Making decisions based on outdated information is a recipe for failure. No matter how good the data at the time it is collected, if it cannot be used quickly it loses its value for making critical cybersecurity decisions.
This has been demonstrated by federal agencies struggling to secure their information systems using Certification and Accreditation (C&A) schemes that call for periodic certification of static security controls. Government now is moving beyond C&A to continuous assessment of security status under a Risk Management Framework (RMF). But challenges remain in automating the processes needed to use the framework.
Read the full blog.