OMB finds security leverage

Two years ago, if someone brought up information security in a meeting of agency managers, the most likely response would have been, "The technology folks are taking care of it."

But that attitude is changing. Now, federal security experts say, even some Cabinet-level secretaries could provide details about their agencies' security policies.

Not every top government executive is so well informed, but information security clearly is a topic agency managers outside the information technology office are discussing in detail. As a result, they are no longer just discussing specific security strategies — they are also planning for them and putting them into practice, said an administration official who asked not to be named.

"Now it is all about implementation," he said.

Many experts trace the change back to the Government Information Security Reform Act (GISRA) of 2000, which requires agencies to conduct annual assessments of their security programs and strategies and submit reports to the Office of Management and Budget.

"I think it started with the requirement that the department head had to sign your GISRA report, and therefore it had to be staffed through your executive management — who asked questions, who forced the business unit leaders and executives in the department to be accountable for cybersecurity," said Lisa Schlosser, assistant chief information officer for IT security at the Transportation Department.

Officials from the General Accounting Office, which has issued many scathing reviews on agencies' security practices during the years, have noticed the shift in attitude.

"All agencies had weaknesses in security program management, which can often lead to weaknesses in other control categories," said Robert Dacey, GAO's director of information security. "But at the same time, a number of actions to improve information security are under way, both at an agency and governmentwide level."

Dacey testified last month before the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee. At the hearing, Rep. Stephen Horn (R-Calif.), subcommittee chairman, released his latest security grades for agencies, giving the government an overall failing grade.

Dacey was cautiously optimistic about agencies' progress in securing systems. "Some of these actions may require time to fully implement and address all of the significant weaknesses that have been identified, but implementation of [GISRA] is proving to be a significant step in improving federal agencies' information security," Dacey said.

OMB's Big Stick

Federal IT security experts say agency IT managers have begun to make improvements in information security because they are focusing on security management, rather than security technology.

In the past, IT managers typically would focus on simply buying technology on an ad hoc basis to secure systems, but they learned that technology alone did not solve the problem. GISRA pushed managers to take a methodical approach to identify vulnerabilities across an organization and develop a comprehensive strategy to fix them.

In their GISRA reports, agencies must measure the performance of managers in charge of information security, the effectiveness of security training programs, the integration of security programs and the enforcement of security policies in agency contracts.

With help from those GISRA reports, OMB last winter began reinforcing a February 2000 policy as part of the fiscal 2003 budget process. According to the policy, programs will not receive funding unless "adequate" security plans are in place.

The policy had been in place, but GISRA made agency managers take notice. "This past summer, if you said 'GISRA,' people knew what you were talking about," said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration. OMB's policy tends to get even the highest officials' attention, McDonald pointed out.

OMB's strategy forced agencies to think about security as part of a larger question of how they invest in information systems — one of the provisions of the Clinger-Cohen Act of 1996.

It has been a long struggle through both the Clinton and Bush administrations to "hitch the security program wagon to the Clinger-Cohen capital-planning train — [to] tie security so tightly to the budget process that no one could ignore it and when the opportunity came up, codify it in law," the administration official said.

Security will not improve unless agencies view it not only as one of the basic elements of any program, but also as an ongoing management focus, experts say.

"I believe that if you can demonstrate that you have a sound management strategy for cybersecurity, then you should get the appropriate funding," Schlosser said. "But if you can't demonstrate that, you shouldn't get increased funding."

OMB officials withheld fiscal 2003 funding for some IT projects, and the office is now working with agencies to straighten out the problems in their system and program designs, said Mark Forman, OMB's associate director for IT and e-government, testifying at Horn's hearing last month.

"Generally, the agencies would rather work through their security problems than not get funding, so that incentive structure seems to work," he said.

OMB is prepared to make life difficult for agencies that are not fixing existing security problems before tackling new ones.

"One of the recurring problems that we've seen is agencies' desire to invest in new IT, [but] at the same time they can't remediate legacy system problems," Forman said. "There's a trade-off to be made. We're making it very clear to the agencies that we're simply not going to fund new investments and short remediation or accreditation and certification."

OMB and agency officials have also incorporated information security into management score cards, which measure agency support for the President's Management Agenda.

Learning the Tricks

OMB may be getting involved at the front-end of agency planning right now, but agencies need to learn how to think about security measures as part of program planning, Forman said.

Some agencies have already gotten with the program. The Energy Department, for example, has included security in its Innovative Department of Energy E-Government Applications (IDEA) project, said John Przysucha, associate CIO for cybersecurity at DOE, speaking recently at a breakfast sponsored by the Bethesda, Md., chapter of AFCEA International.

Through the IDEA project, the department is investing in initiatives that demonstrate how e-government can support agency operations. Some of the 19 initiatives focus on security problems, but none of the initiatives will be successful without good security, he said.

Numerous agencies now require programs to pass through system certification and accreditation reviews, which forces program managers to focus on security upfront. It's similar to OMB's strategy: If a program fails a review, it cannot go forward.

Still, security problems will occur, despite the best planning, so agencies are working with industry to find ways to detect and respond to problems within systems and across departments.

Transportation officials recently signed an enterprise license for Foundstone Inc.'s vulnerability scanning and management solution. The department also uses Computer Associates International Inc.'s eTrust intrusion-detection system and several other companies' security products.

Now the department is working with those industry partners to bring those products together into a single, departmentwide incident-management solution.

"We're piloting that, working with industry right now to facilitate that next evolution," Transportation's Schlosser said. "The government isn't usually the leading edge on these kind of new initiatives, but in this case, we're trying to be. This is what we've challenged our industry partners to put together: Tell us, show us, integrate your point solutions so that we have a management perspective on vulnerability management and remediation."

GSA, which houses the Federal Computer Incident Response Center, has been tackling the same challenge governmentwide, developing an analysis tool that can pull together incident reports across civilian agencies.

Predicting the Future

The further agencies push into security management, however, the tougher it gets.

A good management strategy makes it easier to deploy solutions for detecting and responding to attacks. But the ultimate goal is prevention. "If you can predict what the threat's going to be and [assess] your vulnerability, you can go back to making better...and smarter investments," Schlosser said.

The FedCIRC data analysis tool is also intended to help with this effort, McDonald said.

Another boost will come from increased investments in cybersecurity research and development by the federal government.

Last month, Congress passed the Cyber Security Research and Development Act, authorizing more than $900 million during the next five years for grants through the National Science Foundation and other agencies. This will help immensely, experts say.

"Government scholarship programs that have started are a step in the right direction, but they need to be expanded over the next five years to help build the university infrastructure we need for the long-term development of trained security professionals," said Richard Pethia, director of the CERT Coordination Center at Carnegie Mellon University.

The fight has already begun to make sure that the authorization is followed with appropriations. Basic security education will require sustained attention and resources.

Agencies are working to raise the awareness of all their employees, making everyone understand that security is the responsibility of anyone who uses a computer and works on a network. More specific training for program managers and security staff are also being developed.

Online IT security training and coursework are available at the government level, Forman said. And the e-Training Initiative, led by the Office of Personnel Management, will soon incorporate additional security courses, he said.

Many security experts have spent much of their time during the past few years making the same speeches, pointing out the same problems and calling for the same fixes. The mindset is changing, but it has not changed completely. The speeches will not end anytime soon, McDonald said.

"Those of us who are out there proselytizing need to continue," she said.