Information Security News mailing list archives

Federal Government Has A Ways To Go To Secure Systems


From: InfoSec News <isn () c4i org>
Date: Wed, 25 Jun 2003 02:40:04 -0500 (CDT)

http://www.informationweek.com/story/showArticle.jhtml?articleID=10800126

By Eric Chabrow 
June 24, 2003

Since January, the State Department has wiped out more than 155,000
viruses on its IT systems. Between Oct. 1 and May 31, the first eight
months of fiscal year 2003, the department recorded more than 700
attempts to hack its IT systems.

Those are just two examples of the vulnerabilities the government's
thousands of IT systems face. At a hearing before a House panel
Tuesday, government IT experts testified that progress in securing
systems is being made, but at a slower pace than many had hoped.

"While some progress is clearly being made at federal agencies, going
from an F to a D or D to a C isn't saying much," Rep. Adam Putnam,
R-Fla., chairman of the House Subcommittee on Technology, Information
Policy, Intergovernmental Relations, and the Census, said in opening
remarks at an oversight hearing on cybersecurity. Putnam said
Congress, the Bush administration, and agencies must work together to
provide a relative degree of comfort that IT systems are secure. "We
are a long way from that point today."

Putnam's lament was backed up by a report from the General Accounting
Office, the investigative arm of Congress, that showed significant
challenges remain in implementing information security requirements.
For instance, eight of 24 agencies reported that they hadn't assessed
security risks for half of their IT systems.

Robert Dacey, GAO director of information security issues, said
various agencies' inspectors general have noted that even when agencies
develop plans to correct security problems, their usefulness is
limited because they don't identify all weaknesses, provide realistic
completion estimates, or prioritize actions. Nine of 14 agency
inspectors general surveyed by GAO said their organizations'
corrective action plans failed to identify significant cybersecurity
weaknesses. "Overall, agencies aren't effectively implementing and
managing their information security programs," he testified.

Treasury Department CIO Drew Ladner conceded that it's slow going. A
review required by the Government Information Security Reform Act
revealed 14 major weaknesses. "Central to the IT security material
weaknesses is that the department hasn't yet achieved the goal of full
certification and accreditation of mission-critical systems and major
applications," Ladner said. "In addition, specialized IT security
training and incorporation of security into the capital investment
planning process needs improvement."

What's Treasury doing to correct the situation? First, Ladner said,
it's implementing an aggressive oversight and compliance program in
which each bureau evaluates security policy and guidance, computer
incident handling and response, security training, managing plan of
actions and milestones, integrating security into capital planning,
and getting systems certified and accredited.

Funding isn't a problem. The State Department, for instance, spends
more than $1 in $5 of its IT budget on IT security. Acting State
Department CIO Bruce Morrison testified that the flagship of its new
cybersecurity efforts is a program to certify and accredit all of its
150 IT systems by September 2004, adding that one-third of the systems
should be accredited by Sept. 30.

Legislation requiring government organizations to get their IT
security in order has resulted in top agency officials buying into the
plan. That's seen as progress by some officials. "The most positive
impact has resulted from the laws' requirements to view the agency's
IT security posture as a whole, rather than as separate parts," said
National Aeronautics and Space Administration inspector general Robert
Cobb. "The legislation and related Office of Management and Budget
guidance have provided NASA with a framework for more effectively
managing IT security. As a result, NASA senior management is
increasing the attention given to IT security."

But Cobb cautioned that NASA must change its decentralized culture--in
which power is often found within agency centers--by attacking IT
security centrally through its OneNASA concept. If implemented
correctly, he said, centralization and a revised architecture will
improve the agency's information-security posture. "However, as long
as NASA governance structure is such that center CIOs and security
officials report to center directors--who are program
officials--rather than to the NASA CIO and the agency's assistant
administrator for security management and safeguards, a fully
integrated approach to information security will be impossible at
NASA."

OMB E-government and IT administrator Mark Forman, the federal
government's top IT officer, reminded the committee that agencies must
develop security plans and get their systems certified and accredited
if they want to receive money to fund IT programs. In the coming
fiscal year, Forman said, nearly 500 government IT systems have been
deemed at risk, either solely or in part because of IT security
weaknesses, since they haven't been properly certified or accredited. By fiscal
year 2004, which begins Oct. 1, the administration plans for 80% of
the federal government's major IT investments to integrate security
into the life cycle of the investment. That's a big challenge, Forman
said. "Failure to appropriately incorporate security in new and
existing IT investments automatically requires the business case to be
scored as 'at-risk,'" he said. "As a result, that system isn't
approved for the fiscal year in which the funds were requested until
the security weaknesses are addressed."



-
ISN is currently hosted by Attrition.org
