The Consensus Audit Guidelines are supposed to help agencies fix cybersecurity by focusing on the most dangerous threats first. But critics say the voluntary measures are redundant -- or worse.
For someone like John Streufert, chief information security officer at the State Department, computer security can seem like a mind-numbing numbers game.
In 2009, for instance, the department’s computer incident response team dealt with 3,124 information technology security events. That was a 112 percent increase compared with the previous year. This year, the number is already on track to nearly double again — to as many as 6,000 events. Adding to the challenge, State must protect not only its Washington operation but also 260 embassies and consulates spanning 24 time zones.
In this report
The unrelenting rise in threats can wear a security staff thin, but State officials believe they have some numbers in their favor. The department’s strategy depends, in part, on a package of 20 security practices: the Consensus Audit Guidelines (CAG). The voluntary guidelines, which debuted in February 2009, provide federal agencies and contractors with a short list of the most important defensive measures, or controls.
State is one of the early adopters of the guidelines, also known as the 20 critical security controls, and was part of the consortium that agreed on them in the first place. The group, which also included the National Security Agency, the Defense and Homeland Security departments, and private-sector representatives, established a minimalist philosophy: Enterprises should focus on a few key controls that block the most common types of known attacks. Furthermore, those security controls should be continuously monitored through automated tools whenever possible.
However, some IT security experts question whether CAG covers the same ground as other IT governance frameworks and security programs that agencies already must follow — the eight-year-old Federal Information Security Management Act (FISMA) in particular.
They also wonder whether CAG might unduly focus attention on certain defenses at the expense of the bigger picture, resembling a cybersecurity version of the Maginot line, the infamous French defensive fortifications that German forces sidestepped during their invasion of France in World War II.
Following the advice of CAG is a good first step but is "akin to a quick glance in the mirror before you leave for an important meeting,” said Jon Gossels, president of SystemExperts, an IT security consulting firm. "It answers the question, did I forget my belt? It doesn’t tell you if you are healthy, or in our case, if the agency is operationally secure.”
But CAG adopters appear sold on its emphasis on attack-based metrics and high-priority controls and the more frequent monitoring of those key defenses. They say it is not a replacement or duplication of FISMA but updates and complements it with a more targeted, timely and responsive application of that regimen’s set of defenses.
Indeed, the Office of Management and Budget’s most recent FISMA guidance to agencies in April includes for the first time a goal of continuous monitoring of security information, an apparent nod to that part of CAG.
State, for one, reckons its move to CAG has already paid dividends.
Streufert, who also is deputy chief information officer at State, contrasted the new approach to the department’s previous routine of compiling certification and accreditation reports. Those reports, which document the security compliance of individual systems, have been a staple of FISMA. Critics have long argued that the reports are static and don’t deal with security issues in the here and now.
“Under the old program, we had 60 people writing certification and accreditation reports,” he said. “Under the new program of continuous monitoring, we have 4,135 people all across the world dealing with the most critical cyber problems on a priority basis. It’s a very powerful idea: What if everyone working on security in an organization concentrated on the most critical problems first?”
The Case for CAG
Although State is considered the federal agency most actively deploying the guidelines, a few other agencies are also putting the guidelines to use.
For example, the Nuclear Regulatory Commission has started integrating the guidelines into its processes and strategy, said Patrick Howard, the agency’s CISO.
When the guidelines were published last year, NRC was already working with a common set of controls based on the National Institute of Standards and Technology’s Special Publication 800-53, which includes a catalog of 171 recommended security controls that agencies should follow to comply with FISMA.
NRC is now tuning its security control inventory to include CAG. The CISO staff and IT operations employees worked together to assess CAG requirements, determining areas in which the agency needs to bolster its controls. NRC is in the process of addressing those gaps. “Overall, we think this is going to lead to better security,” Howard said.
His office now expects systems owners to adopt the guidelines that apply to their applications.
Meanwhile, officials at the Centers for Medicare and Medicaid Services said they see CAG as an add-on to existing security measures. “We are not adopting CAG as a separate framework,” said Ryan Brewer, CISO at CMS. “It’s a nice supplement.”
Brewer said the guidelines have been helpful as a best practice as the agency moves toward continuous monitoring. He is mapping his security efforts to both CAG controls and NIST's guidelines.
CISOs view CAG’s prioritization of security controls as its pivotal benefit. Indeed, the preamble to the 20 critical security controls points to the importance of establishing a prioritized baseline of information security measures and controls. Furthermore, the 20 controls “are viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future.”
“What CAG tells us is: Pay attention to the controls that are most likely to be subject to attack,” Streufert said.
State’s analysis of cyberattacks during an 11-month period revealed that all the assaults mapped to five of the 20 critical security controls. That insight helps State focus on the hot spots rather than test dozens of controls that treat every vulnerability equally.
“We decided we were going to be respectful of all 800-53 controls, but…concentrate our efforts,” Streufert said.
That targeted thinking has helped State rapidly deploy security fixes. Earlier this year, officials identified the need to patch Internet Explorer — in light of the Aurora attack — as a top priority. Streufert said State was able to boost the percentage of machines equipped with Microsoft’s patch from 20 percent to 85 percent in six days. He attributes that improvement to prioritization and getting far-flung employees with security duties to focus on the task.
Overall, State’s exposure to security threats has declined. Streufert cited an 89 percent drop in measured risk at domestic locations and 90 percent at foreign sites. The department uses a scoring system to assess the level of risk at its sites. Security personnel view the scores on a dashboard.
John Gilligan, an IT consultant, former Air Force CIO and leader of the consortium behind the CAG, said he sees the guidelines’ influence expanding in government.
“What I have seen is a fairly significant endorsement of the concept that is at the root of the 20 critical controls,” he said. “I think for a number of the organizations, this is the way they are going to operate.”
Streufert said he believes the government will experience a shift from FISMA’s traditional accent on collecting process and compliance metrics to an emphasis on attack-based metrics and automated scanning.
“We are headed into a critical transition period,” Streufert said.
CAG in Question
However, not everyone is convinced of CAG’s imminent ascendancy.
Harry “Bud” Horton, chief technology officer of Accenture’s cybersecurity practice, questions whether CAG is even necessary, given agencies’ adoption of other IT governance and security frameworks. He said most of the federal government uses the Information Technology Infrastructure Library or the Control Objectives for Information and Related Technology as a system configuration and governance framework. Agencies with extensive overseas operations might also use the ISO 27000 family of IT security management standards.
Security officials at agencies that use such frameworks and standards, coupled with FISMA, believe they are already accomplishing CAG objectives, Horton said. “Some of them feel like it is a redundant capability or a redundant set of guidelines,” he added.
Financial considerations might also discourage agencies from pursuing CAG. “Budgets being as tight as they are, agencies are only going to do what they are mandated to do,” Horton said.
Peyton Engel, technical architect at CDW Government, said agencies far along the FISMA track might indeed view CAG as unnecessary. “It is not surprising that these [guidelines] are redundant, if you are someone with a mature FISMA program in place,” he said.
On the other hand, not every organization has a mature FISMA initiative, Engel said. For those entities, CAG provides a tier of guidance that is quickly achievable and can help adopters improve security. Those quick wins include actions such as using an automated tool for asset inventory discovery and installing hard drive encryption software on laptop PCs that contain sensitive data.
“These are things that you don’t have to do major surgery in an organization to implement,” Engel said.
For agencies that have addressed the basics, higher CAG tiers cover hardened configuration and advanced security measures.
“I like the way the guidelines break out the controls into…different levels of complexity to denote what is easy to achieve and what is difficult,” said Patricia Titus, CISO at Unisys and former CISO at the Transportation Security Administration. “This allows you to obtain some low-hanging fruit options.”
But security consultants say agencies that adopt CAG as a quick way to boost security or supplement ongoing efforts should consider the guidelines’ limitations.
Gossels said CAG’s main benefit is in raising the probability that government systems will be less vulnerable to obvious security exposures. He said he sees the guidelines’ primary drawback as their lack of a fundamental conceptual model.
CAG "identifies a few specific trees — control mechanisms — without describing the forest,” he said.
Gossels cited the example of two CAG controls regarding the controlled use of administrator privileges and access based on need to know. He said that when read individually, the controls make sense. The problem emerges when one considers that the two controls are part of the broader umbrella of identity and access management.
“Nowhere does the CAG speak to the issues of request, approval, recertification and disablement life cycle workflow necessary for any functional identity and access management program,” he said.
Gossels said he believes agencies need to look beyond the guidelines to more comprehensive security frameworks. CISOs, for their part, see the CAG controls as a starting point but not a comprehensive security plan.
NRC’s Howard said CAG adopters need to take into account NIST guidance and agency-specific security needs. He said he considers the guidelines a minimum essential security baseline.
“You need to address [CAG] through the prism of local needs and with the expectation that you are going to have to build on those,” Howard said. “You just can’t take those out of the box and implement them and expect them to meet your needs.”
And there's another reason to look beyond CAG: The 20 critical security controls are mainly technical in nature. CMS' Brewer said NIST's SP 800-53 takes into account other factors, such as security awareness, that are “equally important but not as glamorous as the technical ones.”
Streufert said the complete list of NIST controls includes numerous security issues that can’t be diagnosed with an automated security tool. Those include considerations such as whether an organization has adequate physical security and whether all key officials have been trained.
“State’s approach is to keep an eye on all types of controls — technical, managerial and operational — but ensure that the most active attack vectors are handled first,” Streufert said.
In that setup, CAG and SP 800-53 each have a role to play. Although NIST's publication provides a catalog of known security problems, CAG focuses on the most common types of attacks.
“We really need both ideas,” Streufert said.
Adoption of CAG beyond its existing federal users might depend on whether the guidelines become enshrined in law. That’s the thinking of Accenture’s Horton, who said legislation drives much of a CISO’s activities and security programs.
“People are waiting on legislation to see how it is going to be incorporated, if at all,” he said. “Until some legislation mandates how CAG is used in the federal government and how it interacts with…NIST and FISMA, I don’t see a larger widespread adoption.”
Short of legislation, NIST’s adoption of CAG would have a similar codifying effect, Horton added.
But Gilligan said he envisions agencies recognizing CAG principles even without a formal endorsement from NIST or OMB, which directs FISMA reporting. Agency officials might not explicitly refer to CAG, but they still speak of deploying priority controls or pursuing continuous monitoring, he added.
“In essence, it is really the same thing,” Gilligan said.
Some CISOs said they detect CAG’s influence in OMB’s April 21 memo detailing FISMA reporting requirements for 2010. The memo states that agencies “need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way.”
CAG’s imprint might also find its way into new FISMA reporting metrics, which DHS is shepherding. Gilligan said the department is using the 20 critical controls to guide the metrics effort.
"The Consensus Audit Guidelines are helpful," a DHS spokesman said. "However, they are only one small element of an effective information security program."
The spokesman said the federal government's unified information security framework requires that a "complete set of security controls be considered as part of an overall systems security architecture." NIST has been working with DOD, the intelligence community and the Committee on National Security Systems to develop the framework, he added.
“The 20 critical controls [have] had a very significant impact as a catalyst in changing the thought process over the past year,” Gilligan said. “They are not the end-all, but it’s the place you ought to start.”
NEXT STORY: Widgets, Twitter to fuel FEMA emergency alerts