After a great deal of debate and delay, the Federal Information Security Management Act (FISMA) finally saw a substantive update in December 2014. For federal agencies and the businesses that contract with them, this means a considerable shift in the way FISMA compliance is reported – and more specifically, the way organizations monitor their own security.
Many agencies and businesses may not fully understand the changes, or may not be prepared to implement them. In addition, many of the changes haven’t been fully defined by the government yet. So what do FISMA’s requirements mean for these groups, and how can they use continuous monitoring to support robust FISMA compliance?
Previously, FISMA reporting consisted of extensive documentation, and the problems with this approach were many.
It took a great deal of time and effort to compile the reporting packages. Few organizations truly believed that their documentation would be reviewed. But the biggest problem was more fundamental: these documents were ineffective in promoting the security of agencies and businesses, because they only looked backward.
Even if FISMA compliance reporting revealed a security vulnerability, it was likely to be too late – and the security landscape was likely to have changed in the meantime. This backward-looking documentation spoke only to a single moment in time. In order to truly improve security controls, organizations needed to better understand their ongoing security realities.
For this reason, FISMA has been updated to replace the old onerous documentation process with a continuous monitoring approach. This way, agencies and businesses will monitor and assess key performance indicators (or KPIs) on an ongoing basis. The KPIs will function as the metrics of an organization’s security success, making FISMA reporting a much more accurate and automated process.
Now, FISMA compliance is a matter of real-time data, and it should be much more meaningful for covered organizations. But there are steps which every business and agency should take to ensure that their continuous monitoring is as effective as possible.
A proactive approach
While any degree of continuous monitoring is a major step beyond the old moment-in-time approach, simple reporting is rarely enough to support a robust security apparatus.
Reporting, even in real-time, is still reactive – it doesn’t engage substantively with your processes, and more importantly, it doesn’t influence them. While you might find bugs or technical vulnerabilities based on simple reporting, you might not find the deeper problems: the ones rooted in processes and behaviors.
That’s why it’s important to incorporate continuous validation and testing of your processes. You might select a process such as a change management ticket and ensure that proper protocol is followed at every step. As you examine your processes, make sure that you take a proactive approach, assessing whether they are truly optimized and in alignment with your needs or if they might have become institutionalized out of habit.
As the cybersecurity discipline evolves, many practitioners have adopted implementation models based on the idea of “maturity.” While there are many strong models out there, one of the most widely respected in the federal space is the Software Engineering Institute of Carnegie Mellon University’s Capability Maturity Model (CMM).
The CMM is designed to help organizations cultivate more complex and robust cybersecurity infrastructures, going beyond reporting to achieve a fuller and more forward-looking security focus. Once again, it’s about being proactive, not reactive. An organization shouldn’t be constantly defending against attacks, but preventing and disabling threat vectors from the start by taking a mature approach to its processes.
What does maturity look like? In short, it is an organization-wide, unified program that drives its own improvement through self-reporting and analysis. In the CMM, organizations move through five stages of maturity:
Level 1: Initial – You have basic security controls in place, but you have not prioritized self-assessment and your control implementation may not be consistent.
Level 2: Repeatable – You have simple yet consistently executed security processes in place, which are likely to hold up in the event of a crisis.
Level 3: Defined – Your processes have achieved greater standardization through increased resources ands training.
Level 4: Managed – You have instituted process metrics and self-assessment methodologies to help your security infrastructure adapt while simultaneously running and reacting smoothly.
Level 5: Optimizing – At this stage of maturity, you have a strong security and self-assessment program in place, and you are continuously working toward an optimized security infrastructure across your organization.
Working through these levels of maturity requires resources and commitment. But it will also help you clarify your processes and build a security infrastructure that not only supports FISMA compliance, but helps improves your organization’s efficiency and security for years to come.