Navy CIO: No Need for CISO Council
First of a Two-Part GovInfoSecurity.com Interview with Robert Carey
In this first of two parts of an exclusive interview, Carey discusses:
Carey joined the Navy's Office of the CIO in 2000 and rose steadily from e-business team leader, to director of the Smart Card Office, to deputy CIO for policy and integration, to CIO. Previously, Carey served in a variety of engineering and program management leadership positions within the Navy's acquisition community in the undersea warfare domain. A 1982 graduate of the University of South Carolina with a BS in engineering, Carey earned a master of engineering management degree from George Washington University in 1995. An active member of the Naval Reserve who holds the rank of commander in the Civil Engineer Corps, Carey was recalled to duty for Operation Desert Storm and, more recently, as part of a Marine expeditionary force in Iraq's Al Anbar province.
ERIC CHABROW: Hello, I'm Eric Chabrow of the Information Security Media Group. Robert Carey is the chief information officer of the Department of the Navy. He also co-chairs the Federal CIO Council's Committee on Information Security and Identity Management. In the first of this two-part interview, Carey talks about the federal efforts to safeguard government IT systems. In the second part of our interview, he'll address how the Navy is exploring ways to use Web 2.0 and cloud computing technologies while protecting some of the nation's most sensitive data and IT systems. Thanks for chatting, Rob.
ROBERT CAREY: You're quite welcome, Eric. Thanks for having me.
CHABROW: You're co-chair, along with Justice Department CIO Van Hitch, of the CIO Council's Information Security and Identity Management Committee. How does that committee function and what are the current hot topics the committee is addressing?
CAREY: Eric, it's a great opportunity afforded us by Karen Evans, [the former White House e-Government administrator], to align the activities across the federal government in the security space, so there are many topics that we are working on, but the purpose of this was to make sure that cross-agency efforts were aligned and prioritized and delivering outcomes that could be vetted by the membership of the CIO Council to make it better, so therefore, provide a collaboration basis, and then provide opportunities to feed results up to OMB, should they be warranted in the policy space, and then make sure that the agencies each had an opportunity to shape outcomes in various activities. And then, finally, to make sure that these cross-agency teams that were sort of popping up everywhere, had a place and had a champion to listen to what they thought was the answer to a problem. Prior to our arrival, I think there was a lot of work ongoing, and there was not so much of it getting the traction it might deserve, and so, we're trying to give that work the proper visibility that it requires.
CHABROW: Can you give me an example of one or two projects you're working on?
CAREY: We have four subteams, so each of the teams has come up with a list of prioritized work plans, if you will, and remember, this is a voluntary council, this is a voluntary body, so we get together, literally, once a month, to review progress. But, for example, we have developed a standard for the PIV [Personal Identification Verification] cards for non-federal entities, to allow us to communicate to, in essence, state and local governments, what are our standards for interoperability? And this would affect first responders, this would affect really anybody who is trying to access the federal government using a nonfederal government identity. A lot of that work had been ongoing, and it has literally just popped out, the final report, and it's been vetted by the subcommittees, and now we will push it in front of the Federal CIO Council for final comment, and then we will sign it out. And so, now, if you were the State of Maryland, the State of Virginia, the State of South Dakota, you understand that if you want to work with the federal government, here are the standards that your cards and your identities need to meet, in order to be processed and have, sort of, that seamless interoperability.
CHABROW: Congress is working on legislation to reform the Federal Information Security Management Act of 2002. How effective has been FISMA in securing government IT, and what changes to the Act would you like to see?
CAREY: FISMA has been, in my personal opinion, successful, in that it illuminated the need for the programs to be paying close attention to security, and it set up a reporting process to allow each of the agencies to report how they were complying with tenets of security. Now, that being said, one might say that the reporting process could become more onerous than the value that was being presented. What we have done is we have met with some of the Hill staff, and tried to convey to them what we would imagine would be recommended changes that would put more of a focus on, say, metrics and outcomes of security, and less on some of the bureaucratic aspects that found itself in the reporting process, not in the intent of the law, but in the reporting process. We're trying to make sure that if there is a FISMA II, it performs the functions it's intended. We also advised them that you need to be able to hold CIOs and CISOs accountable for outcomes carried out in that law. And so, I think that one of the first revisions of the bill had a CISO Council and some other things going on, and we felt, "Well, hey, rather than disconnect the folks that are playing in this space, why don't we connect them overtly, and then we can form that alliance to manage, in essence, cyber and security issues on behalf of each of the agencies."
CHABROW: I'm a little confused about this connection. Would there still be a CISO Council, or would it be somehow combining that with a CIO Council?
CAREY: What we've done is, as we have stood up our Information Security and Identity Management Committee, it is comprised mostly of CISOs. There are a few CIOs that are playing on it, but this is clearly the forum where the CISOs are driving the answers. As we are trying to establish that connection, that reporting relationship between, and I think the draft bill begins to do that, that there is a connection between CISOs and CIOs, a coherent connection, to deliver outcomes.
CHABROW: Let me go back to what you are saying a little earlier, focusing on outcomes, rather than bureaucratic metrics. Can you give me some examples of what you mean by the outcomes, and how these can be measured?
CAREY: Well, what we're working on, we've taken some information from the SANS Institute and some other folks about the consensus on audit guidelines, which are really a set of standard processes and associated metrics. The question is, do we levy those across the federal government? Do we make those the standard? There are many standards out there that we must comply with. We are trying to now simplify, and yet make sure we have the right set of reporting metrics out there for each of the agencies to comply with, so that there will be no misunderstanding about where someone is, compared to where they are supposed to be.
One of the things that doesn't exist is a cyber-investment roadmap, and that is another project we are trying to tackle. Each agency has a different security posture, because that is just the way they are right now. What is the proper way forward for them to invest in how they leverage what others have invested who are, maybe, further down that security path than they are? As we try to work into that space, we have to figure out how do some of these consensus audit guidelines fit? Do they become best practices? How many of them are we already doing? How do we create a reporting structure that allows committees to report on that, and make the reporting a direct corollary to the readiness posture of the networks, and the security of the networks, not of sort of counting things that don't necessarily need to be counted.
CHABROW: Can you give me an example of something that is counted that shouldn't be, necessarily, counted?
CAREY: For example, there are a couple of things in the reporting criteria that ask you to count all. Like, "All people must be trained on X, Y and Z," for example, in the cyberspace arena. And we actually do have workers who don't engage in the network. If those folks are counted as part of the total, and therefore, the bar is set at "all," and you don't train these folks who are engaged in the network, ever, then you can get an erroneously different score than you might imagine in reality exists. Does that make sense to you?
CAREY: I don't want to train the groundskeepers on cyber, and I don't want to be counted that I need to be training the groundskeepers on cyber when, in fact, they never engage in the network, and I haven't issued them any credentials to do so. We want to make sure that we count the right things that actually have a reflection of a readiness posture in the cyberspace arena.
CHABROW: That's Navy CIO Rob Carey, who also co-chairs the Federal CIO Council Committee on Information Security and Identity Management. Next time, in part two of our conversation, Carey will address the challenges of securing naval and defense IT systems, introducing the latest technologies. For the Information Security Media Group, I'm Eric Chabrow. Thanks for listening, and join us next time.