Experts tackle guidance to stop cyberattacks

A group of information security analysts in government and industry plans to publish guidance in six months to identify the most effective protections against the vulnerabilities most often exploited in cyberattacks, according to John Gilligan, president of the Gilligan Group and former chief information officer of the Air Force and Energy Department. He leads the effort.

The ultimate goal of the organization, which has not yet been named, is to get the Office of Management and Budget to revise its security guidance and to have agencies incorporate those guidelines, Gilligan said Nov. 21 at a security conference sponsored by 1105 Government Information Group, which publishes Federal Computer Week.

The guidelines would help agencies decide which controls to implement and measure for next-generation security assessments, Gilligan said. Agencies currently conduct and document certification and accreditation of their major computer systems to comply with requirements of the Federal Information Security Management Act. OMB directs agency inspectors general to evaluate the documentation to determine whether the systems meet security requirements. That process still does not assure agency information security, he said.

“FISMA has the right objectives. But agencies spend a lot for security with little confidence that it is effective,” Gilligan said. The guidelines would establish measures and activities so CIOs would have more confidence in agencies' security, he said.

The security experts are from agencies that include the Defense, Justice, Homeland Security and Energy departments, the National Security Agency and Government Accountability Office. They are combining their knowledge to define the most important defensive investments that CIOs could make in cybersecurity, he said.

“People on this list understand offense and already have experience with attacks,” Gilligan said. He anticipates a preliminary view of the guidelines in February.

For example, when Gilligan was the Air Force's CIO, the National Security Agency found that 80 percent of the service's vulnerabilities were due to incorrectly configured commercial software. Gilligan said he worked with NSA, other federal agencies, and Microsoft to create the Secure Desktop Configuration for the Air Force, which OMB later adopted governmentwide as the Federal Desktop Core Configuration.

After the consensus guidelines are published for public comment and revision, the Chief Information Officers Council plans to review them. If they are acceptable, the council will ask OMB to revise its guidance to use the controls highlighted in the consensus guidelines to measure FISMA, said Alan Paller, research director at SANS Institute.

The guidelines would define the security controls that would be best to stop an attack or help an agency quickly recover from known attacks and provide real-world examples of those attacks, he said. The guidelines would also describe how to validate the effectiveness of those controls, typically through automation, such as a computer application, Paller said.

Agencies should pay more attention to correcting known risks to the security of the agency’s mission, he said. “If you know the known bads, fix them. Don’t do just compliance. Know how they got in and stop them; know how they got in, find them,” Paller said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
