GAO: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain

Editor’s Note: In the attached report, GAO discusses the State Department’s work in developing its iPost risk scoring system. GAO correctly recognized that State is at the “forefront of federal efforts in developing and implementing a continuous monitoring” capability.

It is important to note that the Department did not concur with all of GAO’s criticisms, particularly those concerning various paperwork compliance issues. For example, the report stated that “State did not concur with our recommendation for incorporating the results of iPost’s monitoring of controls into key security documents” and that “the department did not concur with our recommendation to document existing controls intended to ensure the timeliness, accuracy, and completeness of iPost data because it stated that it regularly evaluates iPost data in these areas and stated that further documentation was of questionable value.”

The concerns that GAO raises with respect to State’s continuous monitoring system should not obscure two points: 1) State’s leadership in federal continuous monitoring; and 2) that continuous monitoring efforts will play an increasingly crucial role in federal cybersecurity. It should further be noted that NASA, also a federal leader in continuous monitoring, has developed its own continuous monitoring risk scoring system based on work by State as well as by the agency’s Jet Propulsion Laboratory (JPL).

GAO Report–Continuous Monitoring


5 responses to “GAO: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain”

  1. Anonymous says:

    The report was watered down to address the questions asked by Congress and was not able to present the findings on the lack of life cycle management development of a product being pushed out. The report did not say that the process included contractors scrubbing data between the collection systems, dropping non-Windows findings, or how it’s a numbers game to make management feel good about security without looking at the things that could hurt the agency.

    Reading between the lines tells me that the users like it because the dashboard looks good, but the backend has problems: not collecting all relevant data, not applying risk to the calculations, and not computing scores which reflect a true view of the protection profile of the IT environment. A Potemkin village.
