Complexity and Confusion: The Reality of Continuous Monitoring

Admittedly, when planning our survey on the OMB’s directive for all federal agencies to implement continuous monitoring of network security by the end of fiscal 2012, we expected to hear some mixed reviews and differing levels of preparedness.

Yet, as much as we expected to hear from attendees at the GFirst conference in September that there was still a good deal of confusion about the specifics and timing of their continuous monitoring plans, the results that came back – less than half of all agencies said they feel confident they’ll be able to make the cutoff date – opened some eyes all around.

As our government advisor Major General John Casciano (USAF-Ret.) has been saying for years, the various agencies’ and practitioners’ perceptions of what adopting continuous monitoring actually entails are all over the map, so that part came as no surprise.

But the fact that none of the four technologies we included in the survey emerged as a leading model (not even two of them) really made us shake our heads in wonder. (For the record, 51 percent of respondents labeled IDS/IPS as part of their projects, followed by SIEM at 49 percent, network device audit at 43 percent and vulnerability assessment tools at 35 percent – respondents could obviously choose more than one option.)

Clearly, government IT security pros are not only discouraged about their ability to get continuous monitoring in place ahead of the White House deadline, but they’re not even sure what they need to do. They still don’t feel comfortable with the specifics of what the OMB regulators are expecting of them.

Considering that the Obama administration cited improvement of cyber-security as a primary objective, and that former Fed CIO Vivek Kundra, along with cyber-czar Howard Schmidt, listed continuous monitoring as one of the most important programs for making progress, the replies suggest that those objectives are truly falling short.

To be fair, continuous monitoring is by nature pretty complex, with NIST calling for agencies both to monitor for suspicious traffic on their networks and to deploy far more proactive and comprehensive means of assessing exposed vulnerabilities and other underlying points of risk.

However, I doubt anyone would have guessed that the atmosphere around continuous monitoring is so completely out of whack, assuming our results are representative of the larger community and not simply of the relatively small sample of 200-plus experts we reached.

Without getting too self-serving, we at RedSeal feel that the brand of intelligence we can provide regarding real-world network access and vulnerability exposure can help government agencies make continuous monitoring a reality, and a very valuable effort.

When In-Q-Tel invested in us earlier this year to help facilitate continuous monitoring in the U.S. intelligence community, we felt that was an endorsement that spoke for itself.

For all of us dependent on these hard-working government decision makers and practitioners to help keep our nation and its critical infrastructure safe, here’s hoping that 2012 proves a period of rapid acceleration of both understanding and deployment of continuous monitoring capabilities.

We all know, given both recent and historic events, that there are a heck of a lot of important matters at stake.

One Response to Complexity and Confusion: The Reality of Continuous Monitoring

  1. Pingback: Can You Trust Your Partners? Lessons from Symantec, PCI, and the Government. | RedSeal Networks Blog