Justice submits its security tool as the standard for every agency to follow
Using a homegrown accountability client, the Justice Department is attempting to become a Center of Excellence for the Cybersecurity Line of Business Consolidation initiative.
Dennis Heretick, DOJ’s chief information security officer and director of its IT security staff, said Justice submitted a business case to the Office of Management and Budget describing how its Cyber Security Assessment and Management (CSAM) system should become the standard for all agencies.
The “LOB concept is an excellent way for us to go about doing business,” Heretick said. “We share a lot of the same requirements, and it makes sense for us to share ideas and processes.”
OMB’s goal with the cybersecurity LOB is to make innovative agency systems the standard for certain IT security functions, such as training, incident response, disaster recovery, contingency planning and how agencies select security products. An interagency task force met in March, and agencies must submit business cases to OMB by Sept. 12 to be considered as a Center of Excellence.
While federal officials would not comment on which agencies besides Justice submitted their applications to OMB, experts outside government said a number of agency systems stand out.
Alan Paller, director of the SANS Institute of Bethesda, Md., said the Transportation Department has a good system to manage vulnerabilities, while the Defense Department and the Office of Personnel Management have solid training programs. He said the Environmental Protection Agency also has a good Federal Information Security Management Act reporting tool, in addition to the one that Justice is submitting to OMB.
LOB “allows us a clearinghouse for adopting ... best practices,” Heretick said.
Heretick said Justice’s CSAM tool aims to keep hackers out of the department’s computer systems and comply with FISMA requirements.
“The first focus of what we do is to support [DOJ’s] mission,” he said.
That mission is to prevent terrorism, he said, adding that “a big part of that is about sharing information and connecting the data.”
The tool has two specific components: a homegrown Certification and Accreditation (C&A) client that uses Microsoft Access at the desktop level, and TrustedAgent FISMA, an application written in Java by Trusted Integration Inc. of Alexandria, Va., that lets supervisors verify that DOJ security employees are performing the tasks necessary to bolster Justice’s IT networks. Repetition and accountability are built into CSAM, so that if one step in the process is skipped or neglected, DOJ supervisors can find out who skipped it, what was missed, where and how.
“These tools provide online procedures, templates and subject-matter expert help instructions that allow us to emphasize implementing security versus spending on documenting security plans,” Heretick said.
Trusted Integration president Tri Phan said TrustedAgent FISMA is “a key component of DOJ’s enterprise security solution” and helped in improving the agency’s FISMA congressional scorecard by standardizing information security compliance, reducing costs and eliminating manual reporting of FISMA information.
TrustedAgent FISMA is an enterprise information security management product that automates FISMA data management and reporting for government agencies, Phan said. The software uses Java technologies and runs on Microsoft Windows platforms. The State and Homeland Security departments also use the system, Phan said.
Heretick said he and two colleagues developed the C&A client in-house starting in 2000 while at the Defense Department. The product worked so well that he brought it to Justice when he arrived two years ago. The tool “produced automated support for the certification process,” he said.