Experts tackle guidance to stop cyberattacks

A group of information security analysts in government and industry plans to publish guidance in six months to identify the most effective protections against the vulnerabilities most often exploited in cyberattacks, according to John Gilligan, president of the Gilligan Group and former chief information officer of the Air Force and Energy Department. He leads the effort.

The ultimate goal of the organization, which has not yet been named, is to get the Office of Management and Budget to revise its security guidance and for agencies to incorporate those guidelines, Gilligan said Nov. 21 at a security conference sponsored by 1105 Government Information Group, which publishes Federal Computer Week.

The guidelines would help agencies decide which controls to implement and measure for next-generation security assessments, Gilligan said. Agencies currently conduct and document certification and accreditation of their major computer systems to comply with requirements of the Federal Information Security Management Act. OMB directs agency inspectors general to evaluate the documentation to determine whether the systems meet security requirements. That process still does not assure agency information security, he said.

“FISMA has the right objectives. But agencies spend a lot for security with little confidence that it is effective,” Gilligan said. The guidelines would establish measures and activities so CIOs would have more confidence in agencies' security, he said.

The security experts are from agencies that include the Defense, Justice, Homeland Security and Energy departments, the National Security Agency and Government Accountability Office. They are combining their knowledge to define the most important defensive investments that CIOs could make in cybersecurity, he said.

“People on this list understand offense and already have experience with attacks,” Gilligan said. Gilligan said he anticipates a preliminary view of the guidelines in February.

For example, when Gilligan was the Air Force's CIO, the National Security Agency found that 80 percent of the service's vulnerabilities were due to incorrectly configured commercial software. Gilligan said he worked with NSA, other federal agencies, and Microsoft to create the Secure Desktop Configuration for the Air Force, which OMB later adopted governmentwide as the Federal Desktop Core Configuration.

After the consensus guidelines are published for public comment and revision, the Chief Information Officers Council plans to review them. If they are acceptable, the council will ask OMB to revise its guidance to use the controls highlighted in the consensus guidelines to measure FISMA, said Alan Paller, research director at SANS Institute.

The guidelines would define the security controls that would be best to stop an attack or help an agency quickly recover from known attacks and provide real-world examples of those attacks, he said. The guidelines would also describe how to validate the effectiveness of those controls, typically through automation, such as a computer application, Paller said.

Agencies should pay more attention to correcting known risks to the security of the agency’s mission, he said. “If you know the known bads, fix them. Don’t do just compliance. Know how they got in and stop them; know how they got in, find them,” Paller said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.