Between now and early 2013, the U.S. Department of Homeland Security (DHS) is expected to release an RFP for continuous monitoring, a function for detecting network compliance and risk vulnerabilities -- which means the feds are working toward a huge shift in how they secure their networks next year.
George Schu, senior vice president at Booz Allen Hamilton, which consults federal agencies on technology decisions and often is instrumental to computing decisions at America’s highest level of leadership, said the company will bid on this RFP. And ultimately, Schu said he expects the DHS and General Services Administration (GSA) to spread this monitoring process throughout Washington, D.C., next year. He added that the deal, if successful, could lay the foundation for additional operational changes in federal agencies.
“It’s an unusual effort by the government to roll out a new process, and it is being driven out of DHS because of responsibilities for securing the .gov domain,” he said. “DHS is working with the GSA to roll out this new process across the government.”
In his opinion, the adoption will require decentralized deployment for maximum effectiveness. Each agency is unique with different needs and digital environments.
“It has to be tailored to the environment that it is going to be monitoring,” he said. “Health and Human Services probably looks different from the one that is being put together for the CIA, let’s say, because there are different risk factors.”
These differences largely depend on the data that’s being handled. According to Schu, security needs for a business unit that exchanges credit card and other personal information differ from those of one that exchanges personal health information. Additionally, those would differ from the needs of a business unit that handles financial information.
Employees will have to adapt to accommodate the changes. Continuous monitoring will prompt adjustments, and Schu likened these changes to any that would occur when there’s a major technology overhaul, though he didn’t offer specifics.
“Whenever a new process is rolled out, whether it’s an ERP system, a new HR or payment system, or a personal evaluation system, there are organizational changes implicit in that in order for it to work successfully,” Schu said.
If continuous monitoring is adopted, it would be more evidence of the government’s push to strengthen America’s cyber defensibility. The Obama administration is currently working on drafts of the well-publicized cybersecurity executive order. The law may create security standards for companies to comply with in order to secure the government data they handle.
“There is a big push for the government to do a better job in getting pertinent cybersecurity information out to critical infrastructure operators in the private sector to improve their cybersecurity awareness and posture in the face of an impending attack,” Schu said.