One of the most successful (I did not say perfect) cybersecurity programs in the Federal Government is being run by the Department of State. That is because they have about as close to a continuous monitoring system as possible. They are an example for the rest of the government.
How has State done this? They have abandoned the periodic spot checking that most other agencies do as too little, too late. With that type of program, problems are only caught after the fact. Instead of doing that sort of after-the-fact checking of security practices, they receive multiple reports every day from both their CONUS operations and their worldwide posts. This is not easy, as the technology they use is not perfect. It also takes a hefty amount of manpower to make it work. The real key is what they do with the data they collect.
When a violation of security policy is found, it immediately gets reported and corrective action is taken. It is done essentially publicly, so a wide range of people (including the violator’s boss) know what has occurred. In an organization where one lives or dies professionally on their so-called “corridor reputation,” this is a powerful motivator for attentiveness to good security hygiene. As a result, many experts now credit State with setting the standard.
The Office of Management and Budget has noticed. They have announced that they will soon be mandating that everyone in the government go to continuous monitoring (CM). This is a huge step forward, and the right thing to do. It will draw tremendous pushback from many agencies. CM is hard; it is harder for big agencies (State is much smaller than DoD, DHS or HHS). Also, there are many agency-level security types who really have a bad case of “It was not invented here” syndrome. One hopes that the budgetary “power” of OMB, the security authority of DHS, and the subject matter expertise of Cyber Coordinator Howard Schmidt can combine to force the CM mandate to stick.
Please do not misunderstand me. I am not saying everyone should adopt the exact same system that State uses. There are numerous ways to put together a CM framework. None are perfect, and all require an integration of several technologies and a huge infusion of leadership effort. The argument will be made that “We cannot do it like State, because we’re different.” Fine, but please, let’s not throw out the baby with the bath water. Get busy, talk with industry, and have them build you a CM system that is as effective as they can make it. Then use the darn thing.
Every technology-related Request for Information and Request for Proposal should include CM (not just the big-picture cybersecurity ones). No one today has the silver bullet for cybersecurity in general, or even specifically for CM. Putting effective CM programs in place will help tremendously and will move us down the road in a positive direction of better protecting our networks. Make them as good as we can today, and then continue to strive to make them better.