Energy, DOD rethink security rules

The Energy and Defense departments are making major changes in their information security policies

The Energy and Defense departments are making major changes in their information security policies following last year's mandated self-assessments, particularly in programs to enforce those policies, officials told Congress earlier this month.

Many agencies knew their security policies were outdated or insufficient before performing the assessments required by the Government Information Security Reform Act (GISRA) of 2000.

But the GISRA assessment provided a detailed examination that was not available before, said Robert Gorrie, deputy director of the Defensewide Information Assurance Program, testifying March 6 before the House Government Reform Committee's Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations.

The senior-level attention has made it possible for significant changes to occur, said Mark Forman, associate director for information technology and e-government at the Office of Management and Budget.

Not only did agency heads have to approve the assessment reports sent to OMB last October, but they also personally received and responded to follow-up letters from OMB Director Mitchell Daniels Jr.

DOD officials are already issuing new information security directives and instructions to replace the 1992 directive that currently governs DOD security, and the capstone directive will be released soon, Gorrie said. But "without question, the biggest single lesson learned during the [GISRA assessment] was the problems associated with our security certification and accreditation program," he said.

The DOD Information Technology Security Certification and Accreditation Program (DITSCAP) is the departmentwide enforcement tool. It is used to make sure every system on the Defense network meets the department's security policies. But it is a complex program, and that complexity has led to many compliance problems as managers try to circumvent the DITSCAP process.

DOD officials already were aware of this problem, but there was no documented proof of it until the GISRA assessment, Gorrie said.

Now DITSCAP is undergoing "dramatic modification" to streamline and clarify the process, he said. DOD officials are also looking for automated tools to make it easier for security and systems managers to comply with the documentation requirements, he said.

At Energy, officials are also updating and enhancing old security policies, including the department's security training and awareness program, which will be expanded "so that every member of the DOE infrastructure is aware that cybersecurity is an integral part of his or her job," said Karen Evans, who became Energy's chief information officer in January.

But Energy officials are also developing many new security programs, particularly the first departmentwide certification and accreditation program for unclassified systems, which is essential to making security a part of every system's life cycle management, she said.

The fact that GISRA focused management attention on security is an important step, but subsequent agency actions will make the difference, said Alan Paller, research director at the SANS Institute, a security education and consulting organization. Currently, those actions are required by OMB guidance, not legislation, he pointed out.

And until corrective actions are mandated, such as those in the Federal Information Security Management Act proposed by Rep. Tom Davis (R-Va.), which would reauthorize and enhance GISRA, there is no way to ensure that agencies will continue to make necessary changes and that Congress will back them up with funding, said Shannon Kellogg, vice president for information security programs at the Information Technology Association of America.

To ensure continued attention from senior officials, "OMB will soon meet with all 24 large agencies and departments to discuss their work in implementing their corrective action plans," Forman said.

***

Hardening DOD's and Energy's systems

Changes in security policy at the Defense Department include:

* Modifying the DOD Information Technology Security Certification and Accreditation Program, which is used departmentwide to ensure that all information technology systems meet DOD security requirements.

* Publishing a series of new information assurance directives and instructions to replace a single 1992 directive. Some are already available; others, including the "capstone" directive, will be released soon.

Changes at the Energy Department:

* Enhancing the department's security training and awareness program to make sure every DOE employee is aware of his or her security responsibilities.

* Developing a departmentwide certification and accreditation process for DOE's unclassified information systems and networks. DOE already has a similar process for its classified systems.

* Implementing an independent validation and verification process for all of the department's critical information systems.

* Improving the department's IT capital planning process to ensure security is seamlessly integrated into each system's life cycle costs.