ISCM is not only a technical problem, it also requires policy actions in order to achieve and sustain its goals. The ISCM program at ARL will continue to be incrementally improved with the appropriate rigor and assessment frequencies to support the mission/business requirements, risk tolerance, and security categorization. By leveraging an integrated operational and technical ISCM portal, the Cyber Security Service Provider (CSSP) operations process and knowledge management capabilities ensure sustained and continuous assessments can be synchronized across the Army. To support ongoing risk determinations and future risk acceptance decisions by senior leaders, policies supporting the following six steps are necessary for achieving and sustaining an effective ISCM:
- Define an ISCM policy, strategy, and supporting doctrine based on risk tolerance that promotes clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.
- Ensure the ISCM program determines metrics, status monitoring frequencies, control assessment frequencies, and an ISCM technical architecture.
- Automate collection, analysis, and reporting of data where possible. Collect the security-related information required for metrics, assessments, and reporting.
- Analyze the data collected and report findings, determining the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data.
- Respond to findings with technical, management, and operational mitigating activities or acceptance, transference/sharing, or avoidance/rejection.
- Review and update the monitoring program, adjusting the ISCM strategy and maturing measurement capabilities to increase visibility into organizational assets and awareness of vulnerabilities, further enable data-driven control of the security of an organization’s information infrastructure, and increase organizational resilience.
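The steps above turn into something measurable once assessment frequencies, collected assessment data, and a response rule are written down. The following is an added example, not ARL's ISCM code or any part of the ISCM portal or widget described in this report; it assumes hypothetical assessment frequencies keyed by security categorization (low/moderate/high), a constructed set of assessment records using NIST SP 800-53-style control identifiers, and a fixed reference date. It computes which controls are overdue for assessment, the reporting metrics a senior leader would see, and a first-cut response category per record (steps 3 through 5 of the list).

```python
"""Added example (not ARL's ISCM code): an ISCM policy expressed as a runnable check.

Assumptions (hypothetical): assessment frequencies per security categorization,
constructed assessment records, and a fixed reference date for the report.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Control assessment frequency in days by security categorization.
# Hypothetical policy values chosen for illustration, not ARL's.
ASSESSMENT_FREQUENCY_DAYS = {"low": 365, "moderate": 180, "high": 90}


@dataclass(frozen=True)
class AssessmentRecord:
    control_id: str       # NIST SP 800-53-style identifier (sample values below are constructed)
    system: str           # information system the control belongs to
    categorization: str   # "low" | "moderate" | "high"
    last_assessed: date   # date of the most recent control assessment
    finding: str          # "satisfied" | "other_than_satisfied"


def assessment_due(rec: AssessmentRecord, today: date) -> bool:
    """True when the last assessment is older than the frequency policy allows."""
    freq = ASSESSMENT_FREQUENCY_DAYS[rec.categorization]
    return today - rec.last_assessed > timedelta(days=freq)


def analyze(records, today: date) -> dict:
    """Analyze collected assessment data and produce reporting metrics."""
    overdue = [r for r in records if assessment_due(r, today)]
    open_findings = [r for r in records if r.finding == "other_than_satisfied"]
    total = len(records)
    within = total - len(overdue)
    return {
        "total_controls": total,
        "overdue_controls": sorted(r.control_id for r in overdue),
        "pct_assessed_within_frequency": round(100.0 * within / total, 1) if total else 100.0,
        "open_findings": sorted(r.control_id for r in open_findings),
    }


def recommend_response(rec: AssessmentRecord, today: date) -> str:
    """Map one record to a response category.

    'mitigate' flags a finding that needs technical, management or operational
    mitigation (or a documented acceptance/transference/avoidance decision by
    the authorizing official, which this code only surfaces, never makes).
    'reassess' means the monitoring data is too stale to support a risk decision.
    """
    if rec.finding == "other_than_satisfied":
        return "mitigate"
    if assessment_due(rec, today):
        return "reassess"
    return "no_action"


# Constructed sample data: four controls across two systems, report dated 2016-07-20.
TODAY = date(2016, 7, 20)
SAMPLE_RECORDS = [
    AssessmentRecord("AC-2", "sys-a", "high", date(2016, 3, 1), "satisfied"),            # 141 days: overdue (>90)
    AssessmentRecord("SI-2", "sys-a", "high", date(2016, 6, 30), "other_than_satisfied"),  # current, but open finding
    AssessmentRecord("CM-6", "sys-b", "moderate", date(2016, 4, 1), "satisfied"),         # 110 days: within 180
    AssessmentRecord("RA-5", "sys-b", "low", date(2015, 5, 1), "satisfied"),              # 446 days: overdue (>365)
]


if __name__ == "__main__":
    report = analyze(SAMPLE_RECORDS, TODAY)
    for key, value in report.items():
        print(f"{key}: {value}")
    for rec in SAMPLE_RECORDS:
        print(f"{rec.system}/{rec.control_id}: {recommend_response(rec, TODAY)}")
```

The frequency table is the place where risk tolerance and security categorization enter the check; tightening it for high-impact systems changes which controls show up as overdue without touching the collection or reporting code, which is the separation between policy and automation that the list above calls for.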
In 2017, ARL will release an ISCM Widget to support continuing re-authorization capabilities. This capability facilitates the NIST SP 800-137 requirement “that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions…”
In 2017, ARL will propose a widget(s) that could support Mission Assurance Continuous Monitoring (MACM), an integrated observation of mission-aligned ISCM with operational and technical information network operations capabilities to create and preserve information assurance on the DoD information networks and increase organizational resilience.
In 2018, ARL will propose a widget(s) that could support Cyber Defense Continuous Monitoring (CDCM), an integrated global observation of mission-aligned partners through passive and active cyberspace operations intended to preserve the ability to utilize friendly cyberspace capabilities and protect data, networks, net-centric capabilities, and other war fighting and support enabling systems.
ARL will continue to develop ISCM and ensure that its requirements are well informed and reflect the best practices, lessons learned, and efficiencies developed across the Army.