Continuous Monitoring

Continuous monitoring is about keeping an ongoing watch on how well your security controls are doing their job. NIST introduced this idea back in 2004 when they were also evangelizing about the Authorization process, then known as Certification and Accreditation (or C&A). By law (FISMA), NIST supplies federal organizations with security guidance, which can be mandatory or discretionary and flexible. C&A (now known as Authorization) is one of the mandatory pieces, requiring federal organizations to completely assess their security functionality every three years. It took most government organizations a lot of time and effort to get this process up and running, so at first, they tended to think of it as a massive project that reached a crescendo every three years, then faded into the background until the next rising, three years later. NIST wanted them to understand that security must be done in an ongoing fashion and created the “continuous monitoring” process.

Continuous monitoring preaches that only through a constantly ongoing assessment of the effectiveness of security controls can you reach a dynamic understanding of how well your security is working. This dynamic, as-close-to-real-time-as-possible view of your security status is what you need to make good decisions about handling risk and to back them up with documentation. When continuous monitoring is done correctly, it should also make the Authorization (C&A) process less onerous, less costly and more effective.

WHICH CONTROLS SHOULD BE MONITORED?
NIST tells us that we should monitor the controls that are most important, the controls that are most “volatile” (those that change often), and POAM items (already identified weaknesses). It also makes sense to monitor controls that involve monitoring and controls that are already being closely monitored. Some controls are, by their design, already being continuously monitored, and all that is needed is good documentation and reporting.

Most important controls: when computer security was just beginning, some of the first protections were perimeter protection (firewalls), malware protection (anti-virus), security updates (patch management), access control (logins) and configuration management (inventory, configuration settings, change control…). These remain of primary importance and should be counted among your important controls.

Controls that change often: malware protection sits on a highly fluid foundation of changing threats and constantly updated methods of detecting them; vulnerability scanning and patch management are different versions of the same process and also change constantly. Information flow and system interconnections deal with areas that are fluid and may require constant tweaking. Configuration baselines should be fairly static, but current configuration settings may be constantly changing.

POAM items: these mostly represent security control failures. Security control CA-5 “PLAN OF ACTION AND MILESTONES” requires plans for remediation of weaknesses to be tracked, and this becomes a “key document” in the Authorization (C&A) process. Since open POAMs may represent a vulnerability, they should be closely watched, and any temporary compensating measures should also be monitored. As a POAM item is fixed and closed, the change may need to pass through change control and impact analysis, and a new assessment may be required.

Controls that involve monitoring: network and system monitoring, audit record monitoring and analysis, incident monitoring, POAMs, change control monitoring, inventory monitoring, access control monitoring, and information disclosure monitoring are some of the monitoring controls to consider.

Controls that are already being closely monitored: patch management, malware protection, vulnerability assessment, network and system monitoring, and POAMs. These controls are often monitored closely and may simply need documentation and reporting to plug them into the Authorization process.

As you go through the list of security controls, looking for good candidates to monitor, you’ll notice the same controls coming up over and over again under different categories. Some of these include: patch management (SI-2), network and system monitoring (SI-4), malware protection (SI-3), and several configuration management controls (inventory CM-8, configuration settings CM-6, change control CM-3, impact analysis CM-4).

ALL controls are important and must be monitored in some fashion, but some controls are more important than others and need to be monitored at different levels and with different frequency. Define the importance level of each control for your organization and determine what monitoring frequency is needed.
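One way to turn the selection criteria above into a working control register, as an added example that is not from the article or from NIST: each control is scored against the five categories (important, volatile, open POAM, monitoring control, already monitored), an assumed review interval is derived from those hits, controls that keep recurring across categories are flagged, and controls whose last assessment is older than their interval are listed. The control IDs are the ones the article names; the attribute values, dates and interval policy are illustrative assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Control:
    cid: str                          # NIST SP 800-53 control identifier
    name: str
    important: bool = False           # rated "most important" by the organization
    volatile: bool = False            # changes often
    open_poam: bool = False           # has an open POAM weakness
    monitoring_control: bool = False  # the control itself performs monitoring
    already_monitored: bool = False   # watched closely already; needs documenting
    last_assessed: Optional[date] = None

CATEGORIES = ("important", "volatile", "open_poam", "monitoring_control", "already_monitored")

def categories(c: Control) -> list:
    """Selection categories from the article that this control falls under."""
    return [k for k in CATEGORIES if getattr(c, k)]

def review_interval(c: Control) -> timedelta:
    """Assumed policy: open POAMs weekly, volatile/monitoring monthly, important quarterly, rest yearly."""
    if c.open_poam:
        return timedelta(days=7)
    if c.volatile or c.monitoring_control:
        return timedelta(days=30)
    if c.important:
        return timedelta(days=90)
    return timedelta(days=365)

def overdue(controls, today: date) -> list:
    """Controls whose last assessment is older than their interval; never assessed counts as overdue."""
    return [c.cid for c in controls
            if c.last_assessed is None or today - c.last_assessed > review_interval(c)]

def recurring(controls, min_hits: int = 3) -> list:
    """Controls that keep coming up under several selection categories."""
    return [c.cid for c in controls if len(categories(c)) >= min_hits]

# Constructed sample register; attribute values and dates are illustrative assumptions.
REGISTER = [
    Control("SI-2", "Flaw remediation (patching)", important=True, volatile=True, already_monitored=True, last_assessed=date(2010, 1, 10)),
    Control("SI-4", "System monitoring", important=True, monitoring_control=True, already_monitored=True, last_assessed=date(2010, 2, 20)),
    Control("CM-6", "Configuration settings", important=True, volatile=True, last_assessed=date(2009, 9, 1)),
    Control("CA-5", "Plan of action and milestones", open_poam=True, monitoring_control=True, last_assessed=date(2010, 2, 25)),
    Control("PE-3", "Physical access control", last_assessed=date(2009, 6, 1)),
]
```

Running `overdue(REGISTER, date(2010, 3, 1))` against this register returns SI-2 and CM-6, and `recurring(REGISTER)` returns SI-2 and SI-4, the controls that appear under three categories at once.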

REPORTING
Ensure that the dynamic scope of continuous monitoring is preserved and not lost in the documenting and reporting component. Feedback obtained from continuous monitoring should be fed into the Authorization process. Key documents should be updated more frequently; this mainly means the Security Plan, the Security Assessment Report and the POAM, but can include other documents as well. The reporting frequency should be specified and documented as a requirement.

SUMMARY
Using continuous monitoring to create a dynamic view of the security status of the system enables better risk decisions and makes them more credible by backing them up with good documentation. This requires ongoing assessment of security controls throughout the SDLC framework. The Authorization process can be made more consistent and more cost effective. Many of these controls are already being monitored anyway, but may not be documented correctly. Document them and use the results.

SEE ALSO:
Security Plans
Patch and Vulnerability Management
Authorization

NIST SP 800 DOCS:
POAMs
NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

NIST SP 800-53 Recommended Security Controls for Federal Information Systems and Organizations
NIST SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
NIST SP 800-100 Information Security Handbook: A Guide for Managers
NIST SP 800-39 DRAFT Managing Risk from Information Systems: An Organizational Perspective
