Security pieces come together

Federal agencies are moving closer to a common approach to cybersecurity as they work to meet targets for several governmentwide initiatives by the end of this month. Agency officials say those efforts should produce greater security for federal networks and agencies’ missions.

Although the initiatives add up to an overall defense-in-depth strategy, they’ve arisen separately. Each addresses a different element of the larger strategy, said Dan Chenok, senior vice president at Pragmatics and chairman of the Information Security and Privacy Advisory Board. That board advises the National Institute of Standards and Technology.

To properly implement the initiatives, agencies must have effective management and operations, Chenok said.

“Although the initiatives are primarily technical, there are management issues, like training and awareness, and there are operational issues, like incorporating security properly into budgeting and making sure you’ve got security planned for,” he said.

That list of initiatives includes transitioning to IPv6, the next-generation Internet protocol; implementing a software standard, the Federal Desktop Core Configuration for Microsoft’s XP and Vista operating systems; completing Trusted Internet Connections (TIC), a gateway consolidation project; installing gateway-monitoring technology under a program called Einstein; making continued progress on completing security clearances, registering agency personnel and providing personal identity verification cards, a program authorized by Homeland Security Presidential Directive 12. 

The Office of Management and Budget, the National Institute of Standards and Technology, and the CIO Council are helping agencies implement those security initiatives, said Karen Evans, OMB’s administrator for e-government and information technology. The TIC and Federal Desktop Core Configuration efforts, in particular, are difficult but necessary, she said. “Agencies understand the threat that we face and the urgency to make our desktops and networks more secure.”

The various initiatives provide different layers of security, Chenok said. The core configuration standard helps agencies manage the security of desktop PCs, and TIC makes monitoring Internet traffic easier by greatly reducing the number of gateways carrying data into and out of agency networks. Meanwhile, IPv6 will  make the Internet more versatile and secure.

Complying with the initiatives is leading agencies to take a more systematic view of  security, Chenok said. Looking at them as separate and unconnected requirements is innefficient, he added. “If they take a view of them as pieces of an overall security program and try to integrate them, they’re going to have better progress.”

However, that doesn’t mean agencies’ performance is going to dramatically improve overnight, he said. But agencies are aware of how these initiatives can reduce their security risks.  

Some agencies, such as the Education Department, have devised processes to handle the overlapping nature of the initiatives so they can prioritize activities and avoid duplicated effort.

Other agencies, such as the Interior Department, have said they are straining to make progress because they are large and decentralized and must apply the security initiatives across a wide area.
Notwithstanding the challenges, agencies understand the importance of security, as highlighted by recently publicized data breaches and cybersecurity incidents, and they know they must get this done, said Ed Meagher, deputy CIO at Interior.

“This is basic hygiene. Most folks have stopped whining a long time ago and put their head down to just try to figure out how to do it,” Meagher said.

Education is implementing its security initiatives as part of an overall infrastructure improvement. The department has help i putting them in place because it awarded a contract for its enterprise infrastructure last year to Perot Systems, said Brian Burns, the department’s deputy CIO.

Because it must manage many initiatives concurrently, Education asked its contractor to integrate its project schedules by program office and by site location.

“That way, we can coordinate among ourselves as IT professionals and across the business side,” Burns said. “I look at it as a stacked model. You always have components, and you have to stack them in the right order.”

Education must impress on the contractors that manage its infrastructure the need to certify and accredit their systems as secure because the federal environment is more strict than the commercial side about that, Burns said.

Education looks to NIST special publications for guidance on implementing security initiatives.
The department tracks more than 160 congressional and executive mandates, including security requirements, Burns said.

Burns compared the initiatives to bricks for a house. “Let’s put the blueprints together and build from the ground up properly so that this house will stand for a long time,” he said. 

Like other agencies, Interior readily completed a basic implementation of IPv6, Meagher said. Under TIC, Interior has also reduced the number of its external Internet gateway connections to five. The agency is using the Einstein application to monitor traffic entering and exiting those gateways. However, Interior, is still in the process of shutting down some unauthorized access points.

The department has installed the Federal Desktop Core Configuration and fixed about 80 percent of the problems the secure configuration has caused, Meagher said. For the remaining 20 percent, Interior has been unable to make applications work with that configuration, he said. The problems are typically with older applications that were developed before system standards were established. 

“We’ve got to live with them because the cost to change them is prohibitive, so we’re trying to find work-arounds that allow you to continue to use it on a minimally accepted configuration standard,” Meagher said.

Complying with HSPD-12 is another hurdle for Interior, which has enrolled only 17 people in the program. The challenge is completing background checks and issuing cards for 100,000 people departmentwide, Meagher said. “It’s a difficult and expensive process that we’re trying to accommodate. It may take a year or more before we have everybody.” 

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.

Featured

  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above