2008 Watch List: Security initiatives show promise

Agencies are on schedule to reach major milestones for several security initiatives that the Office of Management and Budget launched during the past several years. As those milestones converge in the final year of the Bush administration, government security efforts will provide greater security for federal networks and agencies’ missions, security experts inside and outside of government say. “I am guardedly optimistic that the stars are beginning to align on cybersecurity,” said Paul Kurtz, chief operating officer of Good Harbor Consulting. Kurtz said security finally is gaining the executive attention it deserves and, he added, the funding to safeguard federal information systems and networks. Converging security efforts include Homeland Security Presidential Directive 12, the transition to IPv6, implementation of the Federal Desktop Core Configuration for Microsoft’s XP and Vista operating systems, the Information Technology Infrastructure and Information Systems Security lines of business, the Trusted Internet Connections initiative, a gateway monitoring application called Einstein, and OMB’s security requirements for preventing and responding to data breaches and complying with the Federal Information Security Management Act. OMB has brought together a variety of initiatives into a governmentwide security program. For example, the deadline dates for implementing one program, IPv6, overlap with the deadline for the Trusted Internet Connections initiative, said Dan Chenok, vice president at SRA International. He also is the chairman of the Information Security and Privacy Advisory Board, a group that makes recommendations to the National Institute of Standards and Technology. “The initiatives are mutually enforcing,” Chenok said. “You might see these as different components of a defense- in-depth posture.” The desktop core configuration standard helps agencies manage security at a desktop level, Trusted Internet Connections works at the network level and HSPD-12 at the log-on level. IPv6 secures data transfers. Each one is a different piece of the same puzzle, Chenok said. Agencies are required to run IPv6 on their backbone networks by June, a mandate that coincides with the expiration of telecommunications and network services under the General Services Administration’s FTS 2001 contracts. Agencies are preparing to migrate to Networx, the follow- on contracts, said Karen Evans, OMB’s administrator for e-government and IT. While that transition happens, agencies that are upgrading their operating systems must implement the Federal Desktop Core Configuration. Having a standard configuration makes security patches easier to apply. In addition, managers will know who is accessing the agency network when agencies implement two-factor authentication by using HSPD- 12 cards. That will become a standard business practice, Evans said. Another initiative that is reaching a major milestone is OMB’s Infrastructure LOB, which requires performance metrics for telecom, desktops and data centers. For its most recent security initiative, the Trusted Internet Connections program, OMB directed agencies to reduce the number of Internet gateways they use. Agencies will strengthen security at those fewer gateways with the Einstein application, which monitors traffic at each gateway. “Many of the security efforts build upon each other,” Evans said. “That’s the reason why we have similar target dates.” OMB also asked agencies to begin using the desktop core configuration by February and HSPD-12 by October. As those programs are progressing — some more slowly than others — agency compliance with FISMA is advancing to a new level by incorporating a risk-based approach to security. NIST, the Defense Department and the Office of the Director for National Intelligence are developing standard security controls for all agencies. The intelligence and defense communities and NIST will modify their security requirements documents by December, said Ron Ross, a NIST senior computer scientist. All the ongoing security efforts couldn’t have been successful five years ago because agencies did not view themselves as one federal government, Evans said. “Agencies think more in a collaborative fashion, and technology’s evolved enough so we’re ready to move on to the next generation of services.” Those security efforts aren’t just about protecting agencies, Evans said, adding that security is about ensuring public trust. Kurtz said enormous security problems inside agencies have propelled the convergence of governmentwide security initiatives. “Network security inside the government is so porous that the bad guys — China and Russia — have been able to exfiltrate vast amounts of data,” Kurtz said. “Only by learning the hard way is government stepping up to the plate and starting to devote senior-level attention and money to address these issues.” Kurtz said Evans deserves much credit for laying the foundation. “Now that we have far more senior-level attention across federal agencies, we may see more rapid execution [of] those mandates that were put in place,” Kurtz said. However, getting funding to fulfill those mandates still is a challenge for large departments and agencies. Pat Howard, chief information security officer at the Housing and Urban Development Department, said that for the department, which outsources its information technology infrastructure, prioritizing all the federal security requirements requires a high level of coordination. “If we’re saying that our networks are so important to us in order to do the people’s business, then we need to be able to resource those requirements,” Howard said. Evans said the president’s 2008 budget contains sufficient funding — more than $6 billion — for security initiatives. “It just might mean that out of the money that you were planning to spend,” Evans said, “you might want to redirect some of these things because not everybody needs to build out a firewall, not everyone has to build out 24/7 capabilities, not everybody has to have all of these things. What we’re trying to do is leverage who does it well and have them do it.”