Eye on Security

Directives on securing agency networks have pushed compliance from 26 percent to 70 percent in three years.

By now, chief information officers throughout the federal government clearly understand the importance of network security. Between the 2002 E-Government Act and the President's Management Agenda, and the relentless quarterly evaluations by the Office of Management and Budget, no agency is immune to the constant quest for more effective network security. It can only become more important as large contracts consolidate and integrate telecommunications throughout government, making interconnections between systems more complex and vulnerable. Consider, for example, the Federal Technology Service's Networx or the Homeland Security, Justice and Treasury departments' joint Integrated Wireless Network.

To ensure that networks are secure, agencies must comply with the Federal Information Security Management Act, which is part of the E-Government Act. FISMA sets guidelines for making federal networks secure, with the goal of zero downtime and zero incidents that interrupt agency business. The bottom line is to ensure that networks are available and that data is confidential and reliable.

FISMA has done a great deal to impress the importance of network security on agencies, and many have made great strides, says Karen Evans, administrator of OMB's Office of E-Government and Information Technology.

But even with compliance on the rise, there is much more to be done. For the past two years, OMB has focused on getting 90 percent of agencies' systems certified and accredited, a goal it has yet to reach. In the summer of 2004, Evans says, about 70 percent were secure. Although that number fell short of the 90 percent goal, it was drastically better than the 26 percent compliance rate of three years ago, she notes.

Evans says federal leaders should first realize that there is no "one thing" agencies can do to reach their goal. Instead, as explained in FISMA, security is about implementing a methodical, risk-based approach.

"That means every management decision you make has to be risk-based and cost-effective," Evans says. "Every recommendation you make is a balance of how much risk you're willing to take to provide that service."

The Transportation Department is ahead of the curve on network compliance. Getting there hasn't been easy, but the hard work is paying off, says Lisa Schlosser, the agency's chief information security officer and associate CIO for investment management.

From a management standpoint, success rests on executive leadership and buy-in, Schlosser says. Transportation leaders made FISMA and other OMB security requirements part of the performance plan and performance metrics to ensure compliance down the line.

As challenging as the managerial side of the equation may be, the technical side is far more complex. The National Institute of Standards and Technology has developed Federal Information Processing Standard 199, a security categorization that should be the first step in risk assessment, says Ron Ross, NIST's project leader for FISMA implementation. The standard helps agencies categorize each system in terms of having a low, medium or high impact on the agency's mission. "It allows agencies to focus their scarce information security resources in the most important areas," he says.

NIST has developed other security-related guidelines building on FIPS 199. One will define the security controls needed to protect each category of system, Ross says.

Commercial software can greatly help network security. With an automated vulnerability remediation or scanning tool, for example, agencies can conduct enterprisewide vulnerability scanning.

"If you are going to invest in any tool to improve your program and minimize your network risks, implement an enterprise vulnerability testing and remediation software solution," she says. "They aren't that expensive, and you get the most bang for your buck." In fact, two are free: Nessus (www.nessus.org) and Microsoft Baseline Security Analyzer. These can help agencies discover all devices on a network, many of which they might not have known existed, says Jeff Harrell, product marketing manager at nCircle, a San Francisco-based provider of vulnerability management solutions, such as the FISMA Compliance Solution. Other vendors offering FISMA compliance tools include AppScan, WatchWire, Preventys and BindView.

"Once they know what's out there, they can find out what kind of shape they are in and what kind of vulnerabilities they have, and then compare that information to the policies they set in place," he says. "For example, maybe all your Windows machines should be running Microsoft XP Service Pack 2. This type of software would show you that all your machines are running Service Pack 2 except five. Then you can fix those machines."

Other vulnerability remediation tools include QualysGuard from Qualys Inc., Class 5 Automated Vulnerability Remediation (AVR) from Secure Elements Inc., Hercules from Citadel and McAfee's Entercept.

Tools that check security configurations are useful in setting the required baseline configurations on all technology. These are free from the Center for Internet Security (www.cisecurity.org), as well as from Microsoft and others.

To track progress on FISMA metrics, the Transportation Department uses an enterprise security portal, which provides a "dashboard" approach. "I can sit at my desk . . . and determine where we were last week in meeting our certification and accreditation goals all the way through which assets are being patched and which aren't," Schlosser says. Vendors offering enterprise security portals include LURHQ and NetForensics.

Evans believes using FISMA compliance tools, studying the regulations and applying old-fashioned diligence will go a long way toward increasing the level of network compliance. "This year's goal again," she says, "is to have 90 percent of all IT systems properly secure."
