Tue, 2009-11-10 16:46
The Department of Homeland Security (DHS) guidance from 2006 called for agencies to address three key implementation elements:
1. Action descriptions
2. Completion milestones
3. Parties responsible
Most agencies addressed the issues but failed to implement a continuous method of assessing risk that would provide a constant view of their security posture. DHS circled back in 2008 with new guidance calling for the key implementation elements to be updated. Only five agencies responded adequately to this guidance. The DHS analysis points to a lack of strategic security planning coupled with a well-defined and well-executed program. The main issue is that we do not know where we stand overall with respect to our national security posture; knowing that is what gives us the opportunity to address threats and vulnerabilities with the proper level of resources. Strategic plans need to be updated as required based upon the ever-changing threat landscape. This means continuous awareness of the threat landscape so that plan modifications can be made in a timely fashion. These changes then cascade down to the program level.
A key solution that should be undertaken at this point is a rapid assessment of overall agency risk, run in parallel with efforts to build a sustainable process for continuously reporting security posture status. This all starts with a strong security strategic plan aligned to each agency's mission and a security program that clearly defines roles, responsibilities, accountabilities, metrics and reporting. The security program is a critical component of strategic plan success, since developing a strategy without clear steps for execution guarantees the current status quo: a point-in-time assessment of risk.
Establishing clear governance over information security and assurance ensures that threats, vulnerabilities and truly exploitable issues are discovered, remediated and constantly monitored. Continuous monitoring of the agency's security posture also creates the basis for the metrics a program must include, so that posture can be properly measured at any given time.
The integration of physical and cyber security at all levels provides the basis for a holistic approach to security issues and can address many of the program problems defined in the GAO report.
Another report was released on October 9, 2009 by the Office of the Inspector General (OIG) referencing FISMA at the Department of the Interior (DOI). This report was even more scathing, addressing security decentralization, fragmented governance based upon organizational silos, lack of oversight and the use of unskilled personnel in critical security roles. The OIG goes on to say that the benefit of the $182M spent on IT security in FY2009 is largely negated. One example was the acquisition of whole disk encryption software that was purchased but not deployed, representing a loss of $57k per month in depreciation, not to mention the inability to know whether data is being lost as a result. The OIG references many other weaknesses in the DOI security posture and identifies 13 recommendations to address the deficiencies:
1. Realignment of the Department CIO
2. Realignment of information security personnel
3. Consolidation of security duties
4. Rescind an outdated memo from 2002
5. Realign authority for FISMA compliance
6. Realign incident response resources
7. Fully staff incident response
8. Standardize on incident response tools and procedures
9. Design and implement a standardized continuous monitoring program
10. Establish and enforce minimum qualifications requirements for security staff
11. Implement FDCC guidelines as required by federal policy (remove local admin rights)
12. Routinely test and assess
13. Establish C&A documentation standards
These deficiencies can all be overcome in a short period of time with the right leadership and approach. It should be remembered that FISMA represents only a minimum necessary approach to security. The best programs exceed these requirements and do so without breaking the bank.
When you couple the deficiencies identified by the GAO and the OIG with the 60 Minutes report this past Sunday night, which described how a foreign government penetrated CENTCOM and watched its network traffic for days without detection, you should understand how easy it would be to penetrate infrastructures that are far from compliant. If DoD resources are hacked this easily, one should ask, "How easy is it then to hack non-DoD agency infrastructures?" The answer is already known.
There are services available to the agencies in question that can rapidly mature security and help cut through government red tape. Many agencies suffer from having the wrong vendor in the wrong place. These vendors are truly interested only in extending the contract and subsequent funding, or in winning every task order, not in tackling the tough issues and acting as a catalyst for change. Many times the best interests of the agencies are not on the minds of the vendors who manage their IT resources or drive their security programs. Government agencies need to examine the relationships they have and realize that they may need new blood, not cut from the same mold as the large Beltway integrators. It is time for experienced security leadership to take hold.
The recent violent attack at Ft. Hood is a perfect example of the continued lack of communications between agencies. As Dr. Pastor's new book (Terrorism and Public Safety Policing) states, extremism is going to get worse in America. As the American economy continues to get worse, government agencies (i.e., law enforcement) will be hard pressed to provide basic police services. This will in turn increase the exposure of our nation's citizens.