Leaving FISMA in the Dust: A True Metric for IT Security
Interview with John Streufert, State Department Deputy CIO and CISO
That's a far cry from what federal law now requires: an annual system inventory and a once-in-three-year certification and accreditation audit required under the Federal Information Security Management Act.
Three years ago, State instituted its Risk Scoring Program, which pinpoints and corrects the worst vulnerabilities on a particular day. The frequent monitoring of IT vulnerabilities under Risk Scoring truly gauges systems and network security, unlike FISMA, often criticized as measuring the ability to file papers about securing IT rather than safeguarding the information itself. Because of Risk Scoring, Streufert says, overall risk on State's key unclassified network has plunged by more than 80 percent in the past year.
Streufert spoke with Eric Chabrow, GovInfoSecurity.com managing editor, in the first of a two-part interview.
ERIC CHABROW: You have a program called the Risk Scoring Program. How did that come about and how is that working out?
JOHN STREUFERT: I have been with the Department of State since July 2006. Early on, with CIO at the time Jim Vanderhoff, we had set the goal of not only improving our basic security program and dealing with audit findings, but also implementing a mechanism to evaluate progress in improving security across the many portions of the Department of State with a recommendation I had of doing monthly grades.
Back at that time, it took some foundation laying in 2007 to do so and, for the past 11 months, we have been gathering up data and measuring our progress and reducing known vulnerabilities and assessing the strength and configurations of the systems that are connected to our department networks.
That goal turns out to have been a good one as the attention of the whole federal government is now shifting towards use of continuous monitoring as a strategy for the future.
CHABROW: Can you give an example of a component of this program, how it works and how it helped reduce the vulnerabilities?
STREUFERT: At the Department of State, we have identified 10 separate categories that we monitor on a routine basis, and one of them is the assessment of the vulnerabilities that have been identified in the national vulnerability database from the National Institute of Standards and Technology, with the assessment of points against those known vulnerabilities from 0.1 up to a total of 10 points to measure their severity; 10 points being the worst.
We have taken a combination of Tenable products at the State Department and SMS (Microsoft's Systems Management Server), Tenable especially focused on vulnerabilities, and we scan all of the desktops and the servers connected to the network in search of evidence of vulnerabilities that may exist. When those vulnerabilities are identified for a particular personal computer or server, the points that the national vulnerability database would identify for that particular challenge are then assessed as potential risk points for one of the 260 embassies and consulates overseas or our many installations in the continental United States.
The sum of points that are found for vulnerabilities and the nine additional areas that we are currently scanning against then establishes total risk points, and as the information management officers and system administrators of the Department of State correct the vulnerabilities, their risk scores are lowered accordingly. And then on a curve, as these points are reduced, we assign grades that vary between A and F-minus.
CHABROW: These are the IT professionals who handle these systems who are being graded?
STREUFERT: That is correct. Everyone in the Department of State that has servers or desktops under their immediate control is submitted to the same scans. When those scans deliver back updated results that are never more than one to three days apart in terms of refreshment, every time they correct a vulnerability, their total risk score goes down.
Other kinds of factors that we are monitoring include installation of all of the required patches; we measure the age of the antivirus profiles; we pay special attention to the registry of all computers and the active directory, and the same for the users in the active directory; and we assure that SMS reporting is sound and in place, just to name several of them. So standing back for a minute, the Department of State uses the information from both Tenable and SMS, and we have been able to find a treasure trove of potential risk data to total and gradually whittle down, to the point that the Department of State believes and can prove that it has reduced 83 percent of its risk at domestic sites - continental United States - and 84 percent of change in measured risk at its overseas locations. This was accomplished between July 2008 and the end of May.
CHABROW: Have other agencies approached you about what you have done?
STREUFERT: We are beginning over the last several months to speak about this more widely. I made a presentation to the government's chief information security officers, who meet quarterly, and had a chance at that particular forum to hear expressions of interest to look at this more carefully. A number of cabinet departments have come over and seen the risk score management dashboard that collects up and displays this risk information and are beginning to talk about how to develop something or how to export what we have for their uses. So there are a number of other cabinet departments which are evaluating it, and I trace this to the desire that is common among chief information security officers to look at those strategies where measurable improvements and lowering risk can be evaluated.
CHABROW: Is what you are doing somehow an indictment of FISMA or OMB in the sense that they didn't provide the guidance or direction to truly secure the IT?
STREUFERT: This is a topic that I think has been an ongoing one for those in the security field, and we now have undergone several generations of change in security legislation. I think the community can see the benefits of the current Federal Information Security Management Act that we have been operating under for the past five or six years, in that we have had a positive emphasis on annual system inventory, on annual testing, on doing certifications and accreditations every three years, to name just a handful of the points that we study.
What the current law concentrates on are snapshots of processes and compliance. No one can argue that there is zero benefit from this. There is a certain benefit to know what is connected to the network.
What I think has happened over the last half a dozen years is that the security environment is changing so rapidly that some ongoing measurement of where progress is being made in lowering risk is also seen to be something very valuable to include. Almost all of the new proposed pieces of legislation that have been introduced or are now being evaluated consider some potential changes, and most of them respond to the fact that the security environment has become more dynamic and that some combination of more frequent scanning or more frequent penetration testing will undoubtedly be helpful to protect the .gov networks.
CHABROW: How often are your computers scanned?
STREUFERT: At the Department of State, our SMS data sets are updated several times a day, but as we are distributed across 24 time zones, the data is updated almost on a daily basis everywhere but never less frequently than every two days.
Currently, we are able to check the strength of the configurations of our systems, another one of the factors that we evaluate, every 15 days, but we have a target of attempting to do that as frequently as every three days, and that will be something that we hope to bring online over the next several months.
One of the strengths of the current method at the Department of State is that we are constantly taking these snapshots and highlighting what the very worst risks are at the top of the pile for our security professionals to change. With the implementation over at the State Department and an earlier version of this same method of continuous monitoring at the Agency for International Development - where I worked, and that program began about six years ago when these worst risks were highlighted to the attention of security managers - there can be dramatic changes of risk getting rid of the worst problems first so that is probably a benefit of having the frequent scanning in combination with the highlighted attention to the worst risk.
CHABROW: You speak of a dramatic percentage decrease in vulnerabilities, what is really the bottom line? What is happening in the sense of how secure people feel or how they conduct their work, or do they have less worries about certain threats?
STREUFERT: The process of having a dashboard and continuous scanning gives a chance not only to the technical professionals at any particular location for the Department of State, an embassy, but also to the manager of a particular bureau in Washington; the risk dashboard gives them a chance to know exactly where they are, both individually against these defined criteria, and also how they rack up in standing against their peers.
The trend or the outcome of continuous monitoring that we have is that there is understanding of a focus of everyone involved in using information systems on what degree of risk that they are potentially exposed to.
We especially concentrate on the Microsoft operating system on desktops and servers now. There are other kinds of scanning which are available at the State Department, but such a high return on invested time in the areas that we are concentrating on with the continuous monitoring and the grade regimen that I have described has us interested in pushing this kind of tool and information integration about risk into other areas of our program.
CHABROW: Regarding the grades, a lot of people have criticized the FISMA grading system because it talks more about how people are doling out paper than actually securing IT. How do you differentiate the kinds of grades that you provide versus what FISMA does?
STREUFERT: We come back to the difference between process and compliance status. We earn points under the current Federal Information Security Management Act for the degree that they have a strong certification and accreditation study program that occurs once every three years, with a process called reauthorization, where you come back three years later and install it.
What we have in the grades that we are giving to our organizations, and now an increasing portion of them have risen from lower grades to holding steady at A's and B's across the board, is that we know that that particular grade is an assessment not of how things looked three years ago but a comparison of exactly what kind of progress has occurred in the last 30 days.
An example of the outcome of the State Department pilot would be a greater confidence that there has not been a dramatic uninspected change, as in the case of the previous evaluation for C&As (certification and accreditation), which could be up to something that occurred three years ago. Other aspects of the current FISMA could be as old as a year, but again the continuous monitoring has something that is an assessment capacity of the organization to deal with outside risk that is never longer than a month, and scanning data in fact could be as fresh as 24 hours old.