
Mar 02

“Shortcomings in Implementing Continuous Monitoring of IT Security”

Congressional testimony by the NASA Inspector General, attached below, discusses serious failings in agency security. Some key failings were directly tied by the IG to shortcomings in the agency’s continuous monitoring program.

The IG explained that the traditional FISMA approach to security did not reflect an organization’s actual security posture:

However, an agency’s FISMA grade has been found to be unrelated to whether its IT assets are adequately protected from attack. Thus, FISMA has, to a large extent, devolved into an expensive paperwork exercise that fails to accurately measure an organization’s IT security posture.

The IG explained that continuous monitoring is intended as a superior mechanism for understanding an organization’s IT security status:

the goal of this “continuous monitoring” initiative is to determine whether a system’s key IT security controls continue to be effective over time in light of system changes.

Despite the potential of continuous monitoring, the NASA IG found that the agency needs to take “significant steps” to upgrade its implementation of continuous monitoring.

We found that although NASA has made progress in transitioning to continuous monitoring, the Agency needs to take significant steps to ensure its successful implementation. Specifically, NASA needs to: (1) create and maintain a complete, up-to-date record of IT components connected to Agency networks; (2) define the security configuration baselines that are required for its system components and develop an effective means of assessing compliance with those baselines; and (3) use best practices for vulnerability management on all its IT systems. Only by making improvements in each of these areas can NASA ensure that its continuous monitoring will provide adequate protection for the Agency’s IT systems.

FINAL_written_statement_for_%20IT_%20hearing_February_26_edit_v2
