In Praise of FISMA
"We found it very efficacious a couple of years ago to do to ourselves anything that we anticipated the IG's auditors to do to us," NSF CIO George Strawn said in an interview with GovInfoSecurity.com (transcript below). "We thought the best money we spent was performing penetration tests and other types of attempted infiltrations into our system on our own, and then we could work on cleaning up what we found ourselves by the time the inspector general's auditors came around to try the same thing."
In the interview, Strawn also discusses how operational IT managers have cybersecurity responsibilities and how the Federal Information Security Management Act, if applied properly, furnishes the structure to truly secure information assets.
Strawn was interviewed by Eric Chabrow, managing editor of GovInfoSecurity.com.
ERIC CHABROW: Please tell us about the IT security organization at the National Science Foundation.
GEORGE STRAWN: I might even preface that with a little bit about the National Science Foundation since we are sort of the quiet agency and some people really don't know much about us. We are rather small by federal standards, about $6 billion, almost all of which goes out the door to support finance and engineering, research and education, much of it in universities and colleges and a little bit in non-profit and various other places.
We are the only government science agency that supports science but doesn't do science. That is, we have no laboratories that are run under government contract. We have fewer than 2,000 employees so we are officially a small government agency, although we are a CFO Act agency so we attend the large agency CIO Council.
It's pertinent to mention our smallness because that is relative. So far, we have a fairly good record in security management issues. We have one location in Arlington, Va., which makes our security easier than plenty of other places. The FAA, for example, has more locations than we have employees.
Since we are an administrative IT shop that is to handle the administration of IT research proposals and turning them into grants, we have had pretty good luck for the last few years in the sense of getting good ratings from the administration, the inspector general and Congress in terms of the quality of security and privacy programs.
We got serious about security six or seven years ago. What did that mean? It meant several things. We formed an agency-wide security working group, which brought together persons from all ranks and all areas of the foundation to begin to socialize around the place for enhanced security policies and procedures. We garnered the support, including money attached from the top management of the Foundation, and they also used the bully pulpit to support the needs for security. These things got us off to a pretty good start.
We are small, in the sense that I would call us a one-bureau agency. We have a division director for information services, who by the way is also my deputy CIO, and I asked her to assume the role of chief information security officer. We did what is hard to do in a bigger organization: mixing line and staff responsibilities. Our chief security staff officer is also our chief line IT operations officer, and that has been very efficacious around here for us in terms of the management issues associated with security.
CHABROW: What is the most innovative IT security program being pursued at the National Science Foundation?
STRAWN: Under the Federal Information Security Management Act, the inspector general is in charge of doing an IT audit of the Foundation's IT systems. We found it very efficacious a couple of years ago to do to ourselves anything that we anticipated the IG's auditors to do to us subsequently in the year. So, at that point, we thought the best money we spent was performing penetration tests and other types of attempted infiltrations into our system on our own, and then we could work on cleaning up what we found ourselves by the time the inspector general's auditors came around to try the same thing. That was good money to be spent to sort of doubly prepare ourselves for what were our vulnerabilities in terms of access from the outside.
CHABROW: How did you conduct the infiltration tests?
STRAWN: We hired a third party to come in and do the infiltration. Penetration tests and vulnerability tests and that type of thing is more or less what was done: what ports we had left open that we didn't think we had open, scanning our network, what ways people could get in and so on and so forth. And of course, we discovered there were a number of spots that hadn't been properly closed, and by the time we had done that, both from the IG and by ourselves for a couple of years, we were locked up pretty tight.
Another thing we did that I don't think is particularly innovative these days, but we hadn't done it before, was automating patch management on both our desktops and our servers. We got serious even a little before OMB made it mandatory to have annual security awareness training completed by every man, woman and child in the foundation, so that helped the security change. And, we made sure that the IT staff, which had been in the habit of offloading security responsibility as much as possible to the using clientele, that that was no longer the case, that security was everybody's job and primarily it was the security job of the IT professionals.
CHABROW: Are there any kind of IT security skills that are in demand at the Foundation and are hard to find?
STRAWN: Our positions are filled. In addition to the senior security officer, who as I mentioned is the division director of information systems, we have a crack chief operational security officer in that division who is an excellent lead for these activities. We are small; we have probably 50 government people and maybe 250 contractors working in our IT activity, and between our contractor staff and our U.S. government staff, we couldn't have made the progress we did without the high quality staff that we have. That has been one of our shining lights so far. We have had A's and A-pluses for the last two or three years from the Congressional grading of the results of the FISMA tests.
CHABROW: Do you think FISMA works? There has been a lot of criticism of FISMA as not really securing IT but as more of pushing paper.
STRAWN: If you think that FISMA means certify and accredit in a paper process all of your applications and systems and leave it go at that, you can make it a paper process that is nothing but bureaucratic and really doesn't improve the security very much. I suppose I think we probably have a little more C&A processes than they were worth. But since we take security seriously and have a multi-dimensional security process, I would say overall, we are pretty satisfied with the requirements that have come down from OMB-land to us.
Some of them may be a little bit onerous and others we think may not be quite worth the cost, but if you integrate over the whole process, they have done a pretty good job of telling us what to do and we have done a pretty good job of doing it, and I think we are much more secure because of that partnership.
CHABROW: Do you think there is the need to reform it?
STRAWN: There is always the need to reform it, and it will be reformed whether it needs it or not. The government is in a constant state of changing and especially it will need to continue to be changing as the nature of the threats continue to change.
Government agencies in general tend to change when they are told to change. There is usually too much work and not enough money to do everything that you want to do so the process that makes the federal government move forward is serious attention to this type of oversight and I think OMB and OSTP (Office of Science and Technology Planning) by and large, with great support from places like NIST that defines standards that get promulgated by OMB. I am a supporter of the process, knowing that it will continue to evolve and change, because IT continues to evolve and change.
Given the complexities of the federal government, I think they are doing a better job than we have any reason to expect it would have done.