[ISN] Requirements to improve security may hurt more than they help
By COURTNEY MABEUS
March 20, 2008
With threats of cyber attacks mounting, federal chief information
officers say ensuring data security is one of their most important
roles. But in a survey released last month, many say the mandates they
must comply with may be impeding — rather than improving — security.
The Federal Information Security Management Act became law five years
ago requiring agencies to establish controls to protect sensitive data
contained in information technology systems. It requires agencies to
inventory systems and to develop standards for categorizing information
contained within them by risk.
The Office of Management and Budget has complicated matters, some
experts say, by placing even more demands on CIOs, including mandates
that all laptops be encrypted and a governmentwide plan to cut down on
the number of Internet connections.
In an annual survey released by the Information Technology Association
of America in February, CIOs interviewed said they question whether the
return on their investments is outweighed by the burdens of compliance.
And though many CIOs reported efforts to reduce the costs associated
with certifying and accrediting systems as secure, the survey’s summary
report said some officials had not seen clear, measurable improvements.
“Sometimes it does feel like they’re going overboard,” said Richard
Westfield, CIO at the National Labor Relations Board. “But, where do you
draw the line?”
Patrick Howard, chief information security officer for the Housing and
Urban Development Department, said there is too much disconnect between
what is required by OMB and what is necessary “right now.” For example,
he said he wonders why there is so much emphasis on having tested
contingency plans for all systems — including those that are considered
low risk for managing sensitive information.
Such requirements, Howard said, may lead some CIOs to focus too much on
achieving a good grade on the president’s management agenda (PMA)
scorecard, which tracks quarterly how well agencies are implementing
policies in a number of areas, including e-government, to the detriment
of other agency projects.
“It kind of takes your ability to prioritize the use of your resources
away from you and focuses it on someone else’s priority,” Howard said.
This week, Howard becomes the new chief information security officer at
the Nuclear Regulatory Commission.
Some CIOs complain that OMB demands are usually unfunded and that
agencies are given little time to meet them. They also say OMB has done
little analysis of the costs and benefits of those directives.
Westfield, who also serves as co-chairman of the federal CIO Council’s
Small Agency Council, said many CIOs struggle to explain the importance
of their projects to other agency management officials.
“The average, everyday user on our network and probably every other
network thinks that my job is supposed to make their jobs more difficult
to do,” he said.
With inadequate budgets — listed as one of the top five barriers to
CIOs’ effectiveness in three of the past four ITAA annual surveys —
several CIOs said they must make improvements to promote greater savings
and efficiency and not just to get the best score on the PMA.
“When you go out and make a case for the budget and the need to do this,
it can’t just be to get to green” on the traffic-light-style scorecard,
NASA CIO Jonathan Pettus said.
Pettus brought in officials from the National Institute of Standards and
Technology to help NASA comply with OMB and FISMA demands because of
inconsistent interpretations among its own IT officials. As a result of
that help, Pettus said NASA was able to identify possibilities for
consolidating some systems and developed a more efficient model for
certifying and accrediting systems. It also determined the need for a
core group of consultants to work with each of its regional offices on
future compliance efforts.
Still, just like having an established building code will not prevent a
house from collapsing, being compliant with FISMA does not necessarily
mean your agency’s information is secure, Pettus warned.
Alan Paller, director of research for Bethesda, Md.-based SANS
Institute, criticizes FISMA for that reason. Although he said he sees
real results from OMB directives, FISMA is “wasteful” because compliance
is increasingly being done by contractors who have little incentive to
promote efficiency. And, too many people with the technical skills
necessary to handle compliance reporting have left for better-paying
jobs in the private sector, Paller said. His group provides
certification and accreditation training and other resources to IT
“The solutions for most of these problems are common, but the agencies
each hire different contractors for security,” Paller said. CIOs across
agencies need to do a better job of communicating best practices to
build “a common answer rather than everyone building its own answer,” he
But some CIOs said they are working to develop automated processes to
help streamline compliance in such a way that cuts cost and staff time —
and will share that across agencies.
When CIO Joseph Klimavicz joined the National Oceanic and Atmospheric
Administration in January 2007, he developed a 500-day plan to
streamline computer security and catch up with the backlogged
certification and accreditation of 135 IT systems.
The agency established some common controls for certification and
accreditation, which have allowed it to begin piloting a cyber security
assessment and management software tool that lets users enter
information to determine whether a system complies. It will eventually
provide the service to the Commerce Department, of which NOAA is a part,
“This is a Turbo Tax equivalent for [certification and accreditation],”
Howard, NRC’s new chief information security officer, was a contractor
in 2003 when he helped the Transportation Department certify and
accredit about 200 systems — mostly in financial and administrative
areas — over a two-year period. By identifying common controls across
those systems, the agency was able to complete each for around $15,000 —
much less than the $25,000 to $300,000 price tag that Howard said is
often associated with such projects.
Howard said he approaches compliance as a risk management tool because
of shrinking budgets for IT security.
“Compliance is not going to go away,” he said. “It’s a part of life.”