FCW : October 2014
Ken Ammon, chief strategy officer at Xceedium, said continuous monitoring places agency risk management on a whole new footing by addressing the question of “how do I manage risk on a real-time basis rather than on a legacy certification and accreditation basis?” DHS has deployed Xceedium’s privileged identity management solution, and other government departments, prompted by various security directives, have adopted continuous monitoring programs to mitigate risk.

The fundamentals

Continuous monitoring is a hot security topic today, but the concept dates back nearly 20 years. NIST’s Special Publication 800-12 was published in 1995 as an introduction to computer security. It drew a distinction between a system audit, which it describes as a “one-time or periodic event to evaluate security,” and monitoring, which it defines as an “ongoing activity.”

In 2002, FISMA referred to the “monitoring, testing and evaluation of information security controls.” NIST’s guidelines for certifying systems under FISMA, outlined in SP 800-37, established continuous monitoring as the fourth phase of a four-step certification and accreditation process.

Technology for continuous monitoring followed. In 2008, OMB mandated the use of Security Content Automation Protocol tools for verifying that Microsoft Windows-based systems followed the security configurations established in the Federal Desktop Core Configuration. “Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring,” the OMB guidance states.

The current wave of continuous monitoring began with the publication of the Consensus Audit Guidelines (CAG) in 2009. They outline 20 cybersecurity practices and provide agencies and contractors with a short list of security controls. The goal was to focus on a few critical controls and monitor them continuously via automated tools.

Industry executives say CAG established the groundwork for CDM, now the focal point for continuous monitoring activities at civilian agencies. “If you look at CDM, it has a heavy basis in what was

Next steps

• CDM’s second phase. Phase 1 of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program is well underway, and the remaining task orders are expected to be released in the next 12 months. In May, the 17 companies that hold blanket purchase agreements under the General Services Administration’s CDM Program Tools and Continuous Monitoring as a Service contract vehicle submitted responses to a request for information that will be used to help GSA and DHS develop a set of detailed tool requirements for Phase 2.

• Defense initiatives. The Defense Department is pursuing its own continuous monitoring activities apart from DHS’ CDM program. Rob Roy, federal chief technology officer in HP’s Enterprise Security Products division, pointed to the Defense Information Systems Agency’s joint regional security stacks as one example. He said JRSS includes a continuous monitoring concept as part of its security controls.

• Self-learning systems. Rick Roach, a senior vice president at Digital Management Inc., said his company is implementing tools and systems that are heuristic in nature. He said such tools are able to build an understanding of “normal” conditions as monitoring takes place. A learned understanding of acceptable conditions helps the system get better at identifying and responding to abnormal conditions and threats, Roach added.

• Built-in security. Although continuous monitoring seeks to ensure that systems stay secure, the National Institute of Standards and Technology is pursuing a process for building security into systems from the beginning. Earlier this year, the agency released the initial public draft of Special Publication 800-160, which describes a systems security engineering process that establishes a “build-it-right” approach to software development, said Ron Ross, a NIST fellow. The agency expects to release the second draft of its engineering guidelines around February 2015. — John Moore