http://federaltimes.com/index.php?S=3425020

By COURTNEY MABEUS
Federal Times
March 20, 2008

With threats of cyber attacks mounting, federal chief information officers say ensuring data security is one of their most important roles. But in a survey released last month, many say the mandates they must comply with may be impeding — rather than improving — security.

The Federal Information Security Management Act became law five years ago requiring agencies to establish controls to protect sensitive data contained in information technology systems. It requires agencies to inventory systems and to develop standards for categorizing information contained within them by risk.

The Office of Management and Budget has complicated matters, some experts say, by placing even more demands on CIOs, including mandates that all laptops be encrypted and a governmentwide plan to cut down on the number of Internet connections.

In an annual survey released by the Information Technology Association of America in February, CIOs interviewed said they question whether the return on their investments is outweighed by the burdens of compliance. And though many CIOs reported efforts to reduce the costs associated with certifying and accrediting systems as secure, the survey's summary report said some officials had not seen clear, measurable improvements.

"Sometimes it does feel like they're going overboard," said Richard Westfield, CIO at the National Labor Relations Board. "But, where do you draw the line?"

Problems

Patrick Howard, chief information security officer for the Housing and Urban Development Department, said there is too much disconnect between what is required by OMB and what is necessary "right now." For example, he said he wonders why there is so much emphasis on having tested contingency plans for all systems — including those that are considered low risk for managing sensitive information.
Such requirements, Howard said, may lead some CIOs to focus too much on achieving a good grade on the president's management agenda (PMA) scorecard, which quarterly tracks how well agencies are doing in implementing policies in a number of areas including e-government, to the detriment of other agency projects.

"It kind of takes your ability to prioritize the use of your resources away from you and focuses it on someone else's priority," Howard said. This week, Howard becomes the new chief information security officer at the Nuclear Regulatory Commission.

Some CIOs complain that OMB demands are usually unfunded and that agencies are given little time to meet demands. They also say OMB has done little analysis of the costs and benefits of those directives.

Westfield, who also serves as co-chairman of the federal CIO Council's Small Agency Council, said many CIOs struggle to explain the importance of their projects to other agency management officials.

"The average, everyday user on our network and probably every other network thinks that my job is supposed to make their jobs more difficult to do," he said.

With inadequate budgets — listed as one of the top five barriers to CIOs' effectiveness in three of the past four ITAA annual surveys — several CIOs said they must make improvements to promote greater savings and efficiency and not just to get the best score on the PMA.

"When you go out and make a case for the budget and the need to do this, it can't just be to get to green" on the traffic-light-style scorecard, NASA CIO Jonathan Pettus said.

Pettus brought in officials from the National Institute of Standards and Technology to help NASA comply with OMB and FISMA demands because of inconsistent interpretations among its own IT officials. As a result of that help, Pettus said NASA was able to identify possibilities for consolidating some systems and developed a more efficient model for certifying and accrediting systems.
It also determined the need for a core group of consultants to work with each of its regional offices on future compliance efforts.

Still, just like having an established building code will not prevent a house from collapsing, being compliant with FISMA does not necessarily mean your agency's information is secure, Pettus warned.

Solutions

Alan Paller, director of research for Bethesda, Md.-based SANS Institute, criticizes FISMA for that reason. Although he said he sees real results from OMB directives, FISMA is "wasteful" because compliance is increasingly being done by contractors who have little incentive to promote efficiency. And too many people with the technical skills necessary to handle compliance reporting have left for better-paying jobs in the private sector, Paller said. His group provides certification and accreditation training and other resources to IT professionals.

"The solutions for most of these problems are common, but the agencies each hire different contractors for security," Paller said. CIOs across agencies need to do a better job of communicating best practices to build "a common answer rather than everyone building its own answer," he said.

But some CIOs said they are working to develop automated processes to help streamline compliance in such a way that cuts cost and staff time — and will share that across agencies.

When CIO Joseph Klimavicz joined the National Oceanic and Atmospheric Administration in January 2007, he developed a 500-day plan to streamline computer security and catch up with the backlogged certification and accreditation of 135 IT systems. The agency established some common controls for certification and accreditation that have allowed it to begin piloting a cyber security assessment and management software tool that allows users to input information to determine if a system complies. It will eventually provide the service to the Commerce Department, of which NOAA is a part, Klimavicz said.
"This is a Turbo Tax equivalent for [certification and accreditation]," Klimavicz said.

Howard, NRC's new chief information security officer, was a contractor in 2003 when he helped the Transportation Department certify and accredit about 200 systems — mostly in financial and administrative areas — over a two-year period. By identifying common controls across those systems, the agency was able to complete each for around $15,000 — much less than the $25,000 to $300,000 price tag that Howard said is often associated with such projects.

Howard said he approaches compliance as a risk management tool because of shrinking budgets for IT security.

"Compliance is not going to go away," he said. "It's a part of life."