4 tips for a strong defense

Many agency officials still struggle to meet FISMA obligations and could use some help.

Agency efforts to tighten system security have evolved in recent months from documenting weaknesses to deploying security safeguards, said experts familiar with federal programs.

For the past several years, federal officials have focused on documenting the actions to certify and accredit their systems. Submitting systems to rigorous security certification and accreditation procedures is mandatory under the Federal Information Security Management Act (FISMA) of 2002. But some security experts, such as Alan Paller, research director of the SANS Institute, said those lengthy certification and accreditation procedures have sometimes hobbled the efforts of agency managers to secure their mission-critical systems.

On the federal government's annual cybersecurity report cards last year, for example, 14 out of 24 agencies received a D or an F for systems security.

Security experts said agency officials must go beyond certifying and accrediting their systems once every few years. Officials at the Office of Management and Budget and the Defense Department "have begun to tell people out loud that the old way of doing certification and accreditation is inadequate," Paller said. As a result, agency officials have stepped up efforts to continuously monitor their security controls and immediately fix vulnerabilities, he said.

Many agency officials said they have made efforts to comply with FISMA. The law provides a comprehensive framework to ensure effective information security controls on systems that support federal operations. OMB officials have threatened to withhold funding for agencies that cannot show adequate progress on meeting FISMA requirements, said Dan Burton, vice president of government affairs at Entrust Inc., an information security company.

When agencies' chief information officers must report to OMB Oct. 6 about the status of their FISMA compliance, OMB officials will know more than ever about the security of federal systems. "Going into this cycle, OMB is going to have a whole lot more information, [and] they may be more definitive in some of their decisions," Burton said.

Experts such as Burton said many agency officials still struggle to meet FISMA obligations and could use some help. Here are four crucial steps that experts said officials should take to protect their systems.

1. Assess what you've got

Agency officials' first step should be to complete a systems inventory and then assess the impact on the agency if data from any of those systems were accessed by unauthorized users, improperly modified or rendered unavailable, said Ron Ross, program manager of the system certification and accreditation program at the National Institute of Standards and Technology, which publishes FISMA technical guidance for agencies.

Federal leaders have struggled with this first step, and officials at only five of the 24 agencies that received FISMA grades last year had completed an inventory and risk assessment of mission-critical systems.

Gaining experience at assessing risk is an important part of improving systems security, FISMA experts said. "We can't afford to protect all of our systems all of the time with the same degree of rigor," Ross said. Instead, risk assessment is "a drill in prioritization."

Ross said agency managers should push the categorization of risk to the highest levels in the agency. Involve senior agency officials, he said, and avoid requiring system owners, who may have distorted views of the value of their systems, to characterize their importance.

Although federal officials are categorizing systems, they should avoid getting mired in the inventory process, Burton said. It is unnecessary, for example, for officials to inventory all of their systems before beginning to fix high-risk ones that have vulnerabilities. "Fixing the mission-critical vulnerabilities first is a way to go, so you don't get bogged down doing endless inventory," he said.

2. Set your baseline

After agency managers have assessed the potential impact of a security compromise of agency systems, they should protect them by setting appropriate baseline security controls as outlined in NIST's technical documents.

"The trick is to cover as many vulnerabilities as you can to protect your mission," Ross said. His recommendation for security controls is: "If [a system] is part of our critical infrastructure, we are going to throw all of our security controls at this high-impact type of system."

For efficiency's sake, some security controls can be managed centrally and applied to multiple systems in the same risk category without burdening every system owner with setting controls, Ross said.

Gaining political support is equally important, federal security experts said. As agency officials maneuver to set security controls on information systems, they must garner the support of senior-level managers — often above even the CIO level — to ensure that systems security is considered a management responsibility and not a technology problem, Burton said.

Without a sense of accountability for systems security among an agency's highest officials, "you don't get the resources and the priority, and it gets pigeonholed as a technology issue that the CIO needs to get fixed," he said.

3. Monitor, fix, repeat

After agency officials set systems security controls, they must continuously monitor the systems to ensure that the controls remain in place and new vulnerabilities are repaired, Paller said. Some agencies, such as the Transportation Department, use automated tools that continuously scan their networks to discover vulnerabilities and ensure compliance with security policies.

"The key is to check every week and to check all your systems," Paller said. "You create escalation and visibility reporting so that every part of the agency knows who is not securing their systems," he said. "You use peer pressure to get the energy to the parts of the agency that are not acting."

Vulnerability monitoring and management tools perform more than traditional security functions, such as intrusion detection and log analysis. They offer agencies a dashboard or report-card view of systems security based on established policies, said John Hunt, a principal with PricewaterhouseCoopers' federal practice.

"If somebody sets up a new server and it doesn't meet the policy, it will report that," Hunt said. "You can start to get some red, yellow and green lights on how you are doing on policies."

Such automated tools can help agency officials who still struggle with policy enforcement, said Mayi Canales, president and chief executive officer of consulting firm M2 Strategies Inc. and a former CIO at the Treasury Department. "Imagine if you manually had to check logs every night for everything that hangs off your network," she said. "You need policies and procedures that tie change and configuration management easily into the actual network."
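The prioritization drill from step 1 and the report-card view from step 3 can be wired together in a small script. The example below is added here and is not from the article or any of the tools it mentions; the inventory, the scan rows, the unit names and the high-water-mark rule (taken from NIST's FIPS 199 categorization, which the article does not cite) are all constructed assumptions. It grades each system red, yellow or green against weekly policy-check results, flags a server the scanner found that nobody inventoried, and orders the fix list mission-critical first.

```python
from collections import defaultdict

RANK = {"low": 0, "moderate": 1, "high": 2}

# Constructed inventory: owning unit plus impact of disclosure, modification, unavailability.
INVENTORY = {
    "case-mgmt":     {"unit": "Field",   "impact": ("high", "high", "high")},
    "payroll-db":    {"unit": "Finance", "impact": ("moderate", "high", "moderate")},
    "public-web":    {"unit": "Comms",   "impact": ("low", "moderate", "moderate")},
    "intranet-wiki": {"unit": "Comms",   "impact": ("low", "low", "low")},
}
# Constructed weekly scan output: (system, policy check, pass/fail/unknown).
FINDINGS = [
    ("case-mgmt",     "patch-level",   "fail"),
    ("payroll-db",    "audit-logging", "unknown"),   # scanner could not verify
    ("lab-server-7",  "patch-level",   "fail"),      # new box, not in the inventory
    ("public-web",    "patch-level",   "fail"),
    ("intranet-wiki", "patch-level",   "pass"),
]

def impact_rank(system, inventory):
    """High-water mark (FIPS 199 convention, assumed); unregistered systems count as high."""
    if system not in inventory:
        return RANK["high"]
    return max(RANK[level] for level in inventory[system]["impact"])

def light(results):
    """Red if any check failed, yellow if any could not be verified, else green."""
    if "fail" in results:
        return "red"
    return "yellow" if "unknown" in results else "green"

def report_card(inventory, findings):
    """Return ({unit: {system: light}}, failed checks ordered mission-critical first)."""
    seen = defaultdict(list)
    for system, _check, result in findings:
        seen[system].append(result)
    card = defaultdict(dict)
    for system in set(inventory) | set(seen):
        if system in inventory:   # never scanned this week -> yellow, not silently green
            card[inventory[system]["unit"]][system] = light(seen.get(system, ["unknown"]))
        else:                     # only the scanner knows about it -> red until categorized
            card["UNREGISTERED"][system] = "red"
    fixes = sorted(((s, c) for s, c, r in findings if r == "fail"),
                   key=lambda sc: -impact_rank(sc[0], inventory))
    return dict(card), fixes

def escalations(card):
    """Units with at least one red light, for the agency-wide visibility report."""
    return sorted(unit for unit, systems in card.items() if "red" in systems.values())
```

Feeding the card into a weekly agency-wide report is what gives the "escalation and visibility" Paller describes: every unit with a red light is named, and the fix list tells each owner what to repair first.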

4. Keep training

Agency officials cannot simply identify and fix vulnerabilities, most security experts said. They must keep employees informed and well-trained in systems security procedures. Officials should require quarterly updates of passwords and policies, said J.R. Reagan, managing director of BearingPoint Inc.'s public services solutions group.

"Agencies really need to get to application owners, where the rubber meets the road, and describe vulnerabilities," Reagan said. "That perks people up."

Without communication, security efforts can't be sustained, he added. OMB officials have given agencies a couple of years to complete the fundamentals, he said, "and now they are looking for agencies to sustain" those efforts.

Havenstein is a freelance writer based in Cary, N.C.
