Building Risk-Awareness into the FISMA-Compliant Cloud (Part 2)


NOTE: This is Part 2 … to read Part 1, please click HERE.

  • Cloud Continuous Monitoring Plans – 6 Elements [continued]
  • Humans & Machines
  • Why is Ongoing Monitoring So Critical?
  • Compliance & the Myth of “The Cloud”

Technology [continued]

The provider wants the system to be user-friendly for its staff, so its environment will typically be fronted by and coordinated within a control panel. In that setting, the analysts can look at the technology’s suggestions and determine what needs attention, bringing a more sophisticated human outlook to any possible threats. The cloud company or federal office will figure out how frequently reports should be issued. A control panel should present real-time data, allowing the cloud service provider (CSP) to get up-to-the-second information and fix problems as they arise.

Instructional guides

It’s also necessary to properly educate everyone working on your ongoing monitoring team. Create instructional guides, conduct regular staff training, and otherwise share information throughout your IT staff.

“Thorough and practical training should be part of the continuous monitoring strategy itself,” says Svec, “and this training should cover the processes involved with … all elements of a continuous monitoring strategy, as well as training on the security tools being used.”

Also note that the cloud company’s ongoing monitoring should be completely agile and adaptive, with updates made to training materials as monitoring information provides an ever-changing picture of the threat landscape.


You want to keep checking the security controls you have in place. By assessing the entire system, from all angles, you make sure you’re acting competently at all times. Conduct these assessments with five steps:

  1. Discuss the system with a spectrum of relevant parties.
  2. Look at the current policy carefully.
  3. Analyze the parameters of your IT environment.
  4. Run a test to verify smooth operation.
  5. Determine what tasks are performed through automation and through human activity, in part to determine how appropriate your approaches are.

When you have the right technology implemented, you can check that everything is working properly at predetermined times, scheduling both your tools and your people. Essentially, your security stance should blend your protective software and hardware with continually developing knowledge to stay ahead of emergent threats.

Svec says that the interval at which these checks are performed should not be random but determined by cost-benefit. Look at the amount of associated risk in relationship to the amount of time and resources necessary to conduct these assessments. “In an efficient continuous monitoring model,” he adds, “risks are identified and fixed quickly.”


Everything must be documented, with the resulting reports submitted to the correct individuals in order for the information revealed in the assessment to be actionable. When cloud providers retool their reporting mechanisms to fit their own needs, they can act soundly and efficiently in response to threats. Their monitoring UI should give them easy and reliable access to all information, estimates of relevant vulnerability, and any details on fixing the problem.

People who specialize in security need to work with those who design infrastructure to form a more integrated approach toward the information, operating via a policy built for speed.


Ongoing monitoring requires a proactive response toward incoming data. Fast response and remediation are critical. In order to resolve problems, cloud providers that prioritize security and compliance follow three steps:

  1. Determine how much risk a given threat or parameter represents.
  2. Try a remediation tactic.
  3. If the tactic works, support it.

Svec stresses that conflicts of interest must be avoided: “Depending on the relationship of the third-party security assessor to the government agency or cloud provider,” he says, “a secondary assessor may be involved at this last stage in order to preserve independent assessor status.”

Humans & Machines

Federal offices and cloud companies have a lot to gain from the perspectives of those who specialize in controls, assessment, and system design. Plus, they should have access to a wide range of self-guided technology.

This method of conducting ongoing monitoring threads together the strengths of well-built automation software and the human side (assessment itself and administration), with the primary emphasis on making the information actionable.

Why is Ongoing Monitoring so Critical?

“A well‐designed and well‐managed continuous monitoring program can effectively transform an otherwise static and occasional security control assessment and risk determination process into a dynamic process,” says the National Institute of Standards and Technology, which adds that such a program has the capacity to deliver fundamental, near real-time risk data to key stakeholders.

Compliance & the Myth of “The Cloud”

Notice above how speed is a critical factor. Of course it is. The cloud is fast, so you should be fine, right?

Consider that there is no such thing as “the cloud” – the speed of your cloud service varies considerably based on your service partner. Superb Internet leverages Infiniband rather than Ethernet and distributes storage rather than centralizing it, delivering significantly more impressive local disk I/O.

Would you like a FISMA compliant-ready cloud with actual performance measurements that are typically 4 times better than Amazon and SoftLayer? Choose our PassMark-rated cloud servers.

By Kent Roberts
