Interior secretary downplays FISMA flaws

Inspector general's report states testing repeatedly revealed systems were susceptible to cyberattacks.

The head of the Interior Department told the White House’s Office of Management and Budget that her agency conforms to federal security requirements, despite the vulnerabilities stressed by her inspector general in Interior’s fiscal 2005 annual compliance report.

A redacted version of Inspector General Earl Devaney’s assessment states that penetration testing repeatedly revealed systems were susceptible to cyberattacks. In addition, the IG pointed out that there is no strategy in place to supervise DOI-issued security policies. Some personnel, including Bureau of Indian Affairs contractors, were unaware these policies even existed.

Interior’s IT security is under the microscope because of a long-running dispute concerning the security of Indian trust fund information. A class-action lawsuit filed nine years ago criticizes Interior’s oversight of Indian trust funds. Plaintiffs have accused department officials of doing a poor job of protecting data from hackers.

The yearlong Federal Information Security Management Act of 2002 evaluation performed by Devaney concludes that DOI does not comply with the requirements of FISMA. In the same report, Interior’s Chief Information Officer Hord Tipton said Devaney’s requirements for security compliance exceed FISMA’s requirements, and the findings of the IG office do not take into account progress made throughout the year.

Interior Secretary Gale Norton concurs with the CIO in the FISMA assessment, reporting to OMB that Interior’s IT program meets the basic requirements of FISMA.

“I have confidence in the CIO’s opinion that, while IT security at DOI is not perfect, risks and vulnerabilities still remain, and improvements need to be made, nonetheless, the policies and process to address those risks are adequate, improvements have been and will continue to be made, and therefore, DOI substantially complies with FISMA,” she writes.

Today, Tipton said that the IG does not have the money or the responsibility to recheck all IT systems periodically.

As FISMA standards develop -- and improve every year -- the CIO and IG will become better at comparing apples to oranges, he said.

In the meantime, Norton is unclear on whether the agency should be spending money to correct defects that may pose minimal risk. In her letter to OMB she requests a clearer definition of “adequate” security.

“I ask for your assistance in determining where, between these two perspectives, your intent in measuring FISMA compliance lies…. The determination has significant funding and operational implications to DOI…” writes Norton.

The discrepancy between the IG and the CIO is a predicament all CIOs face in filing annual FISMA reports, Tipton adds.

“The big thing is the timing of the data,” he said, noting that some of the IG’s observations date back to October 2004. Since then, the agency has fixed the root cause of those problems by strengthening its procedures. “He didn’t get a chance to validate the fixes that we made. As long as we are in a system of not having our chronologies aligned, this presents a dilemma for the secretary.”

Today, Devaney reaffirmed his opinion that Interior’s systems are in jeopardy.

“The [Office of the Inspector General] stands by its October 2005 annual evaluation of the department’s information security program. Regardless of the requirements of FISMA, OIG’s IT security efforts found significant weaknesses in DOI’s IT security program. If these weaknesses are not corrected, DOI IT systems will remain vulnerable,” he stated.

A court injunction, issued Oct. 20, called for a shutdown of any computers, networks, handheld computers and voice-over-IP equipment that access trust fund data. The judge in the ongoing lawsuit had granted American Indian plaintiffs a motion for a preliminary injunction to prohibit Interior employees, contractors, tribes and other third parties from using those systems.

However, it is not known when or if a shutdown will occur. An appellate court postponed the judge’s order, after Interior officials requested an administrative stay Oct. 21 to temporarily suspend the shutdown, pending appeal.

The government filed the fiscal 2005 FISMA document with the federal court last Thursday. Subsequently, the plaintiffs posted it on their Web site www.Indiantrust.com to make it available to the public.

In the report, Devaney writes, “Perhaps most troubling has been the lack of an effective agencywide strategy to implement and oversee the various DOI-issued policies and procedures. Fieldwork continues to demonstrate that bureaus do not adhere to DOI policy – and in many cases are unaware of its existence – and self-report IT security metrics with little validation.”

Although DOI issued a policy for contractors in 2004, as mandated, none of the personnel involved with the three contractor-operated systems that the OIG reviewed were aware of the policy. One of these systems belongs to the Bureau of Indian Affairs.

Department officials placed the Bureau of Land Management’s Web sites off-line for two months this spring after the IG issued a report warning that its IT systems are vulnerable to cyberattacks.

In an attachment to the FISMA report, a penetration-testing score card shows that BLM had the highest penetration risk in each of the four categories evaluated: vulnerabilities, impact, ease of exploitation and overall penetration risk.

In 2001, the judge in the Indian trust fund case ordered Interior to disable Internet connections on all computers that employees -- and hackers -- could use to access trust fund data. He ordered two subsequent shutdowns, but Internet access returned to the department following a federal appeals court ruling that blocked the second order.