Security pieces come together
Federal agencies are moving closer to a common approach to cybersecurity as they work to meet targets for several governmentwide initiatives by the end of this month. Agency officials say those efforts should produce greater security for federal networks and agencies’ missions.
Although the initiatives add up to an overall defense-in-depth strategy, they’ve arisen separately. Each addresses a different element of the larger strategy, said Dan Chenok, senior vice president at Pragmatics and chairman of the Information Security and Privacy Advisory Board. That board advises the National Institute of Standards and Technology.
To properly implement the initiatives, agencies must have effective management and operations, Chenok said.
“Although the initiatives are primarily technical, there are management issues, like training and awareness, and there are operational issues, like incorporating security properly into budgeting and making sure you’ve got security planned for,” he said.
That list of initiatives includes transitioning to IPv6, the next-generation Internet protocol; implementing a software standard, the Federal Desktop Core Configuration for Microsoft’s XP and Vista operating systems; completing Trusted Internet Connections (TIC), a gateway consolidation project; installing gateway-monitoring technology under a program called Einstein; making continued progress on completing security clearances, registering agency personnel and providing personal identity verification cards, a program authorized by Homeland Security Presidential Directive 12.
The Office of Management and Budget, the National Institute of Standards and Technology, and the CIO Council are helping agencies implement those security initiatives, said Karen Evans, OMB’s administrator for e-government and information technology. The TIC and Federal Desktop Core Configuration efforts, in particular, are difficult but necessary, she said. “Agencies understand the threat that we face and the urgency to make our desktops and networks more secure.”
The various initiatives provide different layers of security, Chenok said. The core configuration standard helps agencies manage the security of desktop PCs, and TIC makes monitoring Internet traffic easier by greatly reducing the number of gateways carrying data into and out of agency networks. Meanwhile, IPv6 will make the Internet more versatile and secure.
Complying with the initiatives is leading agencies to take a more systematic view of security, Chenok said. Looking at them as separate and unconnected requirements is innefficient, he added. “If they take a view of them as pieces of an overall security program and try to integrate them, they’re going to have better progress.”
However, that doesn’t mean agencies’ performance is going to dramatically improve overnight, he said. But agencies are aware of how these initiatives can reduce their security risks.
Some agencies, such as the Education Department, have devised processes to handle the overlapping nature of the initiatives so they can prioritize activities and avoid duplicated effort.
Other agencies, such as the Interior Department, have said they are straining to make progress because they are large and decentralized and must apply the security initiatives across a wide area.
Notwithstanding the challenges, agencies understand the importance of security, as highlighted by recently publicized data breaches and cybersecurity incidents, and they know they must get this done, said Ed Meagher, deputy CIO at Interior.
“This is basic hygiene. Most folks have stopped whining a long time ago and put their head down to just try to figure out how to do it,” Meagher said.
Education is implementing its security initiatives as part of an overall infrastructure improvement. The department has help i putting them in place because it awarded a contract for its enterprise infrastructure last year to Perot Systems, said Brian Burns, the department’s deputy CIO.
Because it must manage many initiatives concurrently, Education asked its contractor to integrate its project schedules by program office and by site location.
“That way, we can coordinate among ourselves as IT professionals and across the business side,” Burns said. “I look at it as a stacked model. You always have components, and you have to stack them in the right order.”
Education must impress on the contractors that manage its infrastructure the need to certify and accredit their systems as secure because the federal environment is more strict than the commercial side about that, Burns said.
Education looks to NIST special publications for guidance on implementing security initiatives.
The department tracks more than 160 congressional and executive mandates, including security requirements, Burns said.
Burns compared the initiatives to bricks for a house. “Let’s put the blueprints together and build from the ground up properly so that this house will stand for a long time,” he said.
Like other agencies, Interior readily completed a basic implementation of IPv6, Meagher said. Under TIC, Interior has also reduced the number of its external Internet gateway connections to five. The agency is using the Einstein application to monitor traffic entering and exiting those gateways. However, Interior, is still in the process of shutting down some unauthorized access points.
The department has installed the Federal Desktop Core Configuration and fixed about 80 percent of the problems the secure configuration has caused, Meagher said. For the remaining 20 percent, Interior has been unable to make applications work with that configuration, he said. The problems are typically with older applications that were developed before system standards were established.
“We’ve got to live with them because the cost to change them is prohibitive, so we’re trying to find work-arounds that allow you to continue to use it on a minimally accepted configuration standard,” Meagher said.
Complying with HSPD-12 is another hurdle for Interior, which has enrolled only 17 people in the program. The challenge is completing background checks and issuing cards for 100,000 people departmentwide, Meagher said. “It’s a difficult and expensive process that we’re trying to accommodate. It may take a year or more before we have everybody.”