Airmen at Nellis Air Force Base, Nev., monitor the base's computer network. Some agencies are falling short of the goal of continuously monitoring networks and hardware. (Air Force)
Agencies are under White House orders to continuously monitor and fix security risks on their computer systems and networks.
Specifically, by October 2014, they should be using automated software to monitor 95 percent of the devices operating on their networks to know whether they are secure. Those automated security scans should take place about every 72 hours.
Yet half of the government’s largest agencies, including the Environmental Protection Agency and Transportation Department, are falling short, according to the latest data.
A 2012 report on Performance.gov noted that continuous monitoring scores dropped for several agencies as they discovered new hardware assets operating on their networks. “Though this represents a decrease in the continuing monitoring compliance score, this represents a positive move to improve their overall security posture,” the report said.
The challenge for agencies, however, is not only meeting the goals but sustaining progress.
“Part of continuous monitoring is continuous sustainment,” said Andrew Rikarts, who oversees the Veterans Affairs Department’s effort. VA has an enormous network infrastructure to monitor: 750,000 network devices, such as servers and computers, and 50,000 medical devices. VA is one of a handful of agencies that boast continuous monitoring of all known hardware assets and devices connected to their networks.
At VA, managers have access to a dashboard that shows the department’s cybersecurity performance.
“The dashboard is open to all authenticated VA users on the intranet so that anyone in the organization can see how the IT organization is performing, and that means peers see how they are performing against each other and can adjust their efforts accordingly,” Rikarts said. “The simple visualization of compliance information is a great motivator for progress.”
Agencies are required to self-report quarterly and annually their ability to:
• Automatically scan and detect computers, servers and other hardware assets connected to their networks.
• Detect if software on those devices is properly configured to meet agency security standards.
• Detect other security vulnerabilities on all hardware connected to the network.
But agencies’ reports on their continuous monitoring progress are only a snapshot of their security at a given point in time.
For example, in fiscal 2011, VA reported that it could detect software flaws on all devices and hardware connected to its network. The most recent data released last fall shows VA no longer has that capability.
John Streufert, director of the Department of Homeland Security’s National Cyber Security Division, has stressed the importance of agencies using continuous monitoring as a means to assess security risks and fix the most serious vulnerabilities first.
Past attempts to measure agencies’ cybersecurity have pitted auditors against security officers, who say auditors are more focused on meeting compliance mandates than on improving outcomes. But it seems the administration is trying to balance the need to implement continuous monitoring with the results agencies are achieving.