By Mary Mosquera
May 30, 2008
A House measure to authorize NASA's programs for fiscal 2009 would also
direct the space agency to report to Congress on the effectiveness of
its network security controls.
Also, if the legislation as written becomes law, the Government
Accountability Office would test NASA's network for vulnerabilities and
provide the results in a restricted report to NASA's oversight
committees. The space agency would also detail the corrective actions it
has put in place to prevent intrusions through those vulnerabilities.
The House Science and Technology Committee's Space and Aeronautics
Subcommittee approved the measure May 20. The full committee is
scheduled to consider the legislation June 4, a committee spokeswoman
Agencies already report annually to the Office of Management and Budget
on how they comply with the Federal Information Security Management Act,
including activities such as conducting certification and accreditation
of their major systems. However, some security experts criticize FISMA
compliance as a checklist exercise. FISMA merely measures whether
someone has written a policy or a report, said Alan Paller, research
director of SANS Institute.
"This is much better than FISMA because they are actually measuring the
network's ability to perform security missions," he said.
Under the authorization measure, NASA would also report to the House and
Senate committees with jurisdiction over the agency on how well its
security controls support:
* The network's ability to detect and monitor access to its
resources and information.
* Authorized physical access to the network.
* The encryption of sensitive research and mission data.
Attempts to attack agencies' systems are increasing, and the risks are
clear, said Mark Udall (D-Colo.), the subcommittee's chairman. For
example, GAO recently reported on weaknesses at the Tennessee Valley
Authority that could disrupt the utility's basic operations.
"For NASA, computer networks are the backbone of almost all operations
and are critical to the safety of our astronauts, the success of space
missions and the use of satellites," Udall said, adding that "we must do
all we can to protect these resources."
Agencies need to determine through risk assessment the specific security
controls that would block current attacks that affect their mission,
Paller said. The National Institute of Standards and Technology
provides guidance on FISMA, but it is too general, he said, adding that
network security guidance needs to be specific.
"You have to put your money into the right controls," he said.
"Generalized security policies are the same as no security policies."
NIST has produced a risk-management framework that agencies can use to
better assess priorities for their systems and information. OMB also has
encouraged agencies to use a risk management approach to information
security and has initiated efforts, including reducing the number of
Internet gateways through the Trusted Internet Connections and
standardizing security components through shared services providers in
the Information Systems Security Line of Business. Both initiatives
include continuous monitoring of systems and external connections.
Paller said he believes that information security oversight could be
included in appropriations bills.
"I think as soon as we get it in one appropriations bill, that will be
the last nail that's needed to get NIST to fix the way it implemented
FISMA," he said.
Lawmakers also receive information about the network security of the
agencies that they oversee from classified briefings, Paller said.
"When they find out how badly defended the federal government is, after
the classified briefings, people ask different questions," he said.
Rep. Tom Davis (R-Va.), ranking member on the Oversight and Government
Reform Committee, found in the most recent report card he issues on
agencies' compliance with FISMA that half of the major agencies got a C
grade or lower on information security, while half earned B or above.
The highest grade is an A-plus. Davis has advocated more oversight of
agency information security practices, incentives for agency success and
funding penalties for agencies' poor security performance, said Brian
McNicoll, a spokesman for Davis.
"With high-profile security breaches and continually sagging FISMA
scores, it should come as no surprise that we'll see more and more data
security language folded into authorizing and appropriating bills,"