IGs, CIOs team on IT security

Collaboration — instead of antagonism — improves outcome for FISMA compliance

Security headaches

When agencies use contractors to manage or host their information technology infrastructure, auditors must also evaluate those systems, said Charles Coe, assistant inspector general for IT audits and computer crime investigations at the Education Department.

“Many things are outsourced, so there’s a lot of turmoil,” he said. “And when agencies change contractors, you have to go out there and test them. We have dozens of IT contractors, and we don’t always know what’s going on in their locations.” The department’s IG has made some inroads, however, with larger contractors. Education has four major contractor-operated data centers.

The department now makes its security expectations known to vendors before they even get a contract. The department’s chief information officer created a Web portal that contains guidance for contractors so they know the relevant security requirements.

— Mary Mosquera

Inspectors general and chief information officers are on the same side when fortifying agency information security — even though IGs are supposed to poke holes in system security while they search for weaknesses. IGs examine agencies’ documentation and sample systems to audit them for compliance with the Federal Information Security Management Act. A relationship that is more collegial than combative can reduce problems in the FISMA process and fix vulnerabilities faster and more effectively, IGs say.

“Working together, CIOs and IGs are improving the quality of agencies’ certification and accreditation (C&A) processes and plans of action and milestones,” said Gwen McGowen, deputy assistant IG for information technology audits at the General Services Administration, speaking at the Federal Information Assurance Conference in Washington Oct. 24. 

Relationships between IT employees and the IG are key, said Beth Serepca, leader of the security and information management team in the Office of IG at the Nuclear Regulatory Commission. Good relationships let CIOs discuss flaws and weaknesses with the IG so they can develop a corrective action, she said.

IGs want to be fair and accurate, said Charles Coe, assistant IG for IT audits and computer crime investigations at the Education Department. His relationship with Education’s CIO is better than with previous CIOs he worked with because CIO Bill Vajda emphasized building communications when he arrived at Education, Coe said. At the same time, the IG and CIO can’t be too close, he added.

“As an auditor, you have to draw the line and keep independent,” he said. 

Many agencies struggle to make an antiquated infrastructure that has been patched together over years meet Office of Management and Budget IT security requirements, Coe said. Agencies can fix only systems they can identify, and that’s done through an inventory. IGs examine only a sample of those systems in any single year. But all systems are tested in the course of three years.

In performing an audit, many examiners depend on results from scanning and penetration tests.

In a July 27 report, the Government Accountability Office highlighted major weaknesses that persisted in agencies’ IT security in access controls, segregation of duties and configuration management, despite having completed the C&A process for those systems. GAO said agencies needed standard measures to help them more realistically determine their state of security.

McGowen also is training auditors to develop better IT security skills and test procedures for FISMA evaluation, including using vulnerability, database and online applications scanning tools.

She said IGs are breaking new ground in the absence of standard methods for assessing information security programs and systems controls. When performing their C&A, agencies should consider internal and external security controls and the effect on agency operations through a risk-based approach that the National Institute of Standards and Technology published in its Risk Management Framework.

In the NIST framework, the most important measure is the continuous monitoring of security controls by agencies, said Tyler Harding, senior manager of federal advisory services at KPMG. Other changes during the past year, such as OMB’s guidance for a common desktop configuration and reporting of breaches of sensitive information and notification, will help agencies comply with FISMA.

“There has been too much emphasis on FISMA paperwork versus security controls testing and too much emphasis on inspecting quality in operations after they are deployed rather than building security and control processes into systems,” Harding said. Harding said he expects the FISMA audit process to move toward an emphasis on program controls and performance measures.

Meanwhile, as agencies struggle to meet FISMA standards, they also face serious attacks that target federal operations and assets, Harding said. The attacks are often motivated by financial gain and frequently directed at applications, so it is not enough to simply patch operating systems, he added.

“Agencies face a challenging technology environment,” he said. They have large complex IT infrastructures to defend and many information systems to manage. Agencies must deal with cross-platform distributed computing and dynamic operational environments with changing threats, vulnerabilities and technologies, he said. 

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
