Novel cybersecurity approach has plenty of fans—and naysayers

The Consensus Audit Guidelines are supposed to help agencies fix cybersecurity by focusing on the most dangerous threats first. But critics say the voluntary measures are redundant -- or worse.

For someone like John Streufert, chief information security officer at the State Department, computer security can seem like a mind-numbing numbers game.

In 2009, for instance, the department’s computer incident response team dealt with 3,124 information technology security events. That was a 112 percent increase compared with the previous year. This year, the number is already on track to nearly double again — to as many as 6,000 events. Adding to the challenge, State must protect not only its Washington operation but also 260 embassies and consulates spanning 24 time zones.

The unrelenting rise in threats can wear a security staff thin, but State officials believe they have some numbers in their favor. The department’s strategy depends, in part, on a package of 20 security practices: the Consensus Audit Guidelines (CAG). The voluntary guidelines, which debuted in February 2009, provide federal agencies and contractors with a short list of the most important defensive measures, or controls.

State is one of the early adopters of the guidelines, also known as the 20 critical security controls, and was part of the consortium that agreed on them in the first place. The group, which also included the National Security Agency, the Defense and Homeland Security departments, and private-sector representatives, established a minimalist philosophy: Enterprises should focus on a few key controls that block the most common types of known attacks. Furthermore, those security controls should be continuously monitored through automated tools whenever possible.

However, some IT security experts question whether CAG covers the same ground as other IT governance frameworks and security programs that agencies already must follow — the eight-year-old Federal Information Security Management Act (FISMA) in particular.

They also wonder whether CAG might unduly focus attention on certain defenses at the expense of the bigger picture, resembling a cybersecurity version of the Maginot line, the infamous French defensive fortifications that German forces sidestepped during their invasion of France in World War II.

Following the advice of CAG is a good first step but is “akin to a quick glance in the mirror before you leave for an important meeting,” said Jon Gossels, president of SystemExperts, an IT security consulting firm. “It answers the question, did I forget my belt? It doesn’t tell you if you are healthy, or in our case, if the agency is operationally secure.”

But CAG adopters appear sold on its emphasis on attack-based metrics and high-priority controls and the more frequent monitoring of those key defenses. They say it is not a replacement or duplication of FISMA but updates and complements it with a more targeted, timely and responsive application of that regimen’s set of defenses.

Indeed, the Office of Management and Budget’s most recent FISMA guidance to agencies in April includes for the first time a goal of continuous monitoring of security information, an apparent nod to that part of CAG.

State, for one, reckons its move to CAG has already paid dividends.

Streufert, who also is deputy chief information officer at State, contrasted the new approach to the department’s previous routine of compiling certification and accreditation reports. Those reports, which document the security compliance of individual systems, have been a staple of FISMA. Critics have long argued that the reports are static and don’t deal with security issues in the here and now.

“Under the old program, we had 60 people writing certification and accreditation reports,” he said. “Under the new program of continuous monitoring, we have 4,135 people all across the world dealing with the most critical cyber problems on a priority basis. It’s a very powerful idea: What if everyone working on security in an organization concentrated on the most critical problems first?”

The Case for CAG

Although State is considered the federal agency most actively deploying the guidelines, a few other agencies are also putting the guidelines to use.

For example, the Nuclear Regulatory Commission has started integrating the guidelines into its processes and strategy, said Patrick Howard, the agency’s CISO.

When the guidelines were published last year, NRC was already working with a common set of controls based on the National Institute of Standards and Technology’s Special Publication 800-53, which includes a catalog of 171 recommended security controls that agencies should follow to comply with FISMA.

NRC is now tuning its security control inventory to include CAG. The CISO staff and IT operations employees worked together to assess CAG requirements, determining areas in which the agency needs to bolster its controls. NRC is in the process of addressing those gaps. “Overall, we think this is going to lead to better security,” Howard said.

His office now expects systems owners to adopt the guidelines that apply to their applications.

Meanwhile, officials at the Centers for Medicare and Medicaid Services said they see CAG as an add-on to existing security measures. “We are not adopting CAG as a separate framework,” said Ryan Brewer, CISO at CMS. “It’s a nice supplement.”

Brewer said the guidelines have been helpful as a best practice as the agency moves toward continuous monitoring. He is mapping his security efforts to both CAG controls and NIST's guidelines.

CISOs view CAG’s prioritization of security controls as its pivotal benefit. Indeed, the preamble to the 20 critical security controls points to the importance of establishing a prioritized baseline of information security measures and controls. Furthermore, the 20 controls “are viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future.”

“What CAG tells us is: Pay attention to the controls that are most likely to be subject to attack,” Streufert said.

State’s analysis of cyberattacks during an 11-month period revealed that all the assaults mapped to five of the 20 critical security controls. That insight helps State focus on the hot spots rather than test dozens of controls that treat every vulnerability equally.

“We decided we were going to be respectful of all 800-53 controls, but…concentrate our efforts,” Streufert said.

That targeted thinking has helped State rapidly deploy security fixes. Earlier this year, officials identified the need to patch Internet Explorer — in light of the Aurora attack — as a top priority. Streufert said State was able to boost the percentage of machines equipped with Microsoft’s patch from 20 percent to 85 percent in six days. He attributes that improvement to prioritization and getting far-flung employees with security duties to focus on the task.

Overall, State’s exposure to security threats has declined. Streufert cited an 89 percent drop in measured risk at domestic locations and 90 percent at foreign sites. The department uses a scoring system to assess the level of risk at its sites. Security personnel view the scores on a dashboard.

John Gilligan, an IT consultant, former Air Force CIO and leader of the consortium behind the CAG, said he sees the guidelines’ influence expanding in government.

“What I have seen is a fairly significant endorsement of the concept that is at the root of the 20 critical controls,” he said. “I think for a number of the organizations, this is the way they are going to operate.”

Streufert said he believes the government will experience a shift from FISMA’s traditional accent on collecting process and compliance metrics to an emphasis on attack-based metrics and automated scanning.

“We are headed into a critical transition period,” Streufert said.

CAG in Question

However, not everyone is convinced of CAG’s imminent ascendancy.

Harry “Bud” Horton, chief technology officer of Accenture’s cybersecurity practice, questions whether CAG is even necessary, given agencies’ adoption of other IT governance and security frameworks. He said most of the federal government uses the Information Technology Infrastructure Library or the Control Objectives for Information and Related Technology as a system configuration and governance framework. Agencies with extensive overseas operations might also use the ISO 27000 family of IT security management standards.

Security officials at agencies that use such frameworks and standards, coupled with FISMA, believe they are already accomplishing CAG objectives, Horton said. “Some of them feel like it is a redundant capability or a redundant set of guidelines,” he added.

Financial considerations might also discourage agencies from pursuing CAG. “Budgets being as tight as they are, agencies are only going to do what they are mandated to do,” Horton said.

Peyton Engel, technical architect at CDW Government, said agencies far along the FISMA track might indeed view CAG as unnecessary. “It is not surprising that these [guidelines] are redundant, if you are someone with a mature FISMA program in place,” he said.

On the other hand, not every organization has a mature FISMA initiative, Engel said. For those entities, CAG provides a tier of guidance that is quickly achievable and can help adopters improve security. Those quick wins include actions such as using an automated tool for asset inventory discovery and installing hard drive encryption software on laptop PCs that contain sensitive data.

“These are things that you don’t have to do major surgery in an organization to implement,” Engel said.

For agencies that have addressed the basics, higher CAG tiers cover hardened configuration and advanced security measures.

“I like the way the guidelines break out the controls into…different levels of complexity to denote what is easy to achieve and what is difficult,” said Patricia Titus, CISO at Unisys and former CISO at the Transportation Security Administration. “This allows you to obtain some low-hanging fruit options.”

But security consultants say agencies that adopt CAG as a quick way to boost security or supplement ongoing efforts should consider the guidelines’ limitations.

Gossels said CAG’s main benefit is in raising the probability that government systems will be less vulnerable to obvious security exposures. He said he sees the guidelines’ primary drawback as their lack of a fundamental conceptual model.

CAG “identifies a few specific trees — control mechanisms — without describing the forest,” he said.

Gossels cited the example of two CAG controls regarding the controlled use of administrator privileges and access based on need to know. He said that when read individually, the controls make sense. The problem emerges when one considers that the two controls are part of the broader umbrella of identity and access management.

“Nowhere does the CAG speak to the issues of request, approval, recertification and disablement life cycle workflow necessary for any functional identity and access management program,” he said.

Gossels said he believes agencies need to look beyond the guidelines to more comprehensive security frameworks. CISOs, for their part, see the CAG controls as a starting point but not a comprehensive security plan.

NRC’s Howard said CAG adopters need to take into account NIST guidance and agency-specific security needs. He said he considers the guidelines a minimum essential security baseline.

“You need to address [CAG] through the prism of local needs and with the expectation that you are going to have to build on those,” Howard said. “You just can’t take those out of the box and implement them and expect them to meet your needs.”

And there's another reason to look beyond CAG: The 20 critical security controls are mainly technical in nature. CMS' Brewer said NIST's SP 800-53 takes into account other factors, such as security awareness, that are “equally important but not as glamorous as the technical ones.”

Streufert said the complete list of NIST controls includes numerous security issues that can’t be diagnosed with an automated security tool. Those include considerations such as whether an organization has adequate physical security and whether all key officials have been trained.

“State’s approach is to keep an eye on all types of controls — technical, managerial and operational — but ensure that the most active attack vectors are handled first,” Streufert said.

In that setup, CAG and SP 800-53 each have a role to play. Although NIST's publication provides a catalog of known security problems, CAG focuses on the most common types of attacks.

“We really need both ideas,” Streufert said.

CAG Prospects

Adoption of CAG beyond its existing federal users might depend on whether the guidelines become enshrined in law. That’s the thinking of Accenture’s Horton, who said legislation drives much of a CISO’s activities and security programs.

“People are waiting on legislation to see how it is going to be incorporated, if at all,” he said. “Until some legislation mandates how CAG is used in the federal government and how it interacts with…NIST and FISMA, I don’t see a larger widespread adoption.”

Short of legislation, NIST’s adoption of CAG would have a similar codifying effect, Horton added.

But Gilligan said he envisions agencies recognizing CAG principles even without a formal endorsement from NIST or OMB, which directs FISMA reporting. Agency officials might not explicitly refer to CAG, but they still speak of deploying priority controls or pursuing continuous monitoring, he added.

“In essence, it is really the same thing,” Gilligan said.

Some CISOs said they detect CAG’s influence in OMB’s April 21 memo detailing FISMA reporting requirements for 2010. The memo states that agencies “need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way.”

CAG’s imprint might also find its way into new FISMA reporting metrics, which DHS is shepherding. Gilligan said the department is using the 20 critical controls to guide the metrics effort.

"The Consensus Audit Guidelines are helpful," a DHS spokesman said. "However, they are only one small element of an effective information security program."

The spokesman said the federal government's unified information security framework requires that a "complete set of security controls be considered as part of an overall systems security architecture." NIST has been working with DOD, the intelligence community and the Committee on National Security Systems to develop the framework, he added.

“The 20 critical controls [have] had a very significant impact as a catalyst in changing the thought process over the past year,” Gilligan said. “They are not the end-all, but it’s the place you ought to start.”
