Feds Unite on Security BenchmarksBy Caron Carlson | Posted 2003-12-15 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
High-level tech officials team amid criticism of government cyber efforts.
A group of high-level IT officials in the federal government has begun collaborating on configuration benchmarks that government agencies could be required to use in future purchases of hardware and software.
The development of the benchmarks is at once an indication of the growing importance of security in Washington and of the government's intention to use its purchasing power as an agent of change inside the Beltway and in the vendor community.
"Yes, I believe the government is getting better at this," said Alan Paller, research director at The SANS Institute, based in Bethesda, Md., who has spoken with many of the federal CIOs involved in this effort. "This doesn't solve the entire problem, but it helps going forward. I believe a great deal of money was thrown away on reports that could've been spent on solving the problem."
The move comes at a time of heavy criticism of the government's security efforts, much of it tied to last week's release of an annual report card from the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census on the security of federal agencies' networks.
The government received an overall grade of Dup from an F last yearfor the state of its security, as measured against a set of criteria laid out in FISMA (Federal Information Security Management Act), signed by President Bush last December. Several large agencies, including the Department of Homeland Security, Department of Justice and Department of State, received failing grades. But observers say the test is not an accurate reflection of the agencies' security posture because the self-evaluation the agencies must perform can cost hundreds of thousands of dollars, depending on the size of the network. Many agencies had difficulty finding money in their budgets to complete the evaluation.
Despite cries of unfairness from some agencies that did not score well, Rep. Adam Putnam, R-Fla., who is the subcommittee's chairman, intends to continue the scoring process in the coming year and is planning to hold an oversight hearing in early March, said Bob Dix, staff director for the subcommittee.
"People knew what the scoring criteria would be," Dix said. "It is disappointing to us that a couple of the agencies have gone backward."
One of the biggest problems at the agencies is the continued inability to provide complete and reliable inventories of IT assets, which is required under federal law, Dix said. Additionally, it appears that the leadership at some agencies is not as involved in the process as it is at others.
"At the Department of Labor, the secretary is engaged in this issue. Their performance is evidence of that," Dix said.
A part of FISMA is a requirement that each federal agency establish a set of benchmarks for system configurations and that it complies with those standards. The act does not specify what those standards should be. The evaluation for 2003 did not test agencies on these benchmarks, but next year's will.
As a result, federal CIOs and other top IT officials have begun working together to develop such common configuration benchmarks. Those standards could eventually make their way to the private sector once they're finalized.
"This is good government. You need these benchmarks if you plan to buy software this way," said Roger Cressey, president of Good Harbor Consulting LLC, in Alexandria, Va., and former chief of staff of the President's Critical Infrastructure Protection Board. "It's not something where you place a call and snap your fingers, and the product is delivered securely. It's the right thing to do."
The standards could cover what services should be enabled or disabled by default, as well as more mundane items such as password length. This is not an entirely novel idea, however. Earlier this year, the Department of Energy announced a contract with Oracle Corp. in which the database vendor agreed to deliver its software in a secure configuration, as dictated by guidelines established by the Center for Internet Security. In addition, the National Institute of Standards and Technology has implementation guides and checklists available for various technologies.
But security experts and Washington insiders say this is an important step in the government's progression toward better security.
"They're not there yet, but the fact that they're talking about alternatives like benchmarks is a good thing," said Ron Sable, vice president of the public sector at Guardent Inc., a managed security services company based in Waltham, Mass. "They're dealing with it, but it is the government. There are enormous challenges."
Chief among those challenges is the limited budgets the individual agencies must contend with. But perhaps an even thornier issue is executing a complete inventory of an agency's IT assets, especially in large organizations such as the Department of Defense or the DOJ, which have dozens of remote locations and thousands of personnel working in the field.
Aside from the benchmarks, parts of the government are working on other aspects of security, such as moving quickly to IPv6. Improving end-to-end security is one of the objectives set forth by the DOD in mandating an agencywide transition to IPv6 beginning this year. As of Oct. 1, procurement for all net-centric operations and warfare assets must be IPv6-compatible.
However, the Pentagon is remaining quiet about the deployment and is not publicizing it as a model for other organizations to follow, much to the chagrin of IPv6 champions.
"I'm not sure how much [the DOD deployment] will impact the public at large. If they're not going to talk, I don't know if there's a big master plan [in the United States]," Alex Lightman, chairman of the IPv6 Summit, said, adding that the Pentagon opted not to issue a press release, despite keeping a high profile at last week's summit here.
Although IPv6 is not inherently more secure than IPv4, it comes with a mandatory security framework, promising fewer networking vulnerabilities.
"There is no advantage from a security protocol perspective of IPv6 over IPv4," said Jim Bound, chair of the IPv6 Forum Technical Directorate. "The advantage of IPv6 is that the implementation has to have IPSec [IP Security]."