IGs, CIOs team on IT security

Collaboration — instead of antagonism — improves outcome for FISMA compliance

Security headaches

When agencies use contractors to manage or host their information technology infrastructure, auditors must also evaluate those systems, said Charles Coe, assistant inspector general for IT audits and computer crime investigations at the Education Department.

“Many things are outsourced, so there’s a lot of turmoil,” he said. “And when agencies change contractors, you have to go out there and test them. We have dozens of IT contractors, and we don’t always know what’s going on in their locations.” The department’ s IG has made some inroads, however, with larger contractors. Education has four major contractor-operated data centers.

The department now makes its security expectations known to vendors before they even get a contract. The department’s chief information officer created a Web portal that contains guidance for contractors so they know the relevant security requirements.

— Mary Mosquera

Inspectors general and chief information officers are on the same side when fortifying agency information security — even though IGs are supposed to poke holes in system security while they search for weaknesses. IGs examine agencies’ documentation and sample systems to audit them for compliance with the Federal Information Security Management Act.
A relationship that is more collegial than combative can reduce problems in the FISMA process and fix vulnerabilities faster and more effectively, IGs say.

“Working together, CIOs and IGs are improving the quality of agencies’ certification and accreditation (C&A) processes and plans of action and milestones,” said Gwen McGowen, deputy assistant IG for information technology audits at the General Services Administration, speaking at the Federal Information Assurance Conference in Washington Oct. 24. 

Relationships between IT employees and the IG are key, said Beth Serepca, leader of the security and information management team in the Office of IG  at the Nuclear Regulatory Commission. Good relationships let CIOs discuss flaws and weaknesses with the IG so they can develop a corrective action, she said.

IGs want to be fair and accurate, said Charles Coe, assistant IG for IT audits and computer crime investigations at the Education Department. His relationship with Education’s CIO is better than with previous CIOs he worked with because CIO Bill Vajda emphasized building communications when he arrived at Education, Coe said. At the same time, the IG and CIO can’t be too close, he added.

“As an auditor, you have to draw the line and keep independent,” he said. 

Many agencies struggle to make an antiquated infrastructure that has been patched together over years meet Office of Management and Budget IT security requirements, Coe said. Agencies can fix only systems they can identify, and that’s done through an inventory. IGs examine only a sample of those systems in any single year. But all systems are tested in the course of three years.

In performing an audit, many examiners depend on results from scanning and penetration tests.
In a July 27 report, the Government Accountability Office highlighted major weaknesses that persisted in agencies’ IT security in access controls, segregation of duties and configuration management, despite having completed the C&A process for those systems. GAO said agencies needed standard measures to help them more realistically determine their state of security.

McGowen also is training auditors to develop better IT security skills and test procedures for FISMA evaluation, including using vulnerability, database and online applications scanning tools.

She said IGs are breaking new ground in the absence of standard methods for assessing information security programs and systems controls. When performing their C&A, agencies should consider internal and external security controls and the effect on agency operations through a risk-based approach that the National Institute of Standards and Technology published in its Risk Management Framework.

In the NIST framework, the most important measure is the continuous monitoring of security controls by agencies, said Tyler Harding, senior manager of federal advisory services at KPMG. Other changes during the past year, such as OMB’s guidance for a common desktop configuration and reporting of breaches of sensitive information and notification, will help agencies comply with FISMA.

“There has been too much emphasis on FISMA paperwork versus security controls testing and too much emphasis on inspecting quality in operations after they are deployed rather than building security and control processes into system,” Harding said. Harding said he expects the FISMA audit process to move toward an emphasis on program controls and performance measures.

Meanwhile, as ag ncies struggle to meet FISMA standards, they also face serious attacks that target federal operations and assets, Harding said. The attacks are often motivated by financial gain and frequently directed at applications, so it is not enough to simply patch operating systems, he added.

“Agencies face a challenging technology environment,” he said. They have large complex IT infrastructures to defend and many information systems to manage. Agencies must deal with cross-platform distributed computing and dynamic operational environments with changing threats, vulnerabilities and technologies, he said. 

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group