Cummins looked at three federal agencies – the State Department, US Agency for International Development (USAID), and the Center for Medicare and Medicaid Services (CMS) – that were able to use continuous monitoring to reduce cybersecurity risk.
For example, the State Department was able to reduce risk by 89% in the first 12 months of its continuous monitoring program; USAID was able to raise its Federal Information Security Management Act (FISMA) grade from C– to A+ in five years; and CMS was able to reduce risk at 88 data centers by 80%.
The common elements of these programs were breadth of engagement, simplicity of result, context, and short-cycle time, Cummins explained in a presentation to the recent National Institute of Standards and Technology Security Automation Conference.
“All three of these organizations operated what we would characterize as a benchmark community in that they all had a pool of organizational components that were comparable to each other….Besides simply monitoring these components, they provided feedback to the mission- and program-level individuals”, Cummins told Infosecurity.
These agencies “engaged a community that had not been engaged previously. And they engaged them by grading them….If I were an ambassador, not only did I get a C, I knew what that meant in relation to my organization’s risk objectives and I also knew where I stood with respect to my peers”, she explained.
The feedback was provided on a monthly basis. This enabled the individual responsible for the agency component to take corrective action in a timely manner, she noted.
Cummins contrasted the continuous monitoring program to the yearly FISMA grade received by agencies. “If you get a bad grade, you think, ‘Well I can fix some of these things, but by the time they grade me again, it’s all going to have fallen apart, anyway’”, she mused.
Cummins explained that even with the FISMA CyberScope tool, agencies are not getting timely feedback. The CyberScope reporting tool was developed by the Obama administration to streamline federal agency compliance reporting under FISMA and provide monthly statistics.
“CyberScope has been a great step in the right direction in that it has created a clear-cut requirement for agencies to implement whereby they can report once a month….You get a monthly assessment [from the CyberScope tool] and you send the information off to OMB [Office of Management and Budget] or DHS [Department of Homeland Security] and at some point you will get these Cyberstats discussions….What you don’t get is continuous, systematic, monthly feedback to the people who actually have to do the work to reduce the risk”, Cummins said.
Continuous monitoring provides the chief security officer with a metrics language to describe security performance similar to the financial metrics that describes financial performance for the chief financial officer, she said.