The Homeland Security Department has released new information security guidance that, for the first time, requires agencies to report on progress installing tools that continuously monitor threats to computer networks.
Agencies are required each year to document their compliance with technology safeguards laid out in the 2002 Federal Information Security Management Act. Last summer, Homeland Security assumed responsibility for overseeing adherence to FISMA reporting requirements, a role that the Office of Management and Budget had previously performed.
Critics contend that FISMA compels managers to spend too much time completing meaningless checklists at the expense of more critical security-related tasks, and Congress is likely to overhaul the law as part of comprehensive cybersecurity legislation later this year. To address some of the complaints, last year’s FISMA guidance called for chief information officers to begin automating near real-time surveillance of controls so that annual reporting will be easier and represent more than a once-a-year snapshot. Eventually, agencies are to achieve continuous monitoring by installing software and sensors that constantly track the most important security indicators.
The June 1 DHS memo to CIOs builds off the 2010 guidance that mandated agencies begin the transition to continuous monitoring by reporting monthly on a few security indicators, such as changes in the number of network connections and laptop inventories.
Alan Paller, an information security consultant and SANS Institute research director, who posted the new guidelines online Friday afternoon, said the Obama administration’s approach may allow the government to lead by example in the area of continuous monitoring.