Federal auditors recognize the government needs a better way to truly measure how agencies are protecting their computers and networks.
The current approach varies too much across the government. It relies on special publications, a 10-year-old law and negotiations with agency chief information officers.
But change may be on the horizon. Both the Council of the Inspectors General on Integrity and Efficiency and the National Institute of Standards and Technology are considering ways to close the gap between the auditors and agencies over the most important metrics to more accurately evaluate the security of the government’s computer networks and systems.
The end goal of these efforts could bring more consistency to the cyber auditing process and engender more confidence in its results.
A recent example of this disconnect comes from the State Department. The IG issued a management alert about long-standing problems within the department’s cyber operations. But at the same time, State has long been held as the model for others for its use of continuous monitoring and risk-based scoring.
These paradoxical views are part of the reason why some experts are calling for the government to change the way it measures cybersecurity and the impact of the billions of dollars agencies spend each year on it.
“If the IG wants to bring value to the discussion, they need to be certain in what they are measuring and it’s respectful of where things are going or have gone over the past year,” said a government official familiar with State’s cyber efforts, who spoke on the condition of anonymity because the official was not allowed to talk to the press. “They need to look at relevant issues, whether continuous diagnostic and mitigation, or Federal Information Security Management Act reforms, or whatever agencies really are focusing on based on their priorities and risks.”
Ever-increasing number of metrics
But it’s not just the IGs. Each year, the Homeland Security Department provides federal inspectors general and agencies with an update to what they will be measured against as part of their annual audit under FISMA.
That yearly exercise builds on previous metrics, as well as those published by NIST and any new agency-specific focus areas. In short, IGs and agencies face a growing list of cyber requirements that many experts say are almost impossible to fully implement.
Experts say since the goals are nearly unattainable, agency resources are diverted from focusing on the 10 or 20 or however many items that really could make a difference in securing their networks.
Instead, some experts say agencies spend billions of dollars that may or may not make a difference. And auditors continue to write reports that highlight problems that rarely change year after year.
Alan Paller, the director of research at the SANS Institute, which offers cybersecurity training, said the reason the number of requirements continues to climb is simple.
“There’s no accountability. You can say anything you want if you’re an IG or GAO unless Congress says, ‘You auditors are responsible for looking at the right stuff or our guys are going to do the wrong thing,’” he said. “It doesn’t have to be legislative. It can be through hearings. By bringing the IG in to explain why those problems are not being fixed, what will happen is the IG will be forced to be accountable for the problems not being fixed as opposed to why they exist. So right now, you can come in as a GAO guy and talk about how bad the stuff is, but you haven’t been responsible for actually telling Congress why you have written the same report six times and it hasn’t gotten fixed. I’m going to tell you the reason is because your guidance is irrelevant or impossible to implement. And as soon as you have to say that, ‘Oops, we told them to do the wrong thing,’ you’ll fix it.”
Paller said in large organizations, both public and private sector, the auditors drive the behavior. He said until the auditors understand the cyber issues more deeply, agencies, IGs and Congress will continue to be unsure of their network security.
“If you want to fix this, you have to change the way you think about cybersecurity in the federal government, from ‘Those CIOs are doing the wrong thing,’ to ‘Who’s telling them what they have to do? And is there any responsibility on the part of the people telling them what they have to do to ensure they are prioritizing them?’” Paller said. “Until you say there is accountability for the people writing those reports and they have to at least prove that these things can be done. If you’re NIST and you write this stuff, you have to prove it can be done in your own agency. You have no right to tell someone else what to do if you don’t do it yourself.”
Paller added the head of NIST shouldn’t allow the computer security folks to write something his own folks can’t implement.
Cyber maturity model in the works
While not everyone may agree with Paller’s opinion, there is a recognition that the current process is lacking.
“To the extent that an IG might conclude that their agency doesn’t have proper patch management or some other different individual issues, I think that’s probably an accurate assessment of that particular issue at that particular agency,” said Kathleen Tighe, the chairwoman of the IT committee of the Council of the Inspectors General on Integrity and Efficiency and the IG at the Education Department. “But I think what it doesn’t do is give really a good picture, particularly across government, of where different agencies are in terms of security maturity.”
Tighe said the IGs have been pushing DHS for the last few years to do something different in regard to the annual FISMA evaluation.
“We’ve been trying to get them to adopt what we call a maturity model. Now this isn’t something the IGs dreamed up, and I think NIST actually has some guidance on security maturity levels. What it means is you take a baseline at each agency and under criteria, are they level 1, the most basic? Or are they up to level 2 or level 3 in terms of IT security maturity?” she said. “We think a model like this would so much better tell both the agencies themselves and OMB and others who look at information security issues across government of where do those agencies actually stand.”
She said DHS hasn’t been receptive so far to this idea. So the IT committee is trying one more time to convince DHS and the Office of Management and Budget about the value of this maturity model approach.
“We just think it makes much more sense,” Tighe said. “We know that OMB does a report every year after they look at all the FISMA reports and makes conclusions like 30 percent of all agencies don’t have any idea what their IT inventory is like, or they have patch management issues, or they have access control issues. You’d say that sounds really bad, but how do we know that’s really bad? Where do these agencies fall in terms of what’s really important? I think the IGs would all be in favor of doing something a little different.”
Tighe said the IT committee will develop a written framework to present to DHS and OMB in the next month or so.
“There will probably be a long time coming before IGs and the agency CIOs and CISOs all agree on everything. That’s probably something that may never happen,” she said. “But I do think something like the maturity model is a way of assessing, what does that mean if the IG says ‘This is a problem,’ and the CIO says ‘Well, this might still be a problem, but look at all of these other things we’ve done.’ Where does it fall within security maturity levels? Are we really talking really basic levels where the CIO needs to focus on these criteria, which are the important ones? Or are they at a different plane?”
Quicken the pace of new controls
The maturity model also could take into account the changing threats and the priorities agencies set based on the risks they see.
Tighe said the governmentwide dashboard DHS is developing through the continuous diagnostics and mitigation (CDM) initiative also will give IGs a better view of what’s going on across government. She said the dashboard also could change the way auditors review FISMA compliance.
At the same time, NIST is trying to accelerate how it makes new security controls available to agencies and businesses through its special publications.
“If there’s a new threat that pops up tomorrow, we have to have a better system than waiting until [SP 800-53] Revision 5 comes out to get that control into our catalog,” said Ron Ross, a fellow at NIST focusing on FISMA implementation. “One of the things we are considering is putting on our website a control beta test area, where we could post new controls we would like to offer up to get public comment on, kind of kick the tires and see how the controls work. And then put them into Rev 5 when Rev 5 comes out, but we don’t want to slow down the ability of our customers to get those controls and put them into practice sooner than later.”
NIST is working with the Defense and intelligence communities on developing the test site and coming up with the first set of controls to run through the new process. Ross said the beta test control site could be available by the summer.
Additionally, Ross said NIST plans to release a new systems security engineering guideline in April. He said the draft guidance will help agencies and vendors build systems that are penetration-resistant and more resilient.
“Today, we ask our CISOs, our CIOs and our mission owners to defend systems that are very susceptible to cyber attacks. They’re fragile. We’ve got to do a much better job of strengthening the underlying infrastructure,” he said. “Chasing these vulnerabilities and patching is going to be an endless activity. We will never get ahead of this problem unless we fundamentally do some of the things dealing with architecture and engineering, reducing managed complexity, and then we’ll have fewer things to worry about at the back end. Right now, I think the CIOs and CISOs are being overwhelmed because the complexity is generating so many vulnerabilities that you almost can’t patch quickly enough to stay ahead of the problem.”
Ross said staying ahead of the problem must be a combination of understanding your risks and prioritizing those areas that are mission critical.
But other experts say until some fundamental changes are made to let auditors and agencies focus on those highest priority cybersecurity challenges, the disconnect between the two groups will continue to cost billions of dollars for questionable results.