The State Department is the first agency to test the new Consensus Audit Guidelines to close up the 20 biggest holes in federal networks.
The guidelines, issued Monday by public and private sector cybersecurity experts, are considered the low-hanging fruit to help agencies improve their network security immediately, says John Gilligan, a former Air Force and Energy Department chief information officer. Gilligan is now a consultant in the private sector. He also led the Obama Defense and Intelligence technology transition team.
Gilligan says State volunteered to map the controls detailed in the Consensus Audit Guidelines (CAG) against their current security baseline.
“The mapping against their attack patterns is completed and shows CAG matches closely to what State sees on global basis,” says Gilligan during a press conference introducing the final draft of the guidelines. “Their second effort to map individual controls and the ability to automate them against their current controls is progressing well.”
He adds State will make an assessment and see if the guidelines will improve their ability to protect their networks.
Gilligan says State’s experience hopefully is the first step toward wide acceptance of the guidelines.
“They like the ability to identify high priority areas,” he says. “We are reasonably comfortable that the controls serve as model for other federal agencies s as we look at the broader implementation of these tools.”
The controls describe the vulnerability and how it can be detected and shored up. Some of the guidelines include: white lists of software, secure configurations for desktops, firewalls, routers and switches, incident response and data recovery capabilities.
Gilligan and the other experts, which includes the Sans Institute and the Center for Strategic and International Studies (CSIS), are working with the CIO Council and the National Institute of Standards and Technology (NIST) to push for these recommendations to be mandatory for all agencies.
“The guidelines will change the way federal agencies measure security,” says Alan Paller, director of research at Sans. “The guidelines use actual attack information that has been and are being launched against government and industry. Before CAG, agencies had to choose the controls from what NIST calls a catalog of controls. Agencies didn’t have the information on attacks so they didn’t know which controls were most important, and they didn’t know how to implement them or measure their effectiveness.”
Gilligan says he briefed the CIO Council’s Security and Identity Management Committee and plans to brief the full committee once Vivek Kundra, who will be the next Office of Management and Budget administrator for e-government and IT, is officially nominated. Kundra will lead the CIO Council.
“We asked the CIO Council to identify some pilot agencies that we could use to test the CAG and gain experience using it,” Gilligan says. “The pilots would help identify any difficulties with it. We are hopeful the pilots would influence the CIO’s ability to make a decision on expanding the use of CAG across government.”
Gilligan adds that NIST also has reviewed the document and commented on it.
Without NIST accepting the guidelines, it would be difficult to make it mandatory for all agencies.
“NIST is doing an internal evaluation of how CAG maps to their current guidelines,” Gilligan says. “In fact, some portion of the updates of special publication 800-53 have been influenced by CAG. NIST is anticipating additional comments from government and industry to help inform their decision on how to proceed.”
Paller adds that another approach to making CAG mandatory is through legislation. Sen. Tom Carper (D-Del.), chairman of the Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, is expected to re-introduce legislation to update the Federal Information Security Management Act this spring. The legislation passed the committee last session.
“Clearly the work we’ve done here is the essential foundation for immediate implementation of the bill,” Paller says. “Once people test it and see it is a lot better than trying to meet a set of unauditable controls, they will put pressure on the CIO Council to accept it.”
Jim Lewis, a director and senior fellow in the Technology and Public Policy Program at CSIS, says FISMA has outlived its usefulness and the audit guidelines give people some idea of what could be next.
Paller adds that other industries are seriously considering using the guidelines, including banking, health care and the defense industrial base.
“We are in such a state of emergency that we need to proceed as quickly as possible,” Gilligan says.