A majority of federal IT officials do not expect to meet OMB's September deadline for installing continuous monitoring systems, and top IT execs are most doubtful of all.
Fewer than half of agencies represented in a recent poll expect to meet the September deadline for using continuous monitoring to meet Federal Information Security Management Act reporting requirements, and C-level executives interviewed were more pessimistic about their prospects for success than rank-and-file administrators.
The findings reflect the complexity of bringing together information from disparate IT systems to provide the required situational awareness, said Mike Lloyd, chief technology officer of RedSeal Networks, which sponsored the survey.
“Everybody agrees that this is the right thing,” Lloyd said, with 64 percent of respondents saying that continuous monitoring and the security metrics it provides will improve IT security status. “This clearly is a technical problem.”
RedSeal interviewed 234 IT security professionals who attended the annual conference of Government Forum of Incident Response and Survey Teams held in Nashville in August. The results were released in December.
Lloyd said the technology exists to do continuous monitoring as required by the Office of Management and Budget, but few agencies have enough knowledge on their complete IT environments to deploy that technology effectively. Maintaining accurate inventories of IT systems and mapping them to the agencies’ missions to provide meaningful risk assessment have been challenges FISMA has faced since its enactment in 2002.
FISMA has been criticized as a meaningless paperwork exercise, initially enforced with requirements to assess security of IT systems every three years. But the requirements have shifted to a more real-time approach based on continuous monitoring of systems’ security postures. OMB in 2010 told agencies that FISMA reporting must be done through automated monitoring tools by Sept. 30.
The National Institute of Standards and Technology has produced guidance for the process and is developing the Security Content Automation Protocol, a set of standards for automated tools to help enable it.
Of those surveyed, 22 percent said they already had deployed continuous monitoring solutions, and altogether 45 percent said they expected to meet the deadline. When the results are broken down by role, however, 53 percent of security managers, administrators and auditors expected to meet the Sept. 30 deadline, while only 28 percent of CIOs and chief information security officers expected to.
This runs counter to the usual pattern in surveys, in which C-level executives have a rosier outlook about IT security, Lloyd said. “Confidence that they would meet the deadline was falling,” he said. “This is an interesting finding, not what a cynic might expect. People are struggling.”