Switch to Continuous Monitoring Requires New Skills
NASA Pledges to Retrain Personnel to Meet Changing Job Demands
"You are definitely talking about a different skill set," Jerry Davis, NASA deputy chief information officer for security, said in an interview with GovInfoSecurity.com (transcript below). "It is more of an operations type activity versus a compliance activity and what we are doing ultimately is we are operationalizing compliance. There is a little bit more of a technical skill set that an organization will need."
But Davis said IT security pros at NASA needn't worry about their jobs. "Folks should not be fearful that if they don't have the skill set, they have to go find a new job because it's my responsibility to make sure that we take the skill set that we have and that we repurpose them, and by repurposing them we are going to retrain them."
Last month, Davis issued a memorandum explaining NASA's move to continuous monitoring of its IT systems.
In the interview, Davis addressed how the shift to continuous monitoring has had an impact on the IT security staff's morale, and how he's getting employees hesitant about change to buy into the new approach. He also discussed changes in IT security spending priorities at NASA.
Davis was interviewed by GovInfoSecurity.com Executive Editor Eric Chabrow.
ERIC CHABROW: I don't want to get into the discussion of the pros and cons of FISMA requirements and real time monitoring. I think it's accepted throughout the government IT community that FISMA served its purpose but it's outdated. What I would like to explore are the challenges you are facing in implementing this continuous monitoring and its impact on NASA's IT and IT security organizations.
We are speaking three weeks after you issued a memorandum announcing the move to continuous monitoring. What has happened within NASA's IT and IT security organizations since then?
JERRY DAVIS: A lot has happened since then as you can very well imagine. I think it started off with a little bit of concern internally throughout the IT community because we had, in a sense, more or less been caught up in the old way of doing things and this is a change, and as you know at most organizations change is very, very difficult to impart on an organization. So, we have been working through a lot of change management activities and really getting around and out and about to the constituency that we service internal to NASA and the folks that are actually going to be helping us move forward with this move toward automated continuous monitoring.
There has been a real kind of communication activities going on in really what does continuous monitoring mean, what are the tools, what does the concept of operations look like, and what is certification and accreditation going to look like for NASA going forward after this year. It's really been a lot of communications going on, a lot of presentations and posturing and getting ready to implement what I consider this historic change.
CHABROW: In IT nothing seems to come off as anticipated. Since the announcement, what surprises have occurred as you enter this new way to secure documents securing IT?
DAVIS: The biggest surprise that occurred was really the concern initially because we did not have a fully 100 percent fleshed out plan on exactly what activities were going to take place. It's funny that I thought putting the money back in system owners' pockets by not having to pay for an independent third party to come to do a review would be something that was very well welcomed, but again, as I said, I think some folks were more concerned about the compliance aspect of it and moving away from the compliance aspect and moving into kind of a real time security activity.
That concern surprised me a little bit. I mean people are definitely willing to use their monies for other things, but the surprise around and initially a little bit of reluctance to move out of compliance was probably one of the biggest surprises. But we are finding that the more that we communicate to people that that's changing very, very rapidly as people really fully understand what we are doing going forward and that we have largely thought it through and that we believe that we have the tools and the capabilities to make it happen. We are confident going forward at this point.
CHABROW: Where was this concern coming from? Was it just people within the IT and IT security organizations or the people higher up in NASA's organization?
DAVIS: It's really the folks in the middle. The higher ups in the organization had a series of pre-briefs very early on, prior to me releasing the memorandum. I provided to the most senior executives in NASA my perception of what would take place after we issued the memo, what the different concerns may be, and so they were--the most senior management in NASA has been okay.
I think some of the folks in the middle because there is uncertainty as you move away from this third party activity and the third party activity that we had been doing. It takes a lot of manpower. It takes somebody to prepare to package it, to make sure that the certification, accreditation packages, the system security packages, all of those things are updated and when you talk about going to continuous monitoring where that's not such a big focus, I think some folks don't understand.
A lot of it came down to what am I supposed to be doing next. That was a public concern that we had. It was really those people in the middle who actually what I call turn the screws and make things happen who were literally unsure of what they were doing next. But as I said, as we start walking them through the concept of operations they see that there is still a need for their skill set and the things that they have been doing, we're just going to use it in a little bit different fashion.
CHABROW: What about the skills? I would assume that certain skills that you need to comply with C&A through the traditional FISMA approach are different from the skills needed to do continuous monitoring. What is that impact on the staff? Are people worried about their jobs or do you need to bring new people in?
DAVIS: Yeah, I think some of the impact, you are definitely talking about a different skill set. We are moving to an area, number one, where it is more of an operations type activity versus a compliance activity and what we are doing ultimately is we are operationalizing compliance. There is a little bit more of a technical skill set that an organization will need and NASA is no different, that we are going to need more people to use the skill sets that they have or develop the skill sets around technology and understanding what's taking place when I say vulnerability management and we look at particular vulnerabilities.
It is going to take a little bit different skill set to really understand what those vulnerabilities are, how they impact security posture of the system and then ultimately the security posture of the agency as a whole. But you still need the other skill sets around risk management. We have to have a skill set that we really truly understand risk management and how to impart risk management across an organization.
The other side of the technical skill set are the tools, the security controls that we will be using to monitor to carry on a day-to-day basis, hour-by-hour basis. Those tools, there is a little bit of a learning curve to understanding the tools. There is a technical skill set that has to rise to the top that we are going to be relying on people to provide for us.
But the folks who do not have that skill set that are working in the areas around system security plan development, the packages that are required for certification and accreditation, that skill set we still need. We still need that skill set but what we are going to do is we are going to automate a lot of those processes and in automating that process the people who do not have that skill set we are going to train them.
We are setting up a training activity for the new tools that we have so folks should not be fearful that if they don't have the skill set they have to go find a new job because it's my responsibility to make sure that we take the skill set that we have and that we repurpose them, and by repurposing them we are going to retrain them.
CHABROW: Obviously, a big issue not only in government but elsewhere is the number of technical people who have IT security skills and I'm wondering if this is going to require more technical now and are there sufficient people out there to make this shift to continuous monitoring?
DAVIS: I speak for NASA, you know, I feel fairly confident that we have enough people and I also feel confident that the one good thing about working at NASA is that you have a lot of people who have technical backgrounds. They may not necessarily be in IT but they have technical backgrounds maybe in engineering and sciences and things of that nature. Those people who may come off of other projects and come into the IT side of the house, those are the folks that will assimilate very quickly and we can train them very quickly.
But, we do know that outside of NASA across the government, there is a very, very fairly broad shortage of people that have the proper IT skills, IT security skills. Technical skills are in short supply and high demand. Internally we feel confident that we do have enough people and where we may have gaps we will get the people that we need and it is my responsibility again on that training side. I also own training for NASA and we are going to be putting people through professionalization courses so we will train them here and we will make sure that they have the right skill sets to do the job that we are asking them to do.
CHABROW: Would this shift to continuous monitoring require more or less use of government contractors?
DAVIS: I think that could go either way. It really depends on the agency. For us, we don't really see a shift one way or the other. To manage the continuous monitoring, we already have the tools in place, the same contract force that runs the tools today. Even if we switched to a new version of a tool or a new tool all together that does the same functionality, we are going to use the same contractors that we have and the same civil service that we have.
We don't see a need one way or the other to move civil servants out or work with less civil servants or work with less contractors today. Everything seems to be a zero sum game; everything seems to stay fairly straight.
CHABROW: That would include the employees there, too?
DAVIS: Right, absolutely, the civil servants. It would include the same as now; we may repurpose some folks and again, where we may have gap centers as we go to different NASA centers, they may find that they may have to repurpose someone who was maybe on one particular function in C&A and they may have to repurpose them to do another aspect of these tools as they come online and are integrated. They may find a shifting but we don't anticipate a real downturn from going to an automated solution.
CHABROW: What new tools are needed to go to continuous monitoring?
DAVIS: That's a really good question and the good thing is that we have very, very good guidance initially from NIST (National Institute of Standards and Technology) from Special Publication 800-37. It is very detailed about continuous monitoring and the whole risk management framework.
To determine what tools that we need, the first thing that we had to do was a fairly comprehensive risk assessment of NASA information security. From that risk assessment what we learned was what are the absolute threats that we are dealing with, what our assets look like and what do those vulnerabilities look like that are being exploited. From there we were able to select the proper security controls that are mapped in NIST 800-53 and from those controls we were able to select the proper tools to monitor those controls.
Some of the key things that we are looking at with tools are in the area of patch management. We also are looking at tools or expanding the use of tools in the area of vulnerability management. We are expanding the use of tools for inventory management, in other words, identifying what devices and information resources we have on the network and identifying information resources, new ones, as they come to light on the network so we can identify those.
Tools that help us with Federal Desktop Core Configuration, which, I believe, has actually changed to USGCB, United States Government Configuration Baseline, tools that help us in that area as well. Then we use a number of internal infrastructure tools and services that were already in the environment. Things like Active Directory, IP address management also helps us with inventories and things of that nature.
A lot of those tools that I have just mentioned are tools that most agencies already use. The key is bringing the information that those tools produce all together in more or less a single database to tell you about the security posture of your systems. Then we can use those tools very, very frequently, whether it's daily or hourly or weekly, to continuously monitor the security controls that we put in place based on the assessment of risk.
CHABROW: This shift over from traditional FISMA to the continuous monitoring, where are you in the process? How long of a process is this?
DAVIS: Where we are to date in the process is we are finalizing the concept of operations. We have most of the tools; let's say just for a numbers game, eight out of the 10 tools are already deployed. We are going with some new tools.
The tools that we have had in the past, they have reached the end of life and we have been looking at replacing those tools for the last year. We are looking at the next six months or sooner, where we will actually start producing real time monitoring of the environment with a dashboard view that tells us what the state of a particular system's security posture is in and from that stage, six to eight months from now at the maximum, we will be producing risk scorecards for all of the NASA centers.
Those risk scorecards will have a drill down capability that will let a center know why they have a particular score for their center; they can drill down to a single system. Let's say if they got a C for the week and they can drill down and see why they got a C; it may be because there is a particular system that needs a critical patch and our policy says you have got to patch it in X number of days and it has now gone past those number of days and that has brought their score down and then they have the opportunity to bring their scores up by applying those patches.
We are at the point right now where most of the tools are deployed. We are going to finish up the concept of operations. We are going to get our folks trained on the concept of operations and then in the next six months or so we will start producing those scorecards real time and start managing risk from that perspective.
CHABROW: Are the scorecards automated too? Is this all programmed to do the calculations and to provide the score?
DAVIS: Absolutely. We work very closely with (Deputy CIO/Security) John Streufert from the State Department on the scorecards that they use and the mathematics behind that. We are working with our folks at Jet Propulsion Laboratories on the math side of it again. It is all automated, what I call middleware or this engine that does correlation. It takes all of this information from the various tools and information about the systems and it crunches it and does some magic and out comes the score.
CHABROW: And you are convinced that this is going to make NASA systems far more secure than the old FISMA process?
DAVIS: Yeah, we are convinced that what we will be able to do is we will be able to make security measurably better because we are designing and implementing the proper tools and monitoring those security controls that are purely based on risk and that risk is based on a pretty comprehensive risk assessment that we have been working on for quite a number of months.
CHABROW: Okay, you mentioned John Streufert and, of course, under his leadership at the State Department, they moved to continuous monitoring several years ago. I believe they said they saved $133 million by eliminating FISMA reporting requirements. What kind of savings do you expect at NASA? (Clarification: In an e-mail, Streufert writes the $133 million represents the cost of certification and accreditation studies over six years at the State Department.)
DAVIS: It is kind of hard to say in terms of savings. We know what we spent roughly in 2007 to do independent third party assessments, now some of that money is not necessarily that you save it but we have asked folks to repurpose some of that money to acquire continuous monitoring tools beyond perhaps what we provide at the agency level.
It's not so much that you save the money but you repurpose the money to really give you a better security posture. It's not necessarily a savings but a repurpose of the money. There may be minor savings here or there, but again, the money is being repurposed from a risk management perspective, and put that money back into continuous monitoring.
CHABROW: Anything that gives you pause about this process?
DAVIS: You know no, not at all. It's always a little scary when you first step out there and do something that is a little different that may be against the grain, but the timing I thought was absolutely perfect with Office of Management and Budget coming out with their 2010 reporting instructions with the heavy focus on continuous monitoring. I think the agency was ready for it.
I think the federal government, governmentwide, was absolutely ready to do this and I think we just needed some folks to kind of step out there and say we are going to do this. I am extremely excited. The NASA CIO Linda Cureton, she's excited. The administrator and deputy administrators, they are all excited. As long as they are happy, I'm a happy camper as well.
CHABROW: To fellow CISOs around the government, what kind of words of wisdom can you provide?
DAVIS: I am providing words of wisdom along the lines of you don't have to run out and buy a bunch of tools that more than likely the tools are already out in their organizations. They may not necessarily own those tools, those tools may be owned by, let's say, network operations, and they need to partner and do what they need to do to get access to the data from those tools.
They need to make sure that they do a very, very good risk assessment and truly understand what the risks are and do a very good selection of security controls to mitigate that risk. And, whatever monies that they potentially are going to not use for third party assessments, to put that money to repurposing for tools that they don't have where they may have gaps. That's the best advice I can give them.
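The risk scorecard Davis describes earlier in the interview (a weekly letter grade per center, lowered by patches that have gone past the policy deadline, with a drill-down that shows which system and which patch caused it) can be illustrated with a small scoring engine. The Python below is an added example written for this page; it is not NASA's, JPL's or the State Department's scoring code, and the patch deadlines, penalty weights, grade thresholds, system names and sample findings are all constructed assumptions.

```python
"""Risk scorecard engine: aggregate per-system findings into a center grade.

Added example illustrating the mechanism described in the interview. The
policy deadlines, penalty weights, grade thresholds and sample findings are
assumptions constructed for this example, not any agency's real formula.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy: days allowed to apply a patch after release, by severity.
PATCH_DEADLINE_DAYS = {"critical": 7, "high": 30, "moderate": 90}
# Assumed penalty points per overdue finding, by severity.
PENALTY_WEIGHT = {"critical": 10.0, "high": 4.0, "moderate": 1.0}
# Assumed grade thresholds on a 0-100 score.
GRADE_THRESHOLDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))


@dataclass
class Finding:
    center: str
    system: str
    patch_id: str      # identifier reported by the patch/vulnerability tool
    severity: str
    released: date     # date the patch became available
    remediated: bool = False


@dataclass
class Scorecard:
    score: float
    grade: str
    # Drill-down: (system, patch_id, days_overdue, penalty), worst first.
    penalties: list


def days_overdue(f: Finding, today: date) -> int:
    """Days past the policy deadline for this finding (0 if still within it)."""
    age = (today - f.released).days
    return max(0, age - PATCH_DEADLINE_DAYS[f.severity])


def penalty(f: Finding, today: date) -> float:
    """Penalty points: base weight, growing by one weight per week overdue."""
    if f.remediated:
        return 0.0
    over = days_overdue(f, today)
    if over == 0:
        return 0.0
    return PENALTY_WEIGHT[f.severity] * (1 + over // 7)


def grade(score: float) -> str:
    for threshold, letter in GRADE_THRESHOLDS:
        if score >= threshold:
            return letter
    return "F"


def score_centers(findings, today: date) -> dict:
    """Return a Scorecard per center, starting at 100 and subtracting penalties."""
    by_center = {}
    for f in findings:
        by_center.setdefault(f.center, []).append(f)
    cards = {}
    for center, items in by_center.items():
        pens = [(f.system, f.patch_id, days_overdue(f, today), penalty(f, today))
                for f in items]
        pens = [p for p in pens if p[3] > 0]          # keep only what costs points
        pens.sort(key=lambda p: p[3], reverse=True)   # worst offender first
        score = max(0.0, 100.0 - sum(p[3] for p in pens))
        cards[center] = Scorecard(score=score, grade=grade(score), penalties=pens)
    return cards


# Constructed sample data: two hypothetical centers, five findings.
TODAY = date(2010, 6, 15)
SAMPLE_FINDINGS = [
    Finding("CENTER-A", "web-portal-01", "PATCH-EX-001", "critical", date(2010, 5, 26)),
    Finding("CENTER-A", "file-srv-02", "PATCH-EX-002", "high", date(2010, 5, 6)),
    Finding("CENTER-A", "file-srv-02", "PATCH-EX-003", "moderate", date(2010, 6, 5)),
    Finding("CENTER-B", "lab-ws-07", "PATCH-EX-004", "moderate", date(2010, 3, 7)),
    Finding("CENTER-B", "lab-ws-07", "PATCH-EX-005", "critical", date(2010, 5, 1),
            remediated=True),
]

if __name__ == "__main__":
    for center, card in score_centers(SAMPLE_FINDINGS, TODAY).items():
        print(f"{center}: {card.grade} ({card.score:.0f})")
        for system, patch_id, over, pts in card.penalties:
            print(f"  {system} {patch_id}: {over} days overdue, -{pts:.0f}")
```

Running it gives CENTER-A a C: its critical patch is 13 days past the 7-day deadline (20 points) and a high patch is 10 days past the 30-day deadline (8 points), and the drill-down names both systems. CENTER-B scores an A because its only overdue item is a moderate patch and the remediated critical no longer counts, which is exactly the "apply the patch and your score comes back up" loop the interview describes.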
Also check out:
NASA's 'Yes' Man, our summer 2009 interview with Davis on NASA's IT security organization.
Leaving FISMA in the Dust: A True Metric for IT Security, our interview with State Department CISO John Streufert, the federal government's pioneer in moving an agency to continuous monitoring.
FISMA Reporting Moves Into the 21st Century, a story about the Office of Management and Budget replacing paper-based compliance with automated tools.