Ross said. “Every federal agency … can set how frequently their [systems] are monitored. The CDM program is using automation to make that monitoring process very quick, very efficient, for a key set of security controls.”
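The six framework steps described above, and the point that automated sensor evidence is what makes the ongoing-monitoring step practical, as an added Python example (not code from the article, NIST, or the CDM program): it takes constructed sensor findings, selects the control baseline for a system's impact category, and flags each control as satisfied, failing, lacking evidence, or stale because its last check is older than the agency's chosen monitoring window. The control identifiers, the baseline mapping, the sample findings, and the authorization decision rule are all illustrative assumptions, not a published baseline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baseline: control id -> lowest impact category that requires it.
# The ids are used only as labels here; the mapping is an assumption, not a
# published NIST baseline.
BASELINE = {
    "AC-2": "low",       # account management
    "CM-6": "low",       # configuration settings
    "SI-2": "low",       # flaw remediation
    "AU-6": "moderate",  # audit record review
    "SC-7": "moderate",  # boundary protection
    "RA-5": "high",      # vulnerability scanning
}
LEVELS = {"low": 0, "moderate": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    """One sensor observation of one control on one system."""
    control: str
    system: str
    passed: bool
    observed: datetime  # when the sensor last checked this control


def select_controls(impact_level):
    """Step 2: the baseline controls a system of this category must implement."""
    need = LEVELS[impact_level]
    return sorted(c for c, lvl in BASELINE.items() if LEVELS[lvl] <= need)


def assess(impact_level, findings, now, max_age):
    """Steps 4 and 6: judge each baseline control from its most recent sensor
    evidence. Evidence older than max_age (the agency's monitoring window) is
    treated as stale rather than as a pass, so a three-year-old check cannot
    keep a control green."""
    latest = {}
    for f in findings:
        if f.control not in latest or f.observed > latest[f.control].observed:
            latest[f.control] = f
    report = {}
    for control in select_controls(impact_level):
        f = latest.get(control)
        if f is None:
            report[control] = "no-evidence"
        elif now - f.observed > max_age:
            report[control] = "stale"
        elif not f.passed:
            report[control] = "failing"
        else:
            report[control] = "satisfied"
    return report


def authorize(report):
    """Step 5: a simple authorizing-official decision rule (assumed): the
    system stays authorized only while every baseline control is satisfied."""
    return "authorized" if all(s == "satisfied" for s in report.values()) else "not-authorized"


def sample_findings(now):
    """Constructed sensor output for one system, relative to 'now'."""
    return [
        Finding("AC-2", "payroll", True, now - timedelta(hours=1)),
        Finding("CM-6", "payroll", True, now - timedelta(hours=3)),   # older pass
        Finding("CM-6", "payroll", False, now - timedelta(hours=2)),  # newer fail wins
        Finding("SI-2", "payroll", True, now - timedelta(days=3)),    # outside 1-day window
        Finding("AU-6", "payroll", True, now - timedelta(hours=1)),
        Finding("RA-5", "payroll", True, now - timedelta(hours=1)),   # not in moderate baseline
    ]


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0)
    report = assess("moderate", sample_findings(now), now, timedelta(days=1))
    for control, status in report.items():
        print(f"{control}: {status}")
    print(authorize(report))
```

Shrinking `max_age` is the knob the article describes each agency setting: with a one-day window the stale SI-2 evidence and the missing SC-7 evidence surface immediately instead of waiting for the next certification cycle.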
Using these automated monitoring tools frees up limited human resources to do the more difficult tasks. “Some of these cyber attacks require people to think about the problem and write defenses,” Ross said. “They’re not as amenable to the automation part.”
The use of automated controls such as those found under the CDM BPA should not be limited to government agencies and their contractors, Ross said. While NIST’s responsibilities for recommending standards and best practices are intended for that audience, “we always develop our publications with the private sector in mind, because we know the private sector” looks to NIST for guidance. “We treat every customer out there as one of our customers, even though they’re not required to use our stuff.”
And NIST is looking to other aspects of information technology with an eye to improved security. There are two sides to improving cyber security, Ross pointed out. “It’s not just continuous monitoring, you have to build right. It’s how to build stronger, more penetration-resistant systems. No matter how fast you are [monitoring], if the underlying system is fundamentally weak, you can’t stay ahead” of the threats.