Inconsistency among how inspectors general review agency cybersecurity is causing a reality gap.
The progress many agencies are making to secure their systems is not reflected in the annual reports auditors submit to Congress. And this disconnect causes uncertainty around just how well protected federal computers and networks are from attacks.
A recent State Department cybersecurity management alert epitomizes the challenges agencies and IGs face in deciding just how secure their computers are.
On one hand, the Office of Management and Budget, Congress and private sector experts have celebrated State’s as a model for the government. The department began continuously monitoring the health of its networks and using risk to make decisions in 2010.
In fact, the Homeland Security Department is modeling the governmentwide continuous diagnostics and mitigation (CDM) program after State’s success.
But the recent report by the agency’s IG says for the third year in a row, State has similar and significant information management problems. Auditors say State is facing undue risk because of weaknesses in scanning and configuration management, baseline controls and risk management and continuous monitoring.
So who’s correct?
Well both are — and that’s the rub many agencies are facing.
A government official familiar with the State Department’s cyber efforts said the IG’s report is absolutely accurate. But the source added, the IG doesn’t take into account the fact that State, like most agencies, is facing dozens of recommendations and must prioritize which ones to address based on the associated risks. The official spoke on condition of anonymity because they didn’t get permission to speak to the press.
At the same time, IGs are bound by the Federal Information Security Management Act (FISMA) to measure certain cyber compliance areas, some of which are more than a decade old. This means they have to look at certain requirements whether or not the agency decides those changes are a top priority.
“I think DHS tries every year and we provide input to them to make sure they take into account recent trends in information security, known cyber attacks and other information. We try to gauge what they are going to require us to do every year,” said Kathleen Tighe, the chairwoman of the IT committee of the Council of the Inspectors General on Integrity and Efficiency and the Education Department’s IG. “But sometimes there is a disconnect. But I think IGs try to use within the confines of the FISMA metrics try to target on a risk based way the work they need to and the issues they need to.”
Tighe said IGs have to fill out a Federal Information Security Management Act, or FISMA, evaluation form, but they also have flexibility to look at other issues.
Hard skills needed
Alan Paller, the director of research at the SANS Institute, which offers cybersecurity training, said the problem isn’t having enough flexibility. Rather, it’s a lack of understanding by the IGs about what they are reviewing.
He said IGs, and even those people writing the guidances, don’t have the technical skills necessary to truly understand how to best secure the systems.
And therefore, IGs often times are pointing out problems whose solution may or may not improve the agency’s security, he said.
“The challenge for the IGs is they have only one set of directions. Their set of directions comes from National Institute of Standards and Technology. That set of directions at this time is something in excess of 13,000 pages. No organization has ever implemented those, including NIST, GAO and the IG shops,” Paller said. “They are using a set of measures that are impossible to implement, impossible to even to read all the way through for normal human beings, and because of that, they can look in any direction and find fault, and force people to spend money to do things that may or may not stop attacks.”
David Kotz, the former IG for the Securities and Exchange Commission and now director with the Berkeley Research Group, said his experience mirrors the problem Paller described.
“I think the IGs try to take into account the changing cyber requirements, but it’s often difficult. It’s a big challenge these types of issues for IGs. IGs often don’t have the background in information security, and it’s difficult for them to really understand the issues,” Kotz said. “I remember when I was IG at the SEC struggling with the FISMA audits, because it was hard for me to understand exactly what the issues were. I felt like many times I was almost forced to take the agency’s word for it, because I wasn’t in a position to understand it and really argue with them. So I think IGs try, but because it’s so difficult, often they look at standard metrics, governmentwide standards, and don’t necessarily always take into account all the different changing cyber requirements.”
Kotz added he spent a lot of time with contractors and others trying to grasp the complexities of cybersecurity.
Who controls the discussion?
Pat Howard, a former chief information security officer at the Department of Housing and Urban Development and the Nuclear Regulatory Commission and now a program manager for Kratos SecureInfo, said the knowledge of IGs around cyber has improved over the last few years, but it really comes down to the agency chief information officer and the CISO taking charge of the discussion.
“When the IG comes in, then the CIO and CISO need to be right there with them, making sure there are no surprises on the evaluation instructions, what they will be looking at and how they will be looking at it and stepping in and filling in any gaps, because the instructions only go so far,” he said. “The agency has to explain how they should be translated and employed in their environment, in their agency.”
That fact is one of the reasons why NIST tells agencies to tailor their implementation of the FISMA guidance.
“The mission and business owners are really in command of this situation. They understand what the mission space looks like, what systems they need, the level of protections those systems must have in order to support the missions,” said Ron Ross, a fellow at NIST focusing on FISMA implementation. “In our most recent update to the Special Publication 800-53, Rev 4, this is our security control catalog, we now have 861 controls, and people say, ‘that’s a tremendous number of controls and how can we deal with them all?'”
Ross said NIST’s implementation guidance gives agencies flexibility to apply the controls based on the system’s categorization-high, medium or low.
“You can eliminate certain controls that are not going to support your mission,” he said. “There are many times when you can make risk-based decisions, not only eliminating controls, but also adding controls where there are specific and credible threats that are on the radar for your particular organization.”
Ross added CIOs and CISOs must negotiate with the IGs on what is most important and what needs to get fixed first.
Senate report finds continued problems
But Paller said that puts CIOs in a catch-22 situation.
IGs still are bound by the law to focus on specific areas called out by NIST and in FISMA. Meanwhile, CIOs must decide whether to focus on other areas they deem most risky, despite facing the strong possibility of getting a bad IG report and being hauled up to Capitol Hill.
Paller said this is the reason why agencies spend billions of dollars each year on cybersecurity and their systems remain insecure.
In fact, Sen. Tom Coburn (R-Okla.), ranking member of the Homeland Security and Governmental Affairs Committee, released a report Tuesday detailing the review of 40 FISMA audits and a wide variety of recent data breaches among agencies. Coburn said since 2006 agencies spent more than $65 billion on cybersecurity, and yet continue to be vulnerable to attacks because they aren’t doing the basics to protect their systems.
Which brings the discussion back full circle to the State Department: Does the IG’s report truly mean the agency is facing imminent doom?
The government official familiar with State’s cyber efforts said several of the areas the IG pointed out are not among those areas that the agency determined to be a top priority.
The official said until the IGs change their approach to how they review agency cybersecurity, the disconnect between policy and reality will continue.
In part 2 of this special report on Thursday, Federal News Radio’s will explore approaches to close the measurement gaps between auditors and agencies when it comes to cybersecurity progress.