FCW : October 2014
Continuous monitoring: A new look and a wider scope
BY JOHN MOORE

CDM represents a dramatic shift from the government’s traditional focus on certifying systems as secure and then rechecking them every so often

An effective cybersecurity strategy requires more than a periodic safety check. That’s the thinking behind continuous monitoring, a risk management approach that seeks to keep organizations constantly apprised of their IT security status. The National Institute of Standards and Technology describes continuous monitoring as providing an ongoing awareness of security threats and vulnerabilities. That approach provides a sharp contrast to what has been the federal norm of annual security reviews and more thorough recertifications every three years.

The rapid proliferation of malware and other cyberattacks encourages a faster monitoring tempo. IT security vendor Kaspersky Lab said in late 2013 that it was detecting 315,000 new malicious files each day, up from 200,000 new files per day the previous year. Panda Security, a security solutions provider, reported earlier this year that 20 percent of the malware that has ever existed was created in 2013.

As the onslaught continues, the federal sector has been taking steps to improve its situational awareness. Indeed, agencies have been following continuous monitoring directives and guidelines for a few years now. The Continuous Diagnostics and Mitigation program, which the Department of Homeland Security manages with support from the General Services Administration, is the government’s latest take on continuous monitoring. CDM provides a more comprehensive approach and makes funding available for agencies to adopt the security practice.

“The [CDM] program reflects the evolution of continuous diagnostic programs over the past 10 years,” a DHS official said.

However, Ron Ross, a NIST fellow, acknowledged that continuous monitoring is difficult given the number of IT systems in the federal sector and agencies’ diverse missions and business functions. “It is a big job to have a good continuous monitoring program so we can give senior leaders the best information that we can possibly give them,” he added.

Why it matters

The Federal Information Security Management Act (FISMA) of 2002 requires agencies to review their information security programs at least annually, and Office of Management and Budget Circular A-130 calls for agencies to review their systems’ security controls at least every three years. The government’s current security push, however, favors a more dynamic approach.

The emphasis on continuous monitoring reflects the realization that nothing stays the same in the IT environment. The threat landscape changes with each new attack vector and malware variety, while agencies’ systems and networks are subject to frequent reconfiguration. As a result, a security regimen that keeps the IT infrastructure locked down today might not provide adequate protection tomorrow. The moment-to-moment vigilance of continuous monitoring seeks to ensure that an agency’s security controls remain relevant.

“DHS is really the first dot-gov agency to lead the charge in CDM implementation, and this is laudable.”
RICK ROACH, DIGITAL MANAGEMENT INC.

30 | October 2014 | FCW.COM | ExecTech