Continuous Monitoring
The Virtustream Security Solutions ComplyVision™ solution has been designed to guide agency C&A teams through a structured methodology that strictly follows the NIST/DOD/ICD standards and helps meet the requirements of Continuous Monitoring. It also helps C&A teams prepare the initial and subsequent updates to C&A packages, complete with the documentation needed to obtain and maintain the Authorization to Operate (ATO).
The Federal Information Security Management Act (FISMA) of 2002 mandates each federal agency to implement a comprehensive information security program for its systems. The security programs mandated by FISMA are intended to identify and quantify threats to assets based on risk analysis. The risk-based approach mandated by FIPS 199 categorizes each system based on the key attributes of Confidentiality, Integrity and Availability. The security controls implemented on the assets are then evaluated based on the NIST 800-53 standards or DODI 8500.2 for DIACAP.
The Office of Management and Budget (OMB) has mandated new security reporting requirements that demonstrate compliance, while emphasizing risk-based compliance analysis through continuous monitoring. These requirements apply to an agency's existing systems as well as to new systems it procures.
The biggest challenge for agencies today is to understand what conducting 'Continuous Compliance Monitoring' truly means and what it fully entails. In this paper we review each of these aspects of Continuous Monitoring and provide solutions for accomplishing it using automation tools and techniques in the context of the NIST 800-37 Rev.1 Risk Management Framework.
NIST SP 800-37 Rev.1 - Risk Management Framework (RMF)
NIST 800-37 Rev.1 (Chapter 3, p. 36) says: "Organizations may choose to eliminate the authorization termination date, if the continuous monitoring program is sufficiently robust to provide the authorizing official with the needed information to conduct ongoing risk determination and risk acceptance activities with regard to the security state of the information system and the ongoing effectiveness of security controls employed within and inherited by the system." Organizations must still maintain formal authorizations and acceptance of risk, but they may leverage the results of continuous monitoring assessments to support the ongoing authorization to operate (ATO).
The initial ATO and ongoing Continuous Monitoring are required for newly procured systems as well as for the continued operation of existing systems. Continuous Monitoring encompasses monitoring changes to system asset components, collecting situational awareness data from those assets, conducting ports and protocols analysis using vulnerability analysis tools, and keeping the system's Plan of Action and Milestones (POA&M) updated. It also includes policy monitoring and the documentation updates needed for annual or significant-change re-certifications.
ComplyVision Solution for Continuous Monitoring
The ComplyVision solution allows agencies to meet the key requirements of Continuous Monitoring including:
- Change and Configuration Management of Assets
- Monitoring of Security Controls using Automated Tools
- Documentation Updates and Reporting
The ComplyVision solution for Security Authorization enables agencies to meet the regulatory requirements of C&A automation and Continuous Monitoring (CM). The solution addresses the requirements of stand-alone, cloud-based, and hybrid systems.
For additional information and free initial consultation please contact us.