Compliance focus is hampering cybersecurity, critics say

OMB urged to update federal security standards to better detect network vulnerabilities and keep up with new threats.

Federal officials on Thursday took up a long-standing and simmering debate over how the government protects its computer networks, arguing that the Office of Management and Budget should focus less on the compliance processes agencies have followed for years and more on continuous monitoring and testing to learn how well their systems withstand attempts to break in.

"It seems like OMB thinks that a snapshot of agency preparedness every three years will defend our critical networks," said Sen. Thomas Carper, D-Del., during a hearing of the Senate Federal Financial Management Subcommittee, which he chairs. "But instead, billions of dollars are spent every year on ineffective and useless reports. Meanwhile, we continue to get attacked."

His criticism was targeted at the 2002 Federal Information Security Management Act, which requires agencies to identify and inventory their IT systems and determine the sensitivity of the information stored on those systems.

For example, the State Department spent $133 million during the past six years amassing 95,000 pages of certification and accreditation documentation for about 150 major information systems, said John Streufert, chief information security officer at the department. The electronic working files that support this process during the same period contain 18 gigabytes of documents with more than 33,000 working files.

"This does not include databases for tracking system inventory, and tracking plans of action and milestones to resolve pending weaknesses," he said. "Most compliance-driven snapshots produce results on paper [that] are often extraordinarily accurate, but out of date within days of being published and are only indirectly connected to the new threats heading toward the department minute by minute."

To supplement FISMA reporting requirements, State implemented a widely lauded risk-scoring program that scans every computer and server connected to the department's network no less than every 36 hours to identify security vulnerabilities and twice a month to check software configurations. The program assigns points on a scale of zero to 10, with 10 being the riskiest security threats. Points are deducted once issues are resolved. Since July, overall risk on the department's key unclassified network measured by the scoring program has been reduced by nearly 90 percent at overseas sites and 89 percent at domestic sites.

"These methods have allowed one critical piece of the department's information security program to move from the snapshot in time previously available under FISMA to a program that scans for weaknesses continuously, identifies weak configurations [every] 15 days, recalculates the most important problems to fix in priority order daily, and issues letter grades monthly to senior managers tracking progress for their organization," Streufert said.
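The scoring program Streufert describes, modelled as an added example rather than the department's own code: open findings carry a 0-10 score, points come off when a finding is resolved, overall risk is compared against a baseline period, the daily fix list is ordered by priority, and a monthly letter grade is issued. The letter-grade thresholds and the sample findings are constructed for illustration, and the stale-host check (hosts that fell outside the 36-hour scan window) is an addition the article does not mention but a practitioner running such a program would want.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Finding:                # one open weakness on one host
    host: str
    site: str                 # "overseas" or "domestic"
    score: float              # 0 (negligible) .. 10 (riskiest)
    first_seen: datetime
    resolved: bool = False
def site_risk(findings, site):
    """Total open risk for a site; points come off once a finding is resolved."""
    return sum(f.score for f in findings if f.site == site and not f.resolved)
def reduction_pct(baseline, current):
    """Percent risk reduction against a baseline period, as the page reports it."""
    return 0.0 if baseline == 0 else round((baseline - current) / baseline * 100, 1)
def priority_order(findings):
    """Daily fix list: highest score first, oldest finding first on ties."""
    open_ = [f for f in findings if not f.resolved]
    return [f.host for f in sorted(open_, key=lambda f: (-f.score, f.first_seen))]
def letter_grade(pct):        # monthly grade for managers; thresholds are assumed
    for grade, floor in (("A", 90), ("B", 75), ("C", 50), ("D", 25)):
        if pct >= floor:
            return grade
    return "F"
def stale_hosts(last_scan, now, window=timedelta(hours=36)):
    """Hosts outside the 36-hour scan window: a coverage gap a score alone hides."""
    return sorted(h for h, t in last_scan.items() if now - t > window)

def demo():
    """Constructed sample: five July findings, three remediated by late October."""
    now = datetime(2009, 10, 29, 12, 0)
    fs = [Finding("web01", "overseas", 10.0, datetime(2009, 7, 1)),
          Finding("db01", "overseas", 7.5, datetime(2009, 7, 10)),
          Finding("ws12", "overseas", 2.5, datetime(2009, 7, 15)),
          Finding("fs02", "domestic", 9.0, datetime(2009, 7, 2)),
          Finding("ws40", "domestic", 1.0, datetime(2009, 7, 20))]
    baseline = {s: site_risk(fs, s) for s in ("overseas", "domestic")}
    for f in (fs[0], fs[1], fs[3]):
        f.resolved = True                    # web01, db01, fs02 remediated
    hours = {"web01": 1, "db01": 40, "ws12": 10, "fs02": 2, "ws40": 36}
    last_scan = {h: now - timedelta(hours=n) for h, n in hours.items()}
    out = {}
    for s, b in baseline.items():
        pct = reduction_pct(b, site_risk(fs, s))
        out[s] = (pct, letter_grade(pct))
    out["fix_order"] = priority_order(fs)
    out["stale"] = stale_hosts(last_scan, now)
    return out
```

A host that drops out of the scan window contributes nothing to the score, so a falling total can hide lost coverage; the stale list is what keeps the number honest.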

Tom Davis, a former Virginia congressman who championed FISMA in 2001 and 2002 and was chairman of the House Committee on Oversight and Government Reform, said the legislation is due for a rewrite. "While I believe the requirements FISMA enumerated would be components of any sound information security plan, the need at present is to operationalize its implementation," he said.

That would include penetration tests and performance measures such as the time between when someone breaks into a system and when the agency learns of the unauthorized access, the time it takes to deploy a security patch, or the time it takes to complete an analysis of how the intrusion occurred.

When FISMA was first enacted, the metrics "were lagging indicators focused on compliance rather than outcomes," said Vivek Kundra, federal chief information officer. "Agencies reported infrequently ... in an environment where threat vectors change daily [and] the information collected does not reflect the readiness of the agencies to deal with the reality of modern threats. Even information as basic as the cost of compliance or the number of days to apply a critical patch is not readily available."

OMB is making changes, Kundra said. This month, the office launched CyberScope -- an interactive data collection platform for reporting FISMA requirements that will provide greater opportunity for trend analysis and tracking of information security spending by agencies. OMB also is working with the federal Chief Information Officers Council and agencies' chief information security officers, inspectors general, and the National Institute of Standards and Technology to develop metrics that predict security vulnerabilities and reflect agencies' information security status.

"Metrics will be focused on game-changing ways that we can address real security," including penetration testing, Kundra said. "The key is to move away from this culture of compliance to execution."

The Government Accountability Office recommended that OMB issue revised guidance to CIOs for developing security measures within their own agencies and reporting FISMA compliance that provides better status information on the security posture of the federal government.

"OMB is the only one that can make this happen, absent Congress passing a bill," Carper told Kundra. "Take a hard look at what you can do, and make sure you don't waste another month or another billion dollars or more on a [process] that doesn't work."