Karen Evans has about six weeks left as the administrator of e-government and information technology in the Office of Management and Budget. But that doesn’t mean she is packing her things and taking it easy.
In fact, Evans says her expectations around what agencies need to accomplish and by when have not waned even a little.
“OMB is looking at agencies’ policies to make sure they are doing what they said they would do,” says Evans at a conference Thursday on the Trusted Internet Connections (TIC) initiative in Washington sponsored by Juniper.
Part of the way OMB is doing that is with the General Services Administration, which is running the Policy Utilization Assessment tool for the Federal Desktop Core Configuration (FDCC) for Microsoft Windows XP and Vista.
Evans says this second test will analyze how the 25 major agencies have implemented the FDCC.
When GSA ran the first test with a smaller number of agencies earlier this year, only 30 percent of the agencies had fully installed the FDCC on their computers. Evans says she hopes for at least 50 percent this time around.
The correct implementation of the FDCC is one of the basic things agencies can do to improve cybersecurity.
Evans says basic configuration management, patch management and having a security operations center (SOC) that operates 24 hours a day, 7 days a week are fundamental steps agencies should be taking.
“Not all agencies have a 24/7 SOC even if they say they do,” she says. “When we find out those agencies that say they have a 24/7 SOC and don’t, I e-mail those chief information officers and ask them ‘what’s going on?’”
Some agencies may not have SOCs yet because they are waiting on GSA to add TIC services to the Networx telecommunications contract.
GSA expected to add these services by the end of November, but it delayed modifications to Networx until Dec. 14.
Once GSA makes awards, vendors have 60 days to certify and accredit their systems, meaning agencies will not be able to purchase these services until February at the earliest.
Evans says part of the reason for the delay is that the Homeland Security Department needed to make sure it developed the correct requirements for secure gateways.
She says she is frustrated that it will take longer to offer TIC services, but there are plenty of things that agencies can do, including implementing some of the basic security requirements.
DHS, meanwhile, is developing a program to constantly monitor and analyze agency Internet connections. Should one not meet the TIC requirements, Evans says DHS can pull that agency offline until the problem is fixed.
“With any major change in your configuration, you need to redo your certification and accreditation,” she says. “This is the difference between compliance and achieving results.”