Security deadline looms

Desperate agencies turn outward for help in meeting new security reporting law

Three months and counting. That's how long federal agencies have to provide the Office of Management and Budget, and thereby Congress, with a complete assessment of their ability to secure their computer systems and services. And that deadline has left agencies scrambling to find ways to squeeze in as much work as they can, while hoping that legislators do not express their displeasure over any shortcomings by denying future funding requests.

The Government Information Security Reform Act (GISRA), signed into law in October, does not ask agencies to do anything new when it comes to securing information technology. The law simply requires that the appropriate programs, processes, technology and personnel be in place to provide adequate security for the federal government's increasingly IT-dependent services, and that reports detailing that activity be submitted annually to OMB.

"Truly, a lot of it isn't new. This is all built from existing legislation, regulation and guidelines," said Marianne Swanson, a computer specialist at the National Institute of Standards and Technology's Computer Security Division.

The act codifies requirements that, in some cases, have been in place since 1987, when Congress passed the Computer Security Act — the underlying legislation for nearly everything that happens in the federal security arena. Appendix III of OMB's Circular A-130, the central guidance for all IT management, also includes detailed guidance on security. And last year, OMB officials issued new requirements for IT funding requests, saying systems with inadequate security plans would not be funded.

GISRA "puts teeth into accountability," said Terry Antonacci, director of government services at Netsec, a Herndon, Va.-based information security company. "Where the other acts say you should do things, the Government Information Security Reform Act says we [in Congress] know that computer security is important, and we're going to make sure you're doing the right things."

Congress set the tight Sept. 30 deadline because GISRA only asks agencies to report on actions they should have taken already. Nevertheless, few agencies have done much to prepare the reports, according to several government officials. And worse, some haven't even performed the underlying tasks they are supposed to be reporting on, such as assessing system vulnerabilities or updating software.

But the process takes time. "If you don't have any of this done, then we're talking about a three- to four-week effort" for each system, Swanson said. Failure to meet the deadline could jeopardize an agency's funding.

Early Displeasure

Taking early action on GISRA, Rep. James Greenwood (R-Pa.), chairman of the House Energy and Commerce Committee's Subcommittee on Oversight and Investigations, asked the 15 agencies under the subcommittee's jurisdiction whether they had performed vulnerability assessments and what other security actions they had taken. The agencies' reports, prepared in March, showed that only a few had performed penetration tests, which were limited at best. And the ones that had performed tests were doing very little to correct the problems they found.

"At this point, we are not surprised or pleased with what we are finding," Greenwood said at an April 5 hearing on the security of government computer systems.

Greenwood did point out one important fact that agencies hope Congress will take into consideration when reviewing the GISRA reports later this year: Agencies that test thoroughly usually identify more security problems than those that test less rigorously. So finding more problems does not necessarily equate with doing a worse job at security.

"They should be commended for doing the tests at all," Greenwood said.

GISRA outlines some of the basic management principles behind good security, but it does not give detailed requirements when it comes to technology or tests.

Even follow-up guidelines from OMB do not provide specifics. For example, the first set of guidelines, dated Jan. 16, counsels agencies on the responsibilities of chief information officers, program managers and inspectors general and recommends that they coordinate their efforts when producing the annual report for OMB.

Another set of guidelines, released in draft form in May, lists 11 questions agencies must answer in their reports to OMB (see box, right). The guidelines make it clear that OMB is looking for specific information about the steps agencies have taken.

Officials at the General Services Administration are trying to help. GSA is the lead agency under Presidential Decision Directive 63, a May 1998 mandate from President Clinton requiring agencies to secure the systems that support the nation's critical infrastructure, such as transportation and power.

In that role, GSA officials are holding meetings with agencies across government to talk about their responsibilities under PDD 63 and GISRA, said Sallie McDonald, assistant commissioner of GSA's Office of Information Assurance and Critical Infrastructure Protection.

"We want to facilitate bringing the agencies together to talk about GISRA, about what they need to do and to share best practices from other agencies," she said.

To further help agencies with the specifics, OMB has recommended several guides and publications that have been under development for some time. Top among those is the National Institute of Standards and Technology's draft publication "Self-Assessment Guide for Information Technology Systems." Released in draft form March 9, the 66-page checklist of security actions covers 17 issues under the areas of management controls, operational controls and technical controls.

It guides program officials through each step and helps them identify whether they have sufficient security policies and procedures in place, whether they implemented those procedures and tested the effectiveness of that policy, and whether they have fully integrated the procedures into the system's life cycle.

The publication is the follow-up to a joint NIST/CIO Council effort, the Federal IT Security Assessment Framework, which helps agencies prioritize areas for improvement. NIST will issue the final version of the questionnaire soon, Swanson said. In the meantime, "use the draft; it's not going to change that much," she said. "Don't wait, because the clock is ticking."

Out in Front

Several agencies, including the U.S. Agency for International Development and the Education Department, have already started using the questionnaire. Both have reported their experiences to NIST so they can be shared with the rest of the federal community. USAID is one of the lead agencies on the CIO Council's Best Security Practices initiative, and agency officials hope their example can be instructive to others, said Jim Craft, USAID information systems security officer.

Other agencies have been trying to establish good security management for some time and now need to measure their progress using the new guidance. "We had started before we got the draft OMB guidelines, and we think it maps fairly well," said David Nelson, deputy CIO at NASA and the agency's lead on security matters.

Those guidelines "were not pulled out of a hat," Nelson said. "They do map into the kind of program that you're supposed to be running."

Having already documented the security of many of their systems, NASA officials are now working to fully integrate performance measures into how they determine the effectiveness of those actions. With the full support of the agency administrator, NASA has also developed comprehensive security training and certification for all employees, and even many contractors.

In many cases, agency officials are working closely with their counterparts in the Defense Department, drawing on their expertise in both unclassified and classified arenas. But NASA officials developed their understanding of risk management — being able to figure out how much security is necessary for a system — internally.

A March 30 inspector general report praised NASA's processes to "ensure [that] information security is considered as a part of the agency's strategic information resource program planning." After being hit hard by the General Accounting Office in recent years, NASA established many new IT security policies and is now working to make sure they are followed across the agency.

NASA's next step is developing measures to test whether its policies and processes actually improve security — something OMB and Congress hope to see reflected in all agencies' GISRA reports.

In spite of their progress, even NASA officials expect to have trouble meeting the September deadline. "We are scrambling a bit to put it together," Nelson said.

In talking to agencies about what they are doing to meet the GISRA deadline, NIST officials have discovered that agencies are taking many different approaches to compliance, Swanson said. Some are doing sampling — testing a set of systems that are representative of others and extrapolating from there — while others are testing every system across the agency.

But most agencies are taking at least one common step. "The majority of [agencies] are using contractors to do this since we just don't have the personnel to do a full-blown assessment," Swanson said.

GSA's Office of Information Assurance and Critical Infrastructure Protection is also promoting the use of a contract GSA developed to help agencies meet the requirements of PDD 63 but that could also be useful for complying with GISRA. The Safeguard contract lists 27 vendors, with many more subcontractors, that offer security services, including vulnerability assessments and penetration tests.
