Agency Security Audits: A Better Way?
Getting Parties to Agree on Controls to Be Scrutinized
Inspectors general and federal agencies are not on the same page in regards to annual information security audits, says Karen Evans, formerly the federal government's top IT executive.
Evans recently co-authored a paper for the not-for-profit SafeGov.org, which includes a recommendation that the White House Office of Management and Budget and Department of Homeland Security devise metrics that inspectors general can employ to assess the effectiveness of agencies' cybersecurity efforts.
At issue is the reliance of inspectors general on Special Publication 800-53, the catalog of 861 security and privacy controls published by the National Institute of Standards and Technology, when auditing government agencies. As a result, IGs often evaluate agencies on security controls that don't match up with controls used by agencies, Evans says.
A solution is identifying which controls should be applied, allowing IGs and agency information security officers to have an agreed upon baseline to measure progress in securing digital assets.
"To get them all to agree that it's the same metric, the same control and the same way you're going to measure it ... will allow you to have that picture across the board about what the federal government's risk posture is," Evans says in an interview with Information Security Media Group (transcript below).
Evans also addresses the three other recommendations made by SafeGov in its report, Staying Safe in Cyberspace: Cloud Security on the Horizon, which would have the:
- Federal CIO Council's information security and identity management committee adopt and issue an integrated network architecture to address administration priorities;
- FedRAMP's Joint Authorization Board require that all cloud service providers seeking government business under the Federal Risk and Authorization Management Program employ penetration testing capabilities;
- White House Office of Management and Budget and Department of Homeland Security devise metrics that inspectors general can employ to assess the effectiveness of agencies' cybersecurity efforts.
Evans is national director of the U.S. Cyber Challenge, a program focused on building the nation's cybersecurity workforce. During the administration of President George W. Bush, Evans served as administrator for e-government and information technology at OMB, a position now known as the federal chief information officer. Earlier in her career, she served as the Energy Department's CIO.
Agency Security Audits: A Better Way?
ERIC CHABROW: How has the implementation of initiatives in regards to cybersecurity been fragmented and lacked coordination across federal agencies?
KAREN EVANS: When you start looking at some of the implementations that are happening, they have Cloud First and the data center consolidation initiative. Then you have these cross-agency priority goals, of which cybersecurity is one of those, and you look to see the solutions. When you're talking with the industry about what agencies are asking for, you can see what they are really trying to do is meet all the objectives, but they're doing them incrementally and separately versus trying to look at the overall objective and integrating these solutions together to get to that cost-effective outcome.
CHABROW: Why would they not look at them jointly?
EVANS: What happens a lot of times is that you're being held accountable for different deadlines on different initiatives. Your team is very focused on achieving that one particular outcome. So for example, one of the things that the agencies are responsible for is the initiative called the Trusted Internet Connection, which monitors external traffic coming into your internal network. The idea is you're going to reduce the surface area of attack. The agencies are supposed to be working on their telecommunication solution, doing the transition from their current solution providers over to using solution providers from the networks, and this is the Networx contract with GSA.
But if you're following what is happening with the GSA contracts, you'll see that GSA has actually missed a lot of the cost savings that were predicted because agencies aren't moving as fast in transitioning their services, which means that the outcome that you wanted is not necessarily happening through the Trusted Internet Connection. So that is one. Then you have a Cloud First policy going forward. The cloud services really technically should be considered external traffic. If that is the case, then how you monitor the traffic, how you do things, would be different than if you consider anything that you do in the cloud as internal. This is why NIST had to really go through and define private clouds versus hybrid clouds versus public clouds, so that you could do these two things together and then realize the efficiencies. What has happened is that some agencies, as they've deployed, have taken some things that are cloud services and put them behind the firewall, which is actually really defeating the purpose, and so they took a real big hit on performance because they are routing all of that traffic back through a single point of failure.
Integrating Cloud and Mobility Programs
CHABROW: We're just talking about integrating cloud and mobility programs to enable the government to realize the economic, technological and mission effectiveness benefits of cloud computing, or is this something else?
EVANS: That is part of it. This paper goes a step further than our initial paper, which was talking about measuring what matters most. It builds off of that concept, but it gets down into some really technical, specific types of things. The idea of mobility: one of the other initiatives in the administration is bring your own device to work. So that is the mobility piece. To implement mobility, to allow people to have access no matter where they are, you have to implement and think about security in a very different way. It breaks the paradigm. A lot of people are still operating under "I can actually create a perimeter." You really can't; there is no perimeter anymore. If you try to engineer a solution for mobility or bring your own device, you have to go back to some basics, and that is what we talk about here, which is creating an architecture. Architectures have been required in the federal government since 1996.
There is a lot of work that was done to put those frameworks together, and now you have new technology and services on top of that, but you have to really go back and say, "What is to be my architecture if I take into consideration that I should be authenticating individuals because I have a policy on two-factor authentication for remote access, I should be authorizing them to hit different services?" I have to implement cloud services and take into consideration the effect of that. I have to have mobility. I have to really take and implement the Trusted Internet Connection, which is allowing me to monitor that traffic, and then I have to look at my data and say, where should it reside? Should my data reside internally or externally with the cloud provider, and if it is, then what risk level should that data be at? Who should have access to it, and then what kind of evidence do I need from the cloud provider to show that they are meeting? I'll introduce another program, the continuous diagnostics and mitigation program that DHS has put in place.
Integrate Network Architecture
CHABROW: What is the thinking behind wanting to have the federal CIO council's information security and identity management committee adopt and issue an integrated network architecture?
EVANS: That would work and help both industry and the agencies if this overarching network diagram, network architecture, were issued. I'm not saying one solution fits all, because what you would have to do is harmonize that across the board and say, "Here is how you take into consideration the credentialing initiative. Here's how you do the continuous diagnostics and mitigation program that DHS has put in place. And here's how you're going to do the Trusted Internet Connection, which is implementing in certain software and diagnostics so that you can get that information from the provider." And do it in a way that is integrating that at the network level so that when I'm looking at this, and I'm going to put out a proposal to now transfer over my network services using these contracts that are available, I have a diagram. Something different for Department of Justice versus Department of Homeland Security versus Department of Education, that they would have specificity within that architecture, but you need to have this integrated architecture that takes that as well as other security initiatives that the federal government is working on as a whole so that you can see how it is.
The reason why I'm saying issue it is because private industry needs to see how this all works. There are a lot of questions that have come up through our SafeGov forum about what the federal government actually means about this. If they are trying data center consolidation and implementing cloud services, shouldn't those go hand in hand? Well, of course they should. If this is issued by the Federal CIO Council, then that allows private industry to see the general thinking and then bid back solutions that make that and allow for them to show their innovation, how they can drive down cost while still meeting the risk posture of each individual agency.
CHABROW: How important are private providers for the government to be able to execute properly on safe computing?
EVANS: If they understand and see that architecture, then they can show how their products fit in there, how things work, and this jumps right down into the second recommendation of the FedRAMP's Joint Authorization Board. That board is working well to accredit cloud providers. When you look at it in a traditional sense, people are thinking of it as infrastructure as a service. When you're looking at your product and are trying to figure out, "Do I need to go through the certification or not?" Well, you do, and now there is a government date out there, June 2014, where agencies have to certify back to OMB and DHS that their cloud implementations are FedRAMP compliant. That means they have gone through those settings in great detail on the technical in order for a provider to demonstrate that and become certified by a 3PAO. Our recommendations have been to build out that capability and capacity of the 3PAO so that industry can get their services and infrastructure. The other part is, industry is going to have to look at each other to determine who they should partner with. Because if you're a software provider and you partner with a hardware provider who has already been through the FedRAMP process, you can rely on that certification and then you just have to do the delta of the change, but that takes a strategic partnership between those two industry providers. This is building off of things that are working and trying to build out that capacity so that you can get that reliability in the security services.
CHABROW: Is the vetting process where vendors can be certified for certain products or services and then they could be used by various government agencies?
CHABROW: Why were you specifically mentioning having the providers provide penetration testing?
EVANS: What you really want is independent people doing the penetration testing. So this is us getting back to measuring what matters and having an independent third party like the 3PAO doing that, but doing it in a way that is jointly agreed upon between the government and private industries. It is one thing to go through the certification process, but it is still only in near real-time. So you've bought a software application that is residing on hardware that has been certified by FedRAMP. Well, now that it is operational and your users are using it, what you want to do is go in and do penetration testing in the operating environment to make sure, with those things like Target [and] Neiman Marcus that happened recently, that they are still operational, that they are detecting things, that they can mitigate them quickly and that they are doing it in the operating environment.
CHABROW: Why is this act needed?
EVANS: Because this is probably still one of the most controversial areas in FISMA: the inspectors general have to evaluate the agencies on an annual basis. OMB issues the guidance on how those are supposed to happen. What also happens, though, at a high level, is that they have to use the National Institute of Standards and Technology publication 800-53.
CHABROW: These are the security controls?
EVANS: It's a large publication. What happens is that an IG can evaluate against a certain set of security controls that aren't necessarily the ones that match up to the way the agency has actually implemented security controls in the 800-53. We're making this recommendation that they should be very specific, similar to the Critical Controls, so that a baseline gets established in an agency. As agency leadership changes, as IGs change, you have this baseline that everybody agreed upon and can measure the progress against, or lack thereof. That is what they are attempting to do under the Continuous Diagnostics and Mitigation Program, but you have to get the IGs to agree that this metric, those are the baseline controls that we're going to measure against, and then every year we will build out upon those controls, and then still measure against the baseline but then measure the incremental improvement. To get them all to agree that it is the same metric, the same control, the same way you're going to measure it, then that will allow you to have that picture across the board about what the federal government's risk posture is. Right now, you can't really make the comparison across the board because IGs measure differently in each and every department.
Holding Agencies Accountable
CHABROW: SafeGov recommends OMB and the National Security Staff should hold agencies accountable by assessing their progress toward fulfilling agreed upon cybersecurity requirements. This isn't being done now?
EVANS: It is, but what you want to do is just go a step further. Some of the work has already been done by the National Security Systems. So some of the initial work was done to make sure that systems that were accredited through NSS that were being used is the same methodology that the civilian agencies could use that would match up to the security controls in the 800-53. What we're saying is if you do this integrated architecture and you have these cross-agency goals, now you have a series of plans. You had the Data First Plan, you have the Open Government Plan, you have the Cloud First Plan, HSPD-12 - you have all these plans that all need to be integrated, and then holding the agency accountable to those due dates that you have in there.
CHABROW: It seems that what you're proposing doesn't require any legislation?
EVANS: That's right.
CHABROW: Is that because there is no need for it, or because it's hard to get any kind of IT security legislation through Congress?
EVANS: We made the recommendations on not needing legislative changes. These could be done based on, and it's actually building off, the existing policies and administrative priorities, the administration's priorities out there, and then trying to get a comprehensive integrated architecture so that people say, "Oh, I can see that initiative."