From: Telos
By David Wilson
A year ago this month, DHS made it mandatory to use CyberScope to submit security data for FISMA reporting. Just two weeks ago, we passed another significant CyberScope milestone: the deadline for beginning monthly submissions. So I thought this would be a good time to take a look at three concerns I have about agencies’ security practices when compared with CyberScope reporting requirements.
First, CyberScope focuses on continuous monitoring, and its guidelines require reporting at the bureau and operating division level. Both of those are obviously good things. But they do mean that continuous monitoring initiatives must be implemented at those same organizational levels. Otherwise, the results received by DHS won’t accurately reflect the agency’s security posture from top to bottom.
Accomplishing this isn’t easy. It requires more than just instituting a generic continuous monitoring capability and then replicating at each bureau. Federal agencies are (for the most part) composed of largely disparate bureaus (or generically speaking, “business units”) that often don’t have comparable missions or structures. For example, the Bureau of Printing and Engraving and the IRS are both components of the Department of the Treasury, yet they have distinctly different missions.
This is an important consideration because continuous monitoring must include the relevant management, operational, and technical controls, which can be different for each bureau within an agency. The data generated and submitted to CyberScope needs to align with the systems at each level of the agency, as well as with the people and processes at each level of the agency.
(Another benefit to this level of reporting granularity is that it helps preserve the chain of command among the agency CIO, CISO, SAOPs, system owners and other personnel involved in cybersecurity. It gives each level of authority within the agency visibility into any issues under their purview, so the appropriate officials at each level can address the problems for which they’re responsible.)
Second, agencies must be vigilant against becoming complacent following their monthly CyberScope submission. They are still the responsible party for securing their systems. The transfer of data from an agency to DHS does not transfer any operational security responsibility.
In other words, DHS doesn’t require CyberScope feeds so that DHS can take action; DHS requires the data as evidence that the agency can monitor the security posture of their own assets. Which means that each bureau or office within the agency needs to implement its own scoring system, and those systems in toto need to reflect the agency’s organizational hierarchy and mission.
Third, when organizations implement continuous monitoring, they may need to re-visit or re-engineer some of their business processes to ensure their organization and their security architecture are truly in alignment. Agencies may discover that their current organizational structure and how they implement security controls aren’t aligned. Taking advantage of common controls across sub-organizations via an inheritance construct should be encouraged to reduce potential duplication of effort.
In sum, agencies should consider business unit mission and organizational alignment when implementing their continuous monitoring strategies and developing internal scoring metrics. Each operational system must continue to account for their unique security requirements. More importantly, CyberScope should not be used as a substitute for agency-specific implementations of risk scoring and management programs.