In part 6 of this series, we explore how the Monitor step of the RMF is implemented using a data-driven approach. The main objective of the Monitor step is to “maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.” It starts with monitoring for changes in the system, the environment and the adversaries. From there it is essentially a repeat of steps two, three, four and five: selecting additional controls to address changes in the environment or in the adversaries’ tactics, techniques and procedures; implementing those new controls and/or updating the implementation of existing controls; assessing the new controls or re-assessing the updated ones; and finally revisiting the authorization decision for the system in light of all the changes. The Joint Task Force that created the RMF recognized that cyber defense is never-ending and added this step to make the process continuous and ongoing.
If you are implementing Step 6 – Monitor without a data-driven approach, forget it. You might as well skip the step and go back to the three-year certification and accreditation cycle. Without a data-driven approach you will not have timely visibility into 1) changes in the threat landscape; 2) configuration drift that is occurring in your systems; 3) new vulnerabilities that are discovered and exploits that are using them; 4) user activities that are putting your systems at risk. In essence, you won’t have timely visibility into any of the events and activities that truly necessitate continuous monitoring.
Q-Compliance and its capabilities for Step 6
Because Q-Compliance supports all other steps of the RMF with a data-driven approach, it automatically supports Step 6. For example, the same analytics and visualizations that enable a data-driven approach to Step 4 – Assess also allow you to continuously monitor for changes that may impact the effectiveness of those controls. In addition to these underlying capabilities, Q-Compliance has purpose-built features specifically targeted at the Monitor step. The table below lists the key data and automation capabilities required to support continuous monitoring, as defined in NIST SP 800-137 “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” and describes how Q-Compliance supports each of them.
| ISCM Capability from NIST SP 800-137 | How It’s Supported in Q-Compliance |
|---|---|
| Pull information from a variety of sources | Integrates with any cyber security tool, application, device, and platform, whether on-premises or in the cloud, to provide a real-time single source of truth about an organization’s actual security state. |
| Use open specifications such as the Security Content Automation Protocol (SCAP) | Qmulos provides the industry’s only SCAP input for Splunk, which ingests the results of security scanners, vulnerability scanners, configuration management tools and other SCAP-compliant tools to populate the control analytics in Q-Compliance. |
| Offer interoperability with other products such as help desk, inventory management, configuration management, and incident response solutions | Q-Compliance leverages thousands of technical add-ons in Splunkbase as well as custom add-ons built by Qmulos. Additionally, it integrates and interoperates with all of the leading inventory management, configuration management, help desk and incident response tools. |
| Support compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines | Supports all of the applicable security and compliance standards from NIST, the Department of Defense, the Intelligence Community, and civilian agencies. These include, but are not limited to, NIST SP 800-53 (rev. 4 and rev. 5), NIST SP 800-37, NIST SP 800-137, CNSS 1253, FedRAMP, NIST CSF and DISA STIGs. |
| Provide reporting with the ability to tailor output and drill down from high-level, aggregate metrics to system-level metrics | Q-Compliance has dashboards and reports targeting all users in the organization at all levels of detail. For example, it shows risk and compliance metrics from the entire enterprise down to specific departments and systems, with the ability to drill down into individual assets and events. |
| Allow for data consolidation into Security Information and Event Management (SIEM) tools and dashboard products | Q-Compliance is built on top of Splunk, the industry’s leading SIEM platform. Any data in Q-Compliance is consolidated and correlated with the other data in the platform. |
All of these capabilities in Q-Compliance come together to let organizations implement both time-driven and event-driven mechanisms that continuously monitor the risk and compliance posture of their systems and adjust the systems’ security authorizations accordingly. You can set up schedule-based reminders for when certain controls need to be reviewed or monitored, based on your organization’s or system’s ISCM strategy. You can set up automated alerts to detect events that affect the compliance or security posture of your system and identify the specific controls that are impacted. These alerts can even trigger workflows using Splunk’s orchestration capabilities to automatically remediate the findings (e.g. apply a patch, change a configuration setting, quarantine a device); fail a control; create a Plan of Action & Milestones (POA&M); or revoke the ATO of a system. While these actions run in the background, you are notified through rich and intuitive dashboards, as shown in Figure 1. Furthermore, the dashboards enable you to prioritize your day-to-day security and compliance activities to maintain an acceptable level of risk for your organization and systems.
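To make the two mechanisms above concrete, here is an added example (not Q-Compliance or Qmulos code) that rolls a constructed XCCDF-style SCAP result up into per-control status (event-driven) and flags controls whose evidence is older than an assumed ISCM review interval (time-driven). The rule ids, the rule-to-control mapping and the review intervals are all hypothetical.

```python
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET

# Constructed XCCDF-style TestResult fragment; rule ids are hypothetical.
XCCDF_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
  end-time="2024-05-02T08:00:00">
  <rule-result idref="rule_audit_logging_enabled"><result>pass</result></rule-result>
  <rule-result idref="rule_audit_log_retention"><result>fail</result></rule-result>
  <rule-result idref="rule_password_min_length"><result>pass</result></rule-result>
  <rule-result idref="rule_fips_mode"><result>notapplicable</result></rule-result>
</TestResult>"""

# Hypothetical mapping of scanner rules to NIST SP 800-53 control ids.
RULE_TO_CONTROL = {
    "rule_audit_logging_enabled": "AU-2",
    "rule_audit_log_retention": "AU-2",
    "rule_password_min_length": "IA-5",
    "rule_fips_mode": "SC-13",
}
# Hypothetical per-control review interval (days) taken from an ISCM strategy.
REVIEW_INTERVAL_DAYS = {"AU-2": 30, "IA-5": 90, "SC-13": 180}


def parse_rule_results(xml_text):
    """Return (scan end time, {rule id: result}) from an XCCDF TestResult."""
    ns = {"x": "http://checklists.nist.gov/xccdf/1.2"}
    root = ET.fromstring(xml_text)
    end_time = datetime.fromisoformat(root.get("end-time"))
    results = {rr.get("idref"): rr.find("x:result", ns).text
               for rr in root.findall("x:rule-result", ns)}
    return end_time, results


def control_status(rule_results):
    """Event-driven roll-up: one failing rule fails the control, a pass needs
    no failures, and a control with only N/A rules stays unassessed."""
    status = {}
    for rule, result in rule_results.items():
        control = RULE_TO_CONTROL.get(rule)
        if control is None:
            continue  # rule not mapped to a control in scope
        if result == "fail":
            status[control] = "FAIL"
        elif result == "pass" and status.get(control) != "FAIL":
            status[control] = "PASS"
        else:
            status.setdefault(control, "NOT_ASSESSED")
    return status


def overdue_controls(scan_end, now):
    """Time-driven check: controls whose latest evidence is older than their interval."""
    age = now - scan_end
    return sorted(c for c, d in REVIEW_INTERVAL_DAYS.items() if age > timedelta(days=d))
```

A real deployment would feed the roll-up from every scan as it arrives and raise the alert or workflow the text describes when a control flips to FAIL or appears in the overdue list.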
Within Q-Compliance, the available dashboards display the latest representation of the system’s state, including object- and event-level details. Firstly, the System Continuous Monitoring dashboard provides a one-stop shop for all users (that are authorized to see each system) to monitor all the controls designated for continuous monitoring, using the real-time events in Splunk that are relevant to each control and system. Secondly, the System Actions dashboard provides system owners, Information System Security Officers (ISSOs), and other users with system-level responsibilities with a key summary of the items that require action and up-to-the-minute compliance indicators. Thirdly, the User Actions dashboard provides a more user-focused view of the same information based on each user’s area of responsibility. These dashboards enable users to take action to maintain and/or improve the security and compliance posture of their systems.
The benefits of using Q-Compliance for Step 6 – Monitor include:
- Timely visibility into changes in the system, environment and adversaries that impact the risk posture of your systems
- Continuous monitoring of ALL technical controls, not just the small subset of vulnerability and configuration management controls that other tools typically cover
- Automated actions triggered by findings from continuous monitoring, e.g., fail a control, create a POA&M, revoke a system ATO, apply a patch, change a configuration setting, etc.
- Seamless integration with the rest of the RMF steps, i.e., any actions performed in steps one through five are automatically reflected in step six and vice versa. This truly enables the continuous cycle envisioned by the creators of the RMF.
Q-Compliance’s support for a data-driven approach for steps one through five of the RMF makes it a breeze for you to implement Step 6. Additionally, why go through the motions with a manual approach and stale data when it provides little to no security value?