[ISN] Lawmakers want stronger NASA IT security

From: InfoSec News (alerts@private)
Date: Mon Jun 02 2008 - 00:10:13 PDT


http://www.fcw.com/online/news/152700-1.html

By Mary Mosquera
FCW.com
May 30, 2008

A House measure to authorize NASA's programs for fiscal 2009 would also 
direct the space agency to report to Congress on the effectiveness of 
its network security controls.

Also, if the legislation as written becomes law, the Government 
Accountability Office would test NASA's network for vulnerabilities and 
provide the results in a restricted report to NASA's oversight 
committees. The space agency would also detail the corrective actions it 
has put in place to prevent such intrusions.

The House Science and Technology Committee's Space and Aeronautics 
Subcommittee approved the measure May 20. The full committee is 
scheduled to consider the legislation June 4, a committee spokeswoman 
said.

Agencies already report annually to the Office of Management and Budget 
on how they comply with the Federal Information Security Management Act, 
including activities such as conducting certification and accreditation 
of their major systems. However, some security experts criticize FISMA 
compliance as a checklist exercise. FISMA merely measures whether 
someone has written a policy or a report, said Alan Paller, research 
director of SANS Institute.

"This is much better than FISMA because they are actually measuring the 
network's ability to perform security missions," he said.

Under the authorization measure, NASA would also report to the House and 
Senate committees with jurisdiction over the agency on how well its 
security controls support:

    * The network's ability to detect and monitor access to its 
      resources and information.

    * Authorized physical access to the network.

    * The encryption of sensitive research and mission data.

Attempts to attack agencies' systems are increasing, and the risks are 
clear, said Mark Udall (D-Colo.), the subcommittee's chairman. For 
example, GAO recently reported on weaknesses at the Tennessee Valley 
Authority that could disrupt the utility's basic operations.

"For NASA, computer networks are the backbone of almost all operations 
and are critical to the safety of our astronauts, the success of space 
missions and the use of satellites," Udall said, adding that "we must do 
all we can to protect these resources."

Agencies need to determine through risk assessment the specific security 
controls that would block current attacks that affect their mission, 
Paller said. The National Institute of Standards and Technology 
provides guidance on FISMA, but it is too general, he said, adding that 
network security guidance needs to be specific.

"You have to put your money into the right controls," he said. 
"Generalized security policies are the same as no security policies."

NIST has produced a risk-management framework that agencies can use to 
better assess priorities for their systems and information. OMB also has 
encouraged agencies to use a risk management approach to information 
security and has initiated efforts, including reducing the number of 
Internet gateways through the Trusted Internet Connections and 
standardizing security components through shared services providers in 
the Information Systems Security Line of Business. Both initiatives 
include continuous monitoring of systems and external connections.

Paller said he believes that information security oversight could be 
included in appropriations bills.

"I think as soon as we get it in one appropriations bill, that will be 
the last nail that's needed to get NIST to fix the way it implemented 
FISMA," he said.

Lawmakers also receive information about the network security of the 
agencies that they oversee from classified briefings, Paller said.

"When they find out how badly defended the federal government is, after 
the classified briefings, people ask different questions," he said.

Rep. Tom Davis (R-Va.), ranking member on the Oversight and Government 
Reform Committee, found in the most recent report card he issues on 
agencies' compliance with FISMA that half of the major agencies got a C 
grade or lower on information security, while half earned B or above. 
The highest grade is an A-plus. Davis has advocated more oversight over 
agency information security practices, incentives for agency success and 
funding penalties for agencies' poor security performance, said Brian 
McNicoll, a spokesman for Davis.

"With high-profile security breaches and continually sagging FISMA 
scores, it should come as no surprise that we'll see more and more data 
security language folded into authorizing and appropriating bills," 
McNicoll said.
