According to GovInfoSecurity as well as several other publications, starting next month federal agencies will be required to implement continuous monitoring as part of their obligations under FISMA. At a minimum “continuous” is defined as monthly. All of their reported data needs to be fed into the CyberScope system. Oh and for training and consulting on how to meet this new requirement, agencies are must attend CyberStat sessions.
Just a things to ponder here…
- Given a minimum of monthly reporting being “continuous,” guess how often agencies will report. Daily? No. Weekly? Nope. Biweekly? Getting closer but still not there.
- Continuous monitoring is suppose to start next month … or like 10 days from now. Another reason for just monthly reporting (versus more frequent … or even real “continuous”)… Agencies can wait until the end of October to report and at least they’ll get 31 more days to prepare.
- So we are implementing a major shift going from yearly reporting to continuous monitoring… Is the government going to provide agencies additional budget to make this transition? If continuous monitoring ends up costing more than yearly reporting, do agencies get more funding?
- Finally, can we please stop overloading the term “cyber?” Cybersecurity, CyberScope, CyberStat, … I propose we dedicate one day a year where we aren’t allowed to mention those five characters.
Overall, I applaud this change as a move in the right direction however I also fear the government will not provide appropriate resources any time soon. And without such resources agencies will finagle the well intentioned requirement into something useless … similar to how we got into this mess in the first place.
Beginning next month, the White House will require federal agencies to report monthly, not annually as required by the Federal Information Security Management Act, on the state of the security of their information and information systems.
And, the Office of Management and Budget is telling agencies that monthly reports are the minimum, encouraging them to report significant changes in security status as soon as they become known.
To ease the new burden of more frequent reporting, agencies will cull security data from continuous monitoring systems being implemented throughout the government, feeding that information into an automated reporting tool known as CyberScope (see Automated FISMA Reporting Tool Unveiled).
Post photo is by Qualys.com.