Requirements to improve security may hurt more than they help

Requirements to improve security may hurt more than they help
Requirements to improve security may hurt more than they help

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

Federal Times
March 20, 2008 

With threats of cyber attacks mounting, federal chief information 
officers say ensuring data security is one of their most important 
roles. But in a survey released last month, many say the mandates they 
must comply with may be impeding =E2=80=94 rather than improving =E2=80=94 security.

The Federal Information Security Management Act became law five years 
ago requiring agencies to establish controls to protect sensitive data 
contained in information technology systems. It requires agencies to 
inventory systems and to develop standards for categorizing information 
contained within them by risk.

The Office of Management and Budget has complicated matters, some 
experts say, by placing even more demands on CIOs, including mandates 
that all laptops be encrypted and a governmentwide plan to cut down on 
the number of Internet connections.

In an annual survey released by the Information Technology Association 
of America in February, CIOs interviewed said they question whether the 
return on their investments is outweighed by the burdens of compliance. 
And though many CIOs reported efforts to reduce the costs associated 
with certifying and accrediting systems as secure, the survey=E2=80=99s summary 
report said some officials had not seen clear, measurable improvements.

 =E2=80=9CSometimes it does feel like they=E2=80=99re going overboard,=E2=80=9D said Richard 
Westfield, CIO at the National Labor Relations Board. =E2=80=9CBut, where do you 
draw the line?=E2=80=9D


Patrick Howard, chief information security officer for the Housing and 
Urban Development Department, said there is too much disconnect between 
what is required by OMB and what is necessary =E2=80=9Cright now.=E2=80=9D For example, 
he said he wonders why there is so much emphasis on having tested 
contingency plans for all systems =E2=80=94 including those that are considered 
low risk for managing sensitive information.

Such requirements, Howard said, may lead some CIOs to focus too much on 
achieving a good grade on the president=E2=80=99s management agenda (PMA) 
scorecard, which quarterly tracks how well agencies are doing in 
implementing policies in a number of areas including e-government, to 
the detriment of other agency projects.

=E2=80=9CIt kind of takes your ability to prioritize the use of your resources 
away from you and focuses it on someone else=E2=80=99s priority,=E2=80=9D Howard said. 
This week, Howard becomes the new chief information security officer at 
the Nuclear Regulatory Commission.

Some CIOs complain that OMB demands are usually unfunded and that 
agencies are given little time to meet demands. They also say OMB has 
done little analysis of the costs and benefits of those directives. 
Westfield, who also serves as co-chairman of the federal CIO Council=E2=80=99s 
Small Agency Council, said many CIOs struggle to explain the importance 
of their projects to other agency management officials.

=E2=80=9CThe average, everyday user on our network and probably every other 
network thinks that my job is supposed to make their jobs more difficult 
to do,=E2=80=9D he said.

With inadequate budgets =E2=80=94 listed as one of the top five barriers to 
CIOs=E2=80=99 effectiveness in three of the past four ITAA annual surveys =E2=80=94 
several CIOs said they must make improvements to promote greater savings 
and efficiency and not just to get the best score on the PMA.

=E2=80=9CWhen you go out and make a case for the budget and the need to do this, 
it can=E2=80=99t just be to get to green=E2=80=9D on the traffic-light-style scorecard, 
NASA CIO Jonathan Pettus said.

Pettus brought in officials from the National Institute of Standards and 
Technology to help NASA comply with OMB and FISMA demands because of 
inconsistent interpretations among its own IT officials. As a result of 
that help, Pettus said NASA was able to identify possibilities for 
consolidating some systems and developed a more efficient model for 
certifying and accrediting systems. It also determined the need for a 
core group of consultants to work with each of its regional offices on 
future compliance efforts.

Still, just like having an established building code will not prevent a 
house from collapsing, being compliant with FISMA does not necessarily 
mean your agency=E2=80=99s information is secure, Pettus warned.


Alan Paller, director of research for Bethesda, Md.-based SANS 
Institute, criticizes FISMA for that reason. Although he said he sees 
real results from OMB directives, FISMA is =E2=80=9Cwasteful=E2=80=9D because compliance 
is increasingly being done by contractors who have little incentive to 
promote efficiency. And, too many people with the technical skills 
necessary to handle compliance reporting have left for better-paying 
jobs in the private sector, Paller said. His group provides 
certification and accreditation training and other resources to IT 

=E2=80=9CThe solutions for most of these problems are common, but the agencies 
each hire different contractors for security,=E2=80=9D Paller said. CIOs across 
agencies need to do a better job of communicating best practices to 
build =E2=80=9Ca common answer rather than everyone building its own answer,=E2=80=9D he 

But some CIOs said they are working to develop automated processes to 
help streamline compliance in such a way that cuts cost and staff time =E2=80=94 
and will share that across agencies.

When CIO Joseph Klimavicz joined the National Oceanic and Atmospheric 
Administration in January 2007, he developed a 500-day plan to 
streamline computer security and catch up with the backlogged 
certification and accreditation of 135 IT systems.

The agency established some common controls for certification and 
accreditation that has allowed it to begin piloting a cyber security 
assessment and management software tool that allows users to input 
information to determine if a system complies. It will eventually 
provide the service to the Commerce Department, of which NOAA is a part, 
Klimavicz said.

=E2=80=9CThis is a Turbo Tax equivalent for [certification and accreditation],=E2=80=9D 
Klimavicz said.

Howard, NRC=E2=80=99s new chief information security officer, was a contractor 
in 2003 when he helped the Transportation Department certify and 
accredit about 200 systems =E2=80=94 mostly in financial and administrative 
areas =E2=80=94 over a two-year period. By identifying common controls across 
those systems, the agency was able to complete each for around $15,000 =E2=80=94 
much less than the $25,000 to $300,000 price tag that Howard said is 
often associated with such projects.

Howard said he approaches compliance as a risk management tool because 
of shrinking budgets for IT security.

=E2=80=9CCompliance is not going to go away,=E2=80=9D he said. =E2=80=9CIt=E2=80=99s a part of life.=E2=80=9D

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods