In This Article
- Capability and budgets are not able to increase at the same rate as the complexity of the Risk Management Framework (RMF) and Continuous Monitoring.
- In 2019, Defense Counterintelligence Security Agency’s (DCSA) RMF process transitioned from The Office of the Designated Approving Authority’s (ODAA) Business Management System (OBMS) to the Enterprise Mission Assurance Support Service (eMASS), vastly increasing levels of effort for organizations trying to renew their Authorization to Operate (ATO).
- Use our questions and action items to help your compliance team move forward with an RMF Continuous Monitoring program or ATO renewal.
What Continuous Monitoring Is & Why We Do It
NIST SP 800-137 defines the Risk Management Framework’s sixth step, Continuous Monitoring, as an ongoing awareness of information security, vulnerabilities, and threats in order to facilitate risk-based decision making.
In other words, Continuous Monitoring requires organizations to identify their risks and then monitor, assess, and mitigate them on an ongoing, consistent basis. The intent behind this often complex process is to provide a robust process for near real-time risk management, creating a culture of proactive security that assumes data breaches are not just plausible — they’re inevitable.
Continuous Monitoring is a necessary part of a comprehensive cybersecurity program, and an integral part of the RMF and Assessment and Authorization (A&A) processes. It involves a variety of automated and manual activities, ranging in complexity and level of effort, along with an overarching management and documentation strategy to keep track of it all. To maintain your Authorization to Operate (ATO), expect to create a program that measures security control effectiveness, documents changes to your organization’s system or environment, conducts security impact analyses, and reports security posture to organization stakeholders.
Navigating the Challenges of RMF Continuous Monitoring
Technological advances have helped the Defense Industrial Base (DIB) reach new innovative heights, but they have also created more gaps for vulnerabilities and risks, and a culture of convenience and passiveness regarding cybersecurity. This has led to more frequent and more aggressive cyberattacks, and to a need for more stringent standards in compliance and industry requirements.
In 2019, DCSA transitioned its RMF processes from The Office of the Designated Approving Authority’s (ODAA) Business Management System (OBMS) to the Enterprise Mission Assurance Support Service (eMASS). The change requires organizations seeking an ATO or ATO renewal to undergo a different, more complex process to implement and provide Continuous Monitoring. Compliance deadlines tend to creep up, but a surprising number of organizations have been caught off guard when they realize they have to start from square one: unable to re-use the submission from their last renewal, they watch the deadline approach faster and more ferociously.
Continuous Monitoring, the final step of the RMF process, by its nature is ongoing and calls for several layers of frictionless oversight, observation, assessment, reporting, and mitigation.
Running these actions and processes seamlessly and constantly can, on the upper end, call for up to five or six full-time Information Systems Security Officers (ISSOs), when organizations may not have the time or budget for even one.
Determining Your Organization’s Continuous Monitoring Bandwidth
Before moving forward with ATO renewal and/or enhancing your Continuous Monitoring program, answer the following questions internally (or with the help of an accredited consultant) to determine your bandwidth for RMF Continuous Monitoring:
- Can we satisfy all of the compliance requirements while also carrying out Continuous Monitoring?
- Can we control the scope of work needed to continually assess our full catalog of security controls?
- How can we drive high levels of involvement with our executive stakeholders on risk-based decisions?
- Do we need to increase our personnel and budget?
What To Do If You’re Out of Bandwidth
The three main elements of Continuous Monitoring are ongoing assessments, reporting, and control authorization. In between, your ISSO(s) and the rest of your IT and compliance teams will need to address increased risks and sudden emergencies, such as broken processes, programs, or conflicting network issues. Should you need to put out a fire while lacking the bandwidth to do so, the results could be disastrous. At this point, it’s time to call for external help from a reputable consultant or cybersecurity firm.
We recommend trying to look at four elements of your Continuous Monitoring program simultaneously when discussing strategy with a consultant or firm:
- Don’t rely on Plans of Action & Milestones (POA&M) to figure out Continuous Monitoring management. (And don’t forget to include mitigation and incident response.)
All too often, compliance planning separates mitigation and incident response from the rest of the monitoring and reporting process. That leaves gaps in both budget and time. Instead, make sure to ask consultants and firms about patch management, and about running penetration tests and scenario exercises for incident response and contingency planning. Don’t forget about system backups, either.
- Ensure that you include training.
Training from a seasoned team of experts is an invaluable resource for in-house compliance and IT teams. Consultants and subject matter experts (SMEs) based out of longstanding firms have been doing this (and learning from their mistakes) for years, and they’ve seen every nightmare scenario under the sun. If you have an internal team, it is worth asking about reviews and training on the notoriously hard-to-handle SCAP (Security Content Automation Protocol), STIGs (Security Technical Implementation Guides), and documentation processes, if only to learn how to institutionalize repeatable, effective systems.
- Prioritize non-compliant items.
Non-compliance is the primary outcome organizations want to avoid with RMF Continuous Monitoring, along with the issues that arise from changes recent updates have imposed on your network and systems. In many cases, conflicts won’t become visible quickly or easily until processes start breaking. A quarterly on-site visit from a consultant or expert at a cybersecurity firm can give compliance and IT teams the ammunition they need to implement wider organizational changes for the better.
- Prioritize tasks by risk, but also by resource allotment.
Vulnerability scanning and account management review are two of the more mundane recommendations for a holistic cybersecurity plan. They require ample time, and organizations often have few internal resources to commit to them. If your organization finds these tasks unmanageable, ask about and research automated programs like SecureStrux’s free program PowerStrux, which can help organize and summarize masses of data to ensure quality and accuracy while easing the burden on your internal team.