NIST SP 800-137

When asked if they have you seen measurable reductions in your agency’s risk-based on continuous monitoring efforts to date, 49 percent of the respondents said no, 27 percent said yes, and 24 percent said they didn’t know.

“There is a real disconnect,” said Karen Cummins, nCircle’s director of federal markets. “We know that continuous monitoring can be extremely powerful in reducing risk,” from showcase examples such as the State and Health and Human Services departments. But what is being measured is agencies’ ability to generate a data stream to DHS rather than their use of the data. “We’re making sure everybody has a ruler. I found that shocking.”

DHS also works with agencies by going over the CyberScope reports in what are called CyberStat reviews. So far these have showed minimal impact, with most agencies reporting that they have not yet undergone a review or don’t know whether it has improved performance. When asked if participation in CyberStat review sessions improved your agency’s overall security performance, 32 percent said they hadn’t yet participated in a review and 54 percent said they didn’t know. Only 6 percent said review sessions had improved security, which was matched by the 6 percent that said the reviews had not.

Measuring compliance is not necessarily a bad thing, Cummins said. “You have to start somewhere.” The problem appears to be the specific format required. “That raised the bar in one way and took the focus off continuous monitoring and put it on the CyberScope feed.”

A more effective approach might have been to require the use of SCAP-validated tools and leaving the process more flexible, she said.

One favorable sign coming out of DHS is the shift away from the term “continuous monitoring” in favor of “continuous diagnostics and mitigation,” which puts more emphasis on using the data being gathered rather than merely reporting it.