Complying to Stay Safe

Information technology security continues to make life difficult for agencies, but the threat isn't always from hackers—compliance headaches also take their toll.

The pain is made public each year with the release of the highly publicized security report card by the House Government Reform Committee. The latest evaluations gave the government's efforts overall a "D+" and pointed to continuing concerns.

Separately, a new survey of federal IT professionals revealed some of the underlying frustrations agency systems officials have in meeting the Federal Information Security Management Act. Despite their concerns about complying with FISMA, the respondents to the survey also made it clear agencies are serious about IT security: Two-thirds cited it as one of their top-three worries. The next biggest top-three concern, staffing, came in 18 percentage points lower than security, at 49 percent.

If most officials agree that IT security is essential to daily operations and to protecting the terabytes of citizens' personal information stowed in federal databases, why is progress so difficult?

According to security experts in and out of government, reasons range from the need for new technologies and better practices to inadequate user training and the scale of the effort. Perhaps most vexing is the fact that security will always be a moving target, as glory-seeking hackers and sinister cyberterrorists find new ways to breach systems.

"It's like asking a criminal why he robs banks, and he says, 'That's where the money is,'" says Dan Wiener II, CIO practice executive for Titan, a San Diego systems integration and engineering company. "For hackers, breaking into a government agency is like getting a merit badge."

Fortunately, new tools and best practices—combined with the continuing pressure to conform to FISMA—could appear to be chipping away at the problem, albeit slower than lawmakers, the administration and even CIOs themselves would like.

The current state of security is discouraging. The near-failing grade—and several flunking grades for specific agencies—handed out by Government Reform follows spending on security of $4.2 billion in fiscal 2004.

To some observers, the rate of progress and the price tag don't add up.

"The major issue comes down to people and processes. The security solutions are out there. Unfortunately, it's taking time for the goals and requirements of FISMA to sink in at some of our agencies," committee spokesperson Drew Crockett says. "The problem is that cybersecurity is not always the main focus in the planning process."

Agencies counter that the Capitol Hill report cards don't tell the whole story because the grades often don't reflect incremental changes taking place within agencies. In every category for which the Office of Management and Budget has measured how well agencies are doing at improving security relative to the FISMA mandates, there has been consistent improvement during the past three years.

Further, agencies cite funding as a limiting factor. Although the FISMA goals are important, the law is another unfunded mandate for agencies.

The Government Accounting Office has repeatedly warned that while the numbers seem big for security spending, there's still not enough money to go around. The $4.2 billion being spent annually is roughly 7 percent of the nearly $60 billion the government pumps into IT.

For most agencies, complying—or just trying to comply—with FISMA demands shuffling money to efforts from other programs.

"Federal agencies simply need more resources to engineer controls into systems and then sustain security controls in an operational environment," says Michael F. Davis, director of information assurance for the Marine Corps' System Command in Quantico, Va. "Additional requirements [mean] program managers need additional resources to ensure that information assurance security levels are met."

The sheer size of the government further hampers security efforts. Large agencies can have thousands of computers to secure, and assuring that systems administrators have put in place the most secure configurations and loaded the latest software patches on each one is daunting.

And nowhere is this task more critical than within the military. "Once a system is fielded to operational forces, something as simple as failure to apply a patch to a system may render an entire operational enclave vulnerable," Davis says. "This is unacceptable to the warfighter."

Despite the general overall poor state of the government's security, some agencies have set themselves apart as security frontrunners. Crockett points to the "A-" grade received by the Transportation Department, up from last year's "D+", as well as upward progress at the Justice and State departments.

Within DOT, the Federal Aviation Administration represents about 85 percent of the department's total IT infrastructure and so the state of FAA security carries more weight in the ratings.

Dan Mehan, CIO and assistant administrator for information services at FAA, attributes his agency's high marks in part to the legwork the CIO team has done in vetting its systems' security.

FAA has certified the security of nearly all its systems—a core FISMA requirement. During the certification process, an agency's inspector general or a third-party organization assesses the agency's security needs and how successfully it has implemented controls. The goal is to achieve the near 100 percent mark reached by FAA, but according to OMB, the average across government is currently closer to 77 percent.

To stay ahead of the security curve, FAA also has set up an internal certification process for its systems. Each one must now meet this FAA Security Certification and Authorization Package. The SCAP, as it is called, shows further proof of security, Mehan says.

"We also conduct frequent vulnerability scans that test for policy compliance—that the right security patches are in place and that we addressed vulnerabilities,"he adds.

To foster security awareness among the agency's employees, FAA sponsors an annual security conference. At the most recent one, in March in San Diego, 400 FAA staff members attended security-training sessions and visited booths sponsored by systems security vendors.

Near-Term Trends

In the coming year, Government Reform's Crockett sees the FISMA mandates pushing agencies to develop additional security practices, including annual reviews of contractors' systems, testing of contingency plans, incident reporting and training geared for employees with significant security responsibilities.

Along those lines, FAA plans to begin what Mehan calls exploratory work with the National Science Foundation and industry to develop strategies that will let it quarantine subnetworks within its wide area network.

Titan's Wiener says he expects to see greater emphasis on risk management, the ability of agencies to determine how much of a cybertarget they are relative to all other agencies.

"Agencies also will be working to understand their internal risks, such as from disgruntled employees," Wiener says. "Statistics have shown us that commercial industry faces more issues from insiders" than from outside hackers.

FAA is already addressing this issue: The agency has begun investigating sophisticated tools to analyze employees' behavior. "We want to monitor access permissions and track whether people are doing what we're expecting them to do" once they're logged in, Mehan says.

The issue of privacy, the flip side of security, also will continue to be a priority. "Agencies will be integrating privacy into their entire security landscape," Wiener says. "One great concern with protecting your network is protecting all the information on it, including Social Security numbers and medical records. As we automate more data collection, everyone wants to be sure their personal data is being protected. This concern is becoming part of the security landscape."

Also on the horizon are automated security practices, technology strategist Christopher Michael says.

"The one thing that can really help agencies get out of the [resource] hole is automation for determining how many of their systems have up-to-date antivirus software and whether the systems are configured correctly," Michael says. "Tools exist to do this, but up to now, they haven't been widely deployed in government."

The Marine Corps' Davis also agrees that change is coming because agencies now view security as something that must be embedded within systems and not bolted on as an afterthought.

When it reported earlier this year on FISMA compliance, OMB noted that agencies now are building security into new systems roughly 85 percent of the time; that figure was 62 percent back in 2002.

"Security must be addressed in the earliest phases of systems development and injected into the systems engineering process," Davis says.

His organization is working with Corps users and other groups to identify security specifications for inclusion in the earliest requirements documents. But Davis warns that organizations will have to plan for the added IT costs and longer rollouts that will result from this "baked in" approach.

In the government, there's an additional wrinkle, he says. Agencies must make sure systems are secure, but the measures must not impede their core missions.

For instance, he pointed to the systems demands of troops stationed in Afghanistan and Iraq. "Operating forces have noted that some security controls are too restrictive and unnecessarily interfere with combat operations," Davis notes. "Operational necessity may require a specific security control be disabled, such as the periodic lockout of an operator after a short time of system inactivity."

In the case of its deployed Marines, the Corps created a working group to determine how to streamline controls to better support warfighters and avoid bypassing restrictive information assurance controls.

Back at FAA, Mehan predicts a gradual shift in priorities for security-conscious agencies. Their efforts will ease away from complying with FISMA as those practices become commonplace and move toward focusing on the ability to respond swiftly to ever-changing threats.

"It's about how you deal with situations where more sophisticated intruders become more persistent," he says. "Compliance is important, but it's also important that you become resilient in the face of whatever kinds of attacks you may see. We have to make sure a cold doesn't turn into pneumonia."