Agencies soon will be told to change the way they certify and accredit their computer systems.
The Office of Management and Budget is drafting a memo to move agencies out of the once every three-year process under the Federal Information Security Management Act.
The goal of the memo is to implement the concept of ongoing authorizations as outlined in the fiscal 2012 FISMA guidance sent to agencies in September.
In the document, OMB says agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs. OMB says continuous monitoring programs fulfill the three-year security reauthorization requirement, so a separate re-authorization process is not necessary. In an effort to implement a more dynamic, risk-based security authorization process, agencies should follow the guidance in NIST Special Publication 800-37.
The Homeland Security Department is the first out of the gate in putting ongoing authorizations into place.
“We have multiple components that are now running pilots with ongoing authorization. It will be a three-month pilot,” said Jeff Eisensmith, the DHS chief information security officer, during a panel discussion Tuesday in Washington sponsored by ACT-IAC. “At the end of that, I hope to have the artifacts I will share with brethren, all the other departments who are thinking about doing this. In the meantime, OMB has put out a draft that changes the playing field and actually supports and embraces ongoing authorization. There is real change going on here.”
OMB didn’t respond to a request for comment on the draft memo.
Government sources say CIOs and CISOs are reviewing it and there is no timetable on when it could be released.
Real-time cyber health data
Meanwhile, DHS is conducting three pilots at its headquarters offices, at the Citizenship and Immigration Services and at the Immigration and Customs Enforcement components.
Eisensmith said the end goal is to give information security officers (ISOs), risk management officers and senior leaders enough information to make decisions about the health of their networks.
“What ongoing authorization looks like is the ISOs are now head down, looking at audit logs instead of creating paper. They are prosecuting the anomalies that are coming at them,” he said. “With continuous monitoring, the goal is to have a dashboard out there that the ISO will look at. He or she can look at the top 10 bad boys every single day and say ‘This is what I have to prosecute today.’ The risk executives will have an idea in a much more near-real time way of saying ‘Can I do that today? Should I push that patch off for two weeks or is my hair on fire today?’ That’s the vision of the future and it’s not that far off.”
Eisensmith said ongoing authorizations create more consistent interactions between the authorizing official, who is the person in the agency that signs off on the system saying it meets the FISMA requirements, and the system owner, who’s responsible for keeping the system secure in the first place.
Eisensmith said some authorizing officials are looking at systems every two weeks, usually because of a triggering event, meaning something about the system changed.
IG is on board
He said DHS has key support of OMB, the Government Accountability Office, the National Institute of Standards and Technology and even the agency’s Inspector General to move to ongoing authorizations, which is a major reason they are able to test this concept out.
“We partnered with the IG and explained our processes,” Eisensmith said. “We asked the IG for help to make this something they are comfortable with and able to report on. The IG said we were right, the old paradigm isn’t getting the job done.”
The move to ongoing authorizations is part of the broader implementation of continuous monitoring and getting away from the historical approach to FISMA of reauthorizing systems every three years.
Congress has tried to update FISMA several times over the past few years. The House passed the latest version last month. The Senate’s attempt to modernize FISMA as part of a comprehensive cyber bill has stalled.
So instead, OMB and DHS are changing FISMA through policy and regulation. The FISMA guidance is one example, as is the continuous monitoring policy DHS issued last June.
As part of the effort to implement continuous monitoring, several agencies are putting in place the pieces that eventually will make up the process.
Closing the gaps
The Coast Guard brought together all 52 of its field offices a few months ago to reach agreement on taking a few specific steps to secure its networks. Mark Powell, the Coast Guard’s director of the command, control, communications, computers and IT service center, said he believes ongoing authorizations are a good idea and is following the pilots closely.
Powell said, in the meantime, the service wants to close the security gaps inside its network.
“What we’ll do is first of all is focus on configuration management. We’ve been working with all the field units, identifying standard configuration, which ports are open and which ports are blocked,” he said. “We are ensuring that all the systems attached to our network share that common configuration and we are able to identify any devices that are out of configuration on the network.”
Powell said the Coast Guard also will continue to implement host-based security system software.
“We will ensure all of our devices have that installed on them and that we have tuned that system so that we are getting accurate reports on what’s happening on the network and are able to identify any abnormalities that might occur,” he said.
The third area the Coast Guard will focus on is network mapping and scanning. Powell said the service no longer will just let employees hook up a system to the network and secure it later. Instead, they are looking to find these rogue systems and bring them into compliance.
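The configuration-management and rogue-device steps Powell describes (a standard configuration of open and blocked ports, detecting devices that are out of configuration, and finding systems attached to the network that were never brought into compliance) come down to comparing observed state against a baseline and an inventory. The script below is an added illustration of that comparison and is not Coast Guard code; the baseline, inventory and scan results are constructed sample data.

```python
# Added example (not from the article or the Coast Guard): a small
# configuration-compliance and rogue-device check. The baseline,
# inventory and scan results below are constructed sample data.
from dataclasses import dataclass, field

# Constructed baseline: for each device role, ports that must be open and
# ports that must be blocked on every device of that role.
BASELINE = {
    "workstation": {"required": {445}, "blocked": {21, 23, 3389}},
    "web_server":  {"required": {443}, "blocked": {21, 23, 3306}},
}

# Constructed authorized-device inventory: IP -> role.
INVENTORY = {
    "10.0.1.10": "workstation",
    "10.0.1.11": "workstation",
    "10.0.2.5": "web_server",
}

# Constructed scan results: IP -> set of observed open TCP ports.
SCAN = {
    "10.0.1.10": {445},
    "10.0.1.11": {445, 23},     # telnet open: out of configuration
    "10.0.2.5": {80},           # 443 missing: out of configuration
    "10.0.3.77": {22, 8080},    # not in inventory: rogue device
}

@dataclass
class Finding:
    host: str
    kind: str                   # "rogue", "unexpected_open", "required_closed"
    ports: set = field(default_factory=set)

def check_compliance(scan, inventory, baseline):
    """Compare observed open ports against the role baseline and flag
    devices that are not present in the authorized inventory."""
    findings = []
    for host, open_ports in sorted(scan.items()):
        role = inventory.get(host)
        if role is None:
            findings.append(Finding(host, "rogue", set(open_ports)))
            continue
        rule = baseline[role]
        unexpected = open_ports & rule["blocked"]
        if unexpected:
            findings.append(Finding(host, "unexpected_open", unexpected))
        missing = rule["required"] - open_ports
        if missing:
            findings.append(Finding(host, "required_closed", missing))
    return findings

if __name__ == "__main__":
    for f in check_compliance(SCAN, INVENTORY, BASELINE):
        print(f"{f.host}: {f.kind} {sorted(f.ports)}")
```

In practice the scan dictionary would be fed from the network mapping tool's output and the inventory from the asset system, so each run produces the day's list of devices to bring back into configuration.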
Powell said the challenges the Coast Guard faces are not technology, but people. He said the goal is to instill best practices across the service by holding people more accountable than ever before.
Building in two-factor authentication
At Citizenship and Immigration Services, the focus is on identity management as one way to improve cybersecurity.
Larry DeNayer, the chief information security officer for CIS, said the bureau is in the middle of a transformation moving 90 paper-based processes online.
“This transformation initiative gives the perfect opportunity to use Identity, Credential and Access Management as the model architecture to drive forward with HSPD-12 implementation for internal customers and users,” DeNayer said. “Also, as we grow the external customer base, we can improve things like e-authentication, two-factor authentication for customers that are out there in cyber and execute in that fashion. In addition, we also see opportunity to tie identity management to credential issuance, account set up and the whole account management process that’s associated with that and it’s really going to help us with our physical and logical access controls in that space.”
DeNayer said these identity management tools will be integrated into systems as they are upgraded and redeveloped using the agile methodology.
He said CIS is using agile development, creating software in small batches on short time frames of a few weeks to a few months, and building in security during each of these sprints, instead of security being an afterthought or something that is bolted on later.
The common theme among all the DHS components is that security must be risk-based and use a defense-in-depth approach.