Author: Baan Alsinawi, CISSP, CCSP, CISM, CGEIT, CASP+ ce, and Managing Director at CISO Global
Validating the security of your organization’s sensitive information at a single point in time with an annual risk assessment can be helpful, but what about the other 364 days of the year? If you have a cloud application and hope to sell your services to federal agencies, point-in-time assessments won’t be enough. The Federal Risk and Authorization Program (FedRAMP) compliance framework requires all cloud service providers (CSPs) who contract with federal government agencies to perform what is called continuous monitoring. Does it seem a bit extreme or unattainable? It’s not as time-consuming as it sounds, and it has six great benefits for any organization seeking to be secure.
What is Continuous Monitoring?
To explain continuous monitoring, also called ConMon, FedRAMP documentation leans on the National Institute of Standards and Technology (NIST). NIST has long been recognized as a compliance framework leader for its efforts to aggregate the dozens of disparate information security frameworks with which many organizations must comply, distilling them into a single document that aims to meet the highest standards across all. NIST SP 800-37, Revision 1 describes continuous monitoring simply as an “ongoing assessment of security controls.”
NIST also covers how one would go about achieving continuous monitoring with an outline of steps:
1 – Define your approach to establishing clear visibility into your assets, becoming aware of vulnerabilities, and ensuring that the threat information you gather is current.
2 – Establish processes and procedures for assessing security controls, along with key metrics and the frequency with which you will perform assessments. These assessments should measure the security status of your organization, detect and track changes in your environment and data system infrastructure, and clearly measure the effectiveness of each of the security controls you have in place.
3 – Implement a continuous monitoring program to gather the data defined above and report findings. These processes should be as automated as possible, from the collection stage through analysis and reporting.
4 – Analyze all data and report findings alongside recommendations for next steps, investigating more deeply where needed to understand the initial monitoring data.
5 – Respond to analyses by taking steps to mitigate all identified risks across people, processes, and technologies, including operational vulnerabilities.
6 – Review and update your monitoring program to continuously improve the initial strategy, build on lessons learned at each step, and prove your organization’s ability to mature its ConMon program over time. Key indicators considered when evaluating how well you are following an approach of continuous improvement include whether you are enhancing your data-based decision-making, whether you are gaining more visibility over time, and the agility with which you implement improvements.
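To make the implement, analyze and report steps concrete, here is an added example that is not part of the article and not FedRAMP or NIST tooling: a small Python routine that ingests two vulnerability scan exports (constructed CSV, with made-up asset names and check identifiers), detects change between them (new and resolved findings), counts open findings by severity, and flags findings whose remediation window has elapsed. The remediation windows are configurable thresholds chosen for the example; substitute the deadlines your authorizing official requires.

```python
"""ConMon metrics over vulnerability scan exports (constructed sample data)."""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows in days, keyed by severity. These are example
# thresholds, not values from the article; configure them per your program.
REMEDIATION_WINDOW_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    check_id: str       # the scanner's check identifier (constructed values below)
    severity: str
    first_seen: date    # date the finding was first observed

    @property
    def key(self):
        # A finding keeps its identity across scans: same check on the same asset.
        return (self.asset, self.check_id)

    def deadline(self):
        return self.first_seen + timedelta(days=REMEDIATION_WINDOW_DAYS[self.severity])


def parse_scan(csv_text):
    """Parse a scanner export (CSV with asset,check_id,severity,first_seen)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        severity = row["severity"].strip().lower()
        if severity not in REMEDIATION_WINDOW_DAYS:
            # Fail loudly: an unmapped severity would silently escape tracking.
            raise ValueError(f"unknown severity {row['severity']!r} on {row['asset']}")
        findings.append(Finding(row["asset"].strip(), row["check_id"].strip(),
                                severity, date.fromisoformat(row["first_seen"])))
    return findings


def diff_scans(previous, current):
    """Detect change between two scans: keys newly seen and keys no longer present."""
    prev_keys = {f.key for f in previous}
    cur_keys = {f.key for f in current}
    return sorted(cur_keys - prev_keys), sorted(prev_keys - cur_keys)


def overdue_findings(findings, as_of):
    """Open findings whose remediation deadline has passed as of the given date."""
    return sorted((f for f in findings if f.deadline() < as_of), key=lambda f: f.deadline())


def conmon_summary(previous, current, as_of):
    """Metrics a monthly ConMon report would carry: counts, change, and aging."""
    new, resolved = diff_scans(previous, current)
    return {
        "as_of": as_of.isoformat(),
        "open_by_severity": dict(Counter(f.severity for f in current)),
        "new": new,
        "resolved": resolved,
        # (asset, check, severity, days past deadline) for every overdue finding
        "overdue": [(f.asset, f.check_id, f.severity, (as_of - f.deadline()).days)
                    for f in overdue_findings(current, as_of)],
    }


# Constructed sample exports: last month's scan and this month's scan.
PREVIOUS_SCAN = """asset,check_id,severity,first_seen
web-01,CHK-1001,high,2024-01-05
web-01,CHK-2044,low,2023-12-01
db-01,CHK-3310,moderate,2023-12-10
"""
CURRENT_SCAN = """asset,check_id,severity,first_seen
web-01,CHK-2044,low,2023-12-01
db-01,CHK-3310,moderate,2023-12-10
api-02,CHK-4180,high,2024-03-02
"""
AS_OF = date(2024, 3, 15)

if __name__ == "__main__":
    report = conmon_summary(parse_scan(PREVIOUS_SCAN), parse_scan(CURRENT_SCAN), AS_OF)
    for field, value in report.items():
        print(f"{field}: {value}")
```

Run on the sample data, the summary shows one new finding on api-02, the high on web-01 resolved, and the moderate on db-01 six days past its window; feeding the previous month's export plus the current one into a job like this each cycle is the automation the NIST outline calls for.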
Benefits for Any Organization Implementing Continuous Monitoring
Continuous monitoring isn’t just for FedRAMP authorization. It’s a healthy approach to cybersecurity and can help you close gaps now, which improves your chances of preventing a costly cyber attack. So, if you are seeking FedRAMP authorization, you should know that while it may be a heavy lift up front, your ROI is significant from a security perspective.
- ConMon Helps You Mitigate Risk More Effectively
You can quit worrying about being a “sitting duck” when it comes to vulnerabilities, because you are minimizing your risk for new and emerging threats. A DarkNet hacker who works with CISO teams to help tackle emerging threats often shares this truth as a guide for how diligent you need to be:
1 – If you have a single vulnerability, attackers will exploit it.
2 – If you have data flowing through your systems, you have vulnerabilities.
3 – As you grow and modernize, you will have more data traversal.
4 – If you have any questions, go back to #1.
Data breaches are a drag on organizations. They’re extremely expensive and can compromise not only your operational uptime, but can also result in fines, brand damage, cyber insurance premium increases (or loss of a policy) and the loss of the federal contracts you’re using to fuel the business. So, while it takes time and investment to establish, continuous monitoring helps protect your systems, your company’s reputation, and your company’s financial wellness.
- ConMon Improves Flexibility and Responsiveness
Following NIST’s outline for executing continuous monitoring, you will improve your ability to respond to threat information rapidly and decisively. Attackers are continuously changing their tactics, techniques, and procedures (TTPs) to find ways into your environment. The only way to be secure is to do the same in your security program, based on current and validated threat information. Some people approach security like they approach their health, thinking they can do a little of this and a little of that and call it good. But security isn’t like physical health. It requires absolute focus and diligence, and there is no margin for error. Relying on the same processes and technologies year after year does little to provide real security.
- Increase Confidence in Your Compliance Status
If only we could bottle the amount of anxiety experienced by CISOs and compliance leaders around the world, we could probably fuel rocket ships for decades. How much energy gets spent worrying about whether your organization will meet compliance next year?
The reality is that if you want to maintain contracts with federal agencies, FedRAMP compliance is non-optional, but continuous monitoring takes the guesswork out of it once you achieve your first FedRAMP authorization. With real-time reporting and a required commitment to continually evolving your security controls over time, you don’t have to wonder how your next reauthorization assessment will go.
You can be confident in the process, knowing that you are FedRAMP compliant not just once, but continuously. That means your contracts are more reliable for business decisions as a predictor of future revenue because you are reducing your risk of losing them.
- Organizational Transparency
Less mature security programs often scramble when asked by potential clients or partners for proof of their security posture, pointing to general lists of measures and value statements, stalling responses to requests for documentation, or keeping the curtain otherwise tightly closed. With continuous monitoring, you offer clear visibility into your security posture for all stakeholders. So, your company’s leadership, government agencies with whom you contract, and the citizens whose data may be stored or processed in your cloud platform can be confident that you are doing what’s necessary to protect their sensitive data.
- Realize Long-term Cost Benefits
In the short run, implementing ConMon will require time and investment. It will, however, help you improve your security posture much faster than traditional approaches. This means your data will be more accurate for informing the next steps and investments in cybersecurity, yielding a higher ROI. Without real-time, accurate data from continuous monitoring, many organizations are stabbing in the dark when making budgetary and process improvement decisions. By comparison, their progress will be slower than yours, and they are more likely to have vulnerabilities that go unaddressed in their environment.
- Improve Your Threat Sharing and Collaboration
Even five years ago, many U.S. organizations feared sharing threat intelligence due to concerns about their brand reputation and potential lawsuits in a highly litigious country. However, as lawmakers and the business community have slowly begun to understand and address cyber risk as an ongoing reality, collaboration is increasingly seen as a way for security teams to help each other.
Why face attackers alone when we can all be better together? The FedRAMP program recognizes this and builds in encouragement to share information, tactics, and more across government agencies, cloud service providers, and third-party assessors. This kind of public-private collaboration is what’s needed to effectively combat a threat landscape of constantly evolving attack types.
Go Beyond Compliance
FedRAMP’s continuous monitoring requirement does more than help you meet compliance. It helps you improve your culture of cybersecurity. By implementing a solid program, expanding collaborations, rolling out more robust security controls, and committing to continuous improvement, your organization can approach cybersecurity as a company-wide journey. It is an ideal illustration of what it means to achieve security goals through one’s compliance program.
If you need help with continuous monitoring, compliance tracking, or FedRAMP authorization, you can reach out to our team anytime. We are always here for a conversation and would enjoy the opportunity to help you meet your strategy and risk goals.