CyberScope and Continuous Monitoring: Looking Ahead

From: Telos

By David Wilson
A year ago this month, DHS made it mandatory to use CyberScope to submit security data for FISMA reporting.  Just two weeks ago, we passed another significant CyberScope milestone: the deadline for beginning monthly submissions.  So I thought this would be a good time to take a look at three concerns I have about agencies’ security practices when compared with CyberScope reporting requirements.
First, CyberScope focuses on continuous monitoring, and its guidelines require reporting at the bureau and operating division level.  Both of those are obviously good things.  But they do mean that continuous monitoring initiatives must be implemented at those same organizational levels.  Otherwise, the results received by DHS won’t accurately reflect the agency’s security posture from top to bottom. 
Accomplishing this isn’t easy.  It requires more than just instituting a generic continuous monitoring capability and then replicating at each bureau.  Federal agencies are (for the most part) composed of largely disparate bureaus (or generically speaking, “business units”) that often don’t have comparable missions or structures.  For example, the Bureau of Printing and Engraving and the IRS are both components of the Department of the Treasury, yet they have distinctly different missions. 
This is an important consideration because continuous monitoring must include the relevant management, operational, and technical controls, which can be different for each bureau within an agency.  The data generated and submitted to CyberScope needs to align with the systems at each level of the agency, as well as with the people and processes at each level of the agency. 
(Another benefit to this level of reporting granularity is that it helps preserve the chain of command among the agency CIO, CISO, SAOPs, system owners and other personnel involved in cybersecurity.  It gives each level of authority within the agency visibility into any issues under their purview, so the appropriate officials at each level can address the problems for which they’re responsible.)
Second, agencies must be vigilant against becoming complacent following their monthly CyberScope submission. They are still the responsible party for securing their systems.  The transfer of data from an agency to DHS does not transfer any operational security responsibility. 
In other words, DHS doesn’t require CyberScope feeds so that DHS can take action; DHS requires the data as evidence that the agency can monitor the security posture of their own assets. Which means that each bureau or office within the agency needs to implement its own scoring system, and those systems in toto need to reflect the agency’s organizational hierarchy and mission.
Third, when organizations implement continuous monitoring, they may need to re-visit or re-engineer some of their business processes to ensure their organization and their security architecture are truly in alignment.  Agencies may discover that their current organizational structure and how they implement security controls aren’t aligned.  Taking advantage of common controls across sub-organizations via an inheritance construct should be encouraged to reduce potential duplication of effort.  
In sum, agencies should consider business unit mission and organizational alignment when implementing their continuous monitoring strategies and developing internal scoring metrics.  Each operational system must continue to account for its unique security requirements.  More importantly, CyberScope should not be used as a substitute for agency-specific implementations of risk scoring and management programs.


Situational Awareness Incident Response (SAIR) Tier III Project

The Department of Homeland Security has published a Request for Information (RFI) that requests industry feedback on existing Government product performance requirements involving the Situational Awareness Incident Response (SAIR) Tier III project. The objective of SAIR Tier III is to provide U.S. Government (USG) agencies the ability to assess, assure, monitor, and measure the security posture of their information technology (IT) assets in a timely manner (i.e., near-real time). This RFI provides an opportunity for respondents to submit their ideas and initiatives related to this request. Additionally, respondents will have the opportunity to comment on the draft product performance requirements for SAIR III listed on Attachment 2.


Protecting the mobile environment

From: 1500AM

In the VA, there are a reported 100,000 mobile devices.

Marketing analysts are predicting 55 million tablets being sold this year.

The concept of “Bring Your Own Device” (BYOD) is beginning to plague federal IT professionals whose job is to maintain a safe and secure environment.

On today’s show, Tom Kellerman, the CTO at Air Patrol Corporation, shares with listeners his thoughts on wireless situation awareness, managing the mobile risk, as well as continuous monitoring.

Protecting the mobile environment means more than guarding against theft, sniffing, malicious code, and direct attack.


Cyber opportunities are hot in 2012

From: Washington Technology

By Chris Wilkinson

The 2012 Federal IT budget request is $80.9 billion, with most federal IT spending requests slightly ahead of 2011 levels. Priorities include telework and mobile computing as well as cloud computing and virtualization. Yet, according to a recent federal IT budget briefing covered in Washington Technology magazine at the end of October, significant risks are associated with mobile computing and cloud-based applications. For that reason, cyber security will continue to top federal IT technology spending trends.


Federal agencies reduce cybersecurity risk through continuous monitoring

Continuous monitoring helps federal agencies “dramatically reduce risk”, observed Keren Cummins, director of federal markets for nCircle.

Cummins looked at three federal agencies – the State Department, US Agency for International Development (USAID), and the Center for Medicare and Medicaid Services (CMS) – that were able to use continuous monitoring to reduce cybersecurity risk.

For example, the State Department was able to reduce risk by 89% in the first 12 months of its continuous monitoring program; USAID was able to raise its Federal Information Security Management Act (FISMA) grade from C– to A+ in five years; and CMS was able to reduce risk at 88 data centers by 80%.


Government’s Cloud Audit Program Falls Behind Schedule

From: ThreatPost

by Paul Roberts

In a speech on Wednesday, Federal Chief Information Officer Steven VanRoekel said that a federal plan for qualifying and providing security audits on private sector cloud providers will become mandatory for any agency that wanted to contract with third party cloud providers, according to a report on But even as the U.S. federal government forges ahead with plans to shift a quarter of its IT spending to cloud-based services, efforts to launch that program – the Federal Risk and Authorization Management Program (FedRAMP) – are falling way behind schedule, according to a GAO report.


Federal CIO says FedRAMP to be mandatory

From: GCN

By Rutrell Yasin

The Federal Risk and Authorization Program will eventually be a mandatory path as federal agencies move to the cloud, federal CIO Steve VanRoekel told a government and industry audience at the National Institute of Standards and Technology campus. And FedRAMP will help make agencies more secure in the cloud than they are today.

“FedRAMP in the very near future is really a starting point,” VanRoekel said during a speech at the NIST Cloud Computing Forum & Workshop IV in Gaithersburg, Md., Nov. 2.  “We envision FedRAMP as a living initiative,” VanRoekel said in the second speech he has given since taking the reins of the federal CIO office.