FISMA and Congress
May 22, 2009 at 12:10 pm #72541
GAO cites information security weaknesses
By Ben Bain, May 19, 2009
Recommends Office of Management and Budget revise FISMA guidance
Despite indications that agencies have improved their compliance with parts of the Federal Information Security Management Act, many major agencies still consider their information security controls a significant deficiency or material weakness, according to the Government Accountability Office.
Gregory Wilshusen, director of information-security issues for GAO, told the House Oversight and Government Reform Committee’s Government Management, Organization and Procurement Subcommittee today that many agencies had not fully or effectively implemented key elements of an agencywide information-security program, as required by FISMA. Meanwhile, GAO recommended that the Office of Management and Budget improve its guidance for FISMA reporting.
GAO’s findings come as lawmakers consider reforming the FISMA law that critics say relies too much on paper compliance reports and doesn’t fully address information-technology vulnerabilities. Sen. Thomas Carper (D-Del.) on April 28 introduced legislation designed to improve FISMA.
“Six years after FISMA was enacted, we continue to report that poor information security is a widespread problem with potentially devastating consequences,” Wilshusen said in prepared remarks based on a draft GAO report. That draft analyzed reports on government information security from agencies, inspectors general, OMB, Congress and the GAO.
GAO found that out of 24 major agencies:
* Thirteen said controls over financial systems and information were a “significant deficiency” and seven said they were a “material weakness” in performance and accountability reports for fiscal 2008.
* Twenty-two of the agencies’ IGs identified information security as a “major management challenge” for their agency.
* Twenty-three had reported weaknesses in access controls, and 23 had weaknesses in their agencywide information security programs.
Wilshusen said OMB’s annual instructions for FISMA reporting weren’t always clear and didn’t cover key security activities. In addition, he said, OMB didn’t include key information about findings and significant deficiencies identified by IGs in its report to Congress on agencies’ FISMA compliance.
Vivek Kundra, the federal chief information officer and the top IT official in OMB, said the administration wanted to make security compliance more automatic and ongoing. FISMA “has raised the level of awareness in the agencies and in the country at large, but we’re not where we need to be,” he said.
Kundra said the administration’s initial review of government information security showed the performance data currently collected under FISMA doesn’t reflect the security posture of agencies and the current collection process is cumbersome and takes time away from meaningful analysis. He also said there is too much focus on compliance and not enough on outcomes.
“While the current reporting metrics have made sense, or may have made sense when FISMA was enacted, they’re largely compliance based; they are trailing — rather than leading — indicators,” Kundra said. “We need metrics that give us insight into agencies’ security postures and possible vulnerabilities on an ongoing basis.”
Agencies need to adopt a “risk-based approach” to IT security, Kundra said, including for cloud computing, which President Barack Obama endorsed in his fiscal 2010 budget request.
May 22, 2009 at 12:11 pm #72547
Hearing information includes links to written testimony.
Hearing Testimony and Witness List for the Subcommittee Hearing on: “The State of Federal Information Security”
Today at 9:00 a.m. the Subcommittee on Government Management, Organization and Procurement will hold a hearing titled “The State of Federal Information Security.” The hearing will take place in 2247 Rayburn House Office Building.
Documents and Links
* Testimony of Mr. Vivek Kundra (77 KB)
* Testimony of Mr. Greg Wilshusen (191 KB)
* Testimony of Mr. Samuel Chun (31 KB)
* Testimony of Ms. Jacquelyn Patillo (22 KB)
* Testimony of Ms. Margaret H. Graves (62 KB)
* Witness List (66 KB)
May 22, 2009 at 12:41 pm #72545
I read the transcripts of the witnesses. Like most testimony, they all seemed a little light on specifics. Let’s take your last quote from Mr. Kundra as an example. He said we need to adopt a “risk-based approach”. If we do C&A correctly, we are already using a risk-based approach since it starts with FIPS 199. If indeed he was using “risk-based approach” as code for something else, it should be made clear. Clearly he must be given time to formulate a coherent program, but it’s likely that Congress may act before the administration can set and publish its intent.
May 22, 2009 at 1:20 pm #72543
Here are our notes from the Q&A session that followed the opening statements.
Q1. What type of information does FISMA not have?
Mr. Kundra stated that set standards don’t accurately reflect the security posture, as things are always changing: firewalls protected networks from the outside, but now more advanced technologies are allowing deeper attacks and people are bringing down defenses, so we need to monitor agencies on a real-time basis, not quarterly or annually, since that is more of an industry norm.
Q2. President Obama is proposing the use of their IT resources, data warehousing, cloud computing, etc. What policies and protocols are in place to ensure vendors comply with FISMA?
Mr. Kundra stated that:
• The Federal CIO Council ensures FISMA is applied to cloud computing.
• Security should be baked into the infrastructure/architecture for security solutions.
• A Privacy Committee is ensuring privacy is at the forefront and considered before procurement.
• Are vendors responsible? Look at a risk-based approach so there is not one model for everyone, i.e. it is not necessary to drive up costs to protect public information; FISMA should not be seen as a ceiling but as a floor, depending on agency threats.
Gregory Wilshusen (Director, Info Sec Issues, GAO) stated:
• Contractors should treat information as federal information and use FISMA/NIST guidance. IGs have reported that as the number of contractor systems increases, FISMA compliance decreases.
Jacquelyn Patillo (Acting CIO, Dept of Transportation) stated:
• FISMA and federal spending/budget should be integrated. The DOT spends less than 1% of its budget on security. She also believes there should be a risk-based system.
Q3. Can we directly trace or fingerprint attacks?
Samuel Chun (Director, Cyber Security Practice, EDS) stated:
• This is very difficult and will be a very complex, long-term effort; DARPA has been involved with this.
Margaret Graves (Acting CIO, DHS) stated:
• DHS can track down to the original source and Intel can perform forensic analysis; however, it is a very time-consuming task and requires significant human effort to analyze. US-CERT has this capability. There is, however, a traceability conflict with privacy invasion.
Q4. FISMA should be reformed on a statutory basis. What are your thoughts on FISMA reforms? We should also ask agencies to respond and comment on how we can reform FISMA to ensure cybersecurity.
Mr. Chun stated:
• There needs to be a central office in the government to address compliance and contractor issues. The creation of a CTO may help.
• FISMA is cumbersome and labor intensive, and there are ways to improve FISMA:
o Automate the collection of data.
o Rationalize which metrics are important; metrics should be evolutionary and should show how an agency is protected.
o Security should be baked into architecture, systems, and personnel.
o Security responsibility lies in all of us.
o Monitoring should occur on a real-time basis as threats evolve around the world.
Q5. Referring to the laptop stolen from the VA, how many of our threats are physical and cyber breaches – how many are associated with wireless devices?
Stated that he doesn’t have the number of thefts, but the number of incidents reported to US-CERT tripled from 2006 to 2008. Physical theft incidents are included in the “unauthorized access” category, as are cyber theft incidents; this category is 18% of the total number of incidents reported. A key control to prevent this threat is encryption, since the workforce is more mobile. We can only assess and manage risk; we can’t avoid it.
Q6. How can we harmonize agencies better?
Stated that technologies exist to address issues and threats, but human beings are the last line of defense, and we can educate our people at a level beyond security awareness training. There needs to be IT training coming directly from the IT office; our people should be thoroughly trained and certified.
Q7. IT security expert in the White House?
Stated that he is working with Melissa Hathaway and recognizes that cybersecurity is a vital issue that cuts across all life. President Obama’s recommendations will be coming out after the Hathaway report.
Mr. Wilshusen stated:
GAO had experts and had established White House responsibility; there were problems before when responsibility was given to DHS, but they couldn’t monitor their budgets, so elevating responsibility to the White House is necessary.
Q8. There is a DoD Directive that requires certifications; should we use that as a model?
Stated that anything you do to improve skills is a benefit. A better measure of how effective an agency’s security awareness training is would be a challenge-response test rather than online CSAT training. The IRS has a good program in place where the IG would ask claims representatives specific questions to test how well they can respond. For example, programs can include sending emails to employees to see if they open them.
Q9. How do we know if the “bad guys” are working for us? What is DoD doing – background checks?
M.J. Shoer (President and Virtual CTO of a VAR, the Jenaly Technology Group, testifying on behalf of the Computing Technology Industry Association (CompTIA)) stated:
• DoD does background checks, and there is a testing component to 8570; CompTIA was part of the development of 8570.
• Background checks are being performed on contractors.
Chairwoman Watson stated:
• 23 out of 24 agencies did not authenticate users; GAO corrected exact meaning
• Multi-factor authentication is used in the Marines/Navy per EDS contract
• Technology does exist
• DoD uses CAC cards
Ms. Patillo stated:
• DOT looks at the number of events per day; there are 3 million events every day, and they have to analyze them to make them actionable. From 3 million, they would generally come up with 10 actionable events. Human intervention is needed to correlate the data, so we have to look more at innovation and technology to make this process more effective.
What should we do policy-wise?
Ms. Patillo stated:
• We need to look at security at the beginning of the system acquisition process, vendors should build in security; this can be required at a Department level but it’s more official if the issue is elevated as a requirement in the FAR (Federal Acquisition Requirements).
Mr. Kundra stated:
• We need to look at default settings; the government procures from private industry, and vendors want there to be more options, but that creates even more events. Based on options, you can turn things on and off; built-in systems.