Interesting article, and we wish them luck, however they may have gotten the terms “vulnerability” and “threat” mixed up. They claim that we need to fix threats within 72 hours. Mmm? We’ve been trying to do that for decades … maybe even a few centuries. I doubt anything is going to happen within 72 hours of a discovered incident. Obviously, you really can’t fix threats, and we’re pretty sure they meant vulnerabilities or weaknesses.
Semantics aside … we see a few concerns with requiring this 72-hour turnaround. The primary goal of this new approach seems to be closing a loophole in the “continuous monitoring” doctrine. Yeah, agencies are continuously monitoring, however nothing said they have to fix anything. Thus this 72-hour rule came about. Really? To us it seems like common sense that “fixing” would be included in “monitoring.” And somehow this effort seems to have gotten all tied up with FedRAMP. Apparently having your data in the cloud requires faster fixing. True, but we think those same standards should apply to any publicly facing service, regardless of whether the data is hosted in your DMZ or on a cloud server. Our final concern comes down to money. Often higher-up authorities mandate some policy but then don’t provide any supporting funding or other resources. Although this 72-hour rule wouldn’t be mandated according to initial discussions, we all know what happens to “guidelines.”
The Homeland Security Department later this month will present to federal computer contractors and remote cloud suppliers standards for finding and fixing cyber threats within 72 hours, DHS officials announced on Thursday.
The new approach aims to resolve what some cybersecurity specialists view as a flaw with the principle of automated “continuous monitoring” that the White House called for in 2010. Real-time tracking of potential network threats is intended to identify weaknesses faster and more economically than the old policy of manually reporting on computer inventories and incidents once a year. But spotting all the risks to personal computers and Internet connections in an organization does not make data any safer, critics note. Fixing them quickly does.
Resolving identified weaknesses rapidly is the goal of the new procedures and, according to some government advisers, agencies could eventually be required to adopt them. “We’re initiating the discussion and we are asking for comment,” DHS National Cybersecurity Division Director John Streufert told Nextgov on Thursday.
DHS’s decision to augment “continuous monitoring” with “continuous fixing” seems to be a proactive choice. What do you think? Post your comments below. Today’s post pic is from Signs-of-a-cheater.com.