The E-Government Act of 2002 was a turning point in US federal government cybersecurity. Recognizing the increasing importance of information security to the economy and national security, the Act established new security compliance requirements through Title III, the Federal Information Security Management Act, or FISMA.
FISMA directed the National Institute of Standards and Technology (NIST) to develop a security control framework that would become the foundation of those new compliance requirements. It also mandated federal agencies to develop, document, and implement programs to comply with these new requirements.
FISMA was certainly well-intentioned. It sought to protect the confidentiality, integrity, and availability of government systems and data – and more importantly, to hold agencies accountable for doing so. NIST published the new, comprehensive security control framework, labeled NIST Special Publication 800-53, that provided an extensive to-do list for compliance. With FISMA, a rigorous security compliance program for the federal government truly arrived.
But there was a problem. As Cisco’s Steve Caimi explained, “Simply put, the burden was too great. Facing budget challenges and staff shortages, many federal agencies struggled. They simply didn’t have the resources to implement all of the security requirements, and compiling compliance reports was very labor-intensive and time-consuming. Worse, by the time those reports were completed, they were already out of date. Something had to be done.”
The Office of Management and Budget (OMB) acted in 2012. In accordance with the Government Performance and Results Modernization Act, it identified information security continuous monitoring (ISCM) as one of the key Cross-Agency Priority, or CAP, goals. NIST had already defined that concept as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”
That methodology enables continuous compliance through automated assessments and, perhaps more importantly, prompts faster action before vulnerabilities can be exploited. It’s about managing cyber risks effectively, which is why ISCM is an important component of the NIST Risk Management Framework.
To help federal agencies meet their continuous monitoring goals, and to overcome the ever-present staffing and budget challenges, DHS established the Continuous Diagnostic and Mitigation, or CDM, Program to actually provide the necessary capabilities – rather than relying on agencies to procure them on their own as in the past. According to DHS, the program enhances government security because it:
- Provides services to implement sensors and dashboards
- Delivers near-real-time results
- Prioritizes the worst problems within minutes, versus quarterly or annually
- Enables defenders to identify and mitigate flaws at network speed
- Lowers operational risk and exploitation of government IT systems and networks