The Impact of DHS's FISMA AuditReport Highlights IT Security Strengths, Weaknesses Federal Information Security Management Act audit of the Department of Homeland Security furnishes fodder for both sides of the argument over whether Congress should codify Obama administration actions that have granted DHS sway over other federal civilian agencies.
Legislation to reform FISMA, the law that governs federal information security, and other cybersecurity-related bills have stalled in the Senate, in part, because of concerns from some lawmakers - mostly Republicans - about whether DHS should enforce IT security standards for other civilian agencies, as the president has directed.
The new inspector general report "makes it clear that significant progress has been made in enhancing DHS's information security efforts," says Sen. Tom Carper, D-Del., who chairs the Senate Homeland Security and Governmental Affairs Committee, which provides oversight over federal government IT security. "Despite these gains, though, [the inspector general] highlighted some very important areas in which DHS, like many other federal agencies, can and should improve."
But the ranking member of the committee, Republican Sen. Tom Coburn of Oklahoma, was far less charitable than the chairman, saying the audit shows gaps in DHS's own cybersecurity, including some basic protections "that would be obvious to any 13-year-old with a laptop. President Obama has called on the private sector to improve its cybersecurity practices to ensure that our nation's critical infrastructure is not vulnerable to an attack. DHS and other agencies must be held to at least the same standard."
In DHS's annual FISMA audit, Assistant Inspector General Frank Deffer credits DHS for creating a process to help improve IT security through a new risk management approach that transitions DHS from a static, paper-driven, security authorization process to a dynamic framework "that can provide security-related information on demand to make risk-based decisions based on frequent updates to security plans, security assessment reports and hardware and software inventories."
Deffer says DHS developed and implemented an information security performance plan that defines performance requirements, priorities and overall goals for the department and has taken actions to address the administration's cybersecurity priorities, which include the implementation of trusted Internet connections (see What's Happening with the Trusted Internet Connection?), continuous monitoring and strong authentication.
One role the Obama administration has given DHS in aiding other agencies is the implementation of continuous monitoring to assure the security of government IT systems. The Continuous Diagnostic and Mitigation program, part of a $6 billion initiative, is headed by John Streufert, director of Federal Network Resilience within DHS's National Protection and Programs Directorate and former State Department chief information security officer (see Feds Tackle Continuous Monitoring).
"While these efforts have resulted in some improvements, components are still not executing all of the department's policies, procedures and practices," Deffer says, referring to units within DHS.
Areas of Concern
The IG review also identified what Deffer characterizes as "more significant exceptions to strong and effective information security," including systems operated without proper authorization, plans of action and milestones not being created for known IT security weaknesses and baseline security configuration settings not being implemented for all systems.
Jim Crumpacker, director of the DHS's GAO-OIG Liaison Office, placed a positive spin on the audit, saying DHS is pleased to note the inspector general's recognition that the department continues to improve and strengthen its information security program. He specifically cites the continuing authorization process DHS developed to help improve the security of its information systems through a new risk management approach. "This ongoing authorization methodology will help [DHS] components improve near real-time risk management, obtain greater efficiencies in resource management, and improve the maintenance of security controls of information systems and data that support the DHS mission," he says.
To address shortfalls, the IG recommends DHS:
- Establish a process to ensure implementation and maintenance of baseline security configuration settings on all workstations and servers, including non-Windows platforms. In response, DHS says 11 of 12 DHS units use baseline settings and says the 13th unit will adopt them by the end of December.
- Ensure that all operational information systems have current authorization to operate. DHS says it has acquired a new security authorization tool with more dynamic settings to improve visibility into its security posture, so it expects to meet the IG's recommendation by Dec. 31.
- Improve the information security officer's plan of action and milestones review process to ensure that DHS remediates all plans and milestones, including top-secret systems, in a timely manner. DHS says it's exploring options within an automated compliance tool that can be leveraged to improve the review process and expects to deploy it by Feb. 28.
- Institute enterprisewide security training requirements to ensure all privileged users receive necessary role-based specialized security training. DHS says its information security officer will seek to better address privileged user role-based specialized security training requirements in the DHS Sensitive Systems Handbook. Crumpacker says the privileged user training metric in this year's performance plan will be enhanced by tracking specific categories of privileged users, such as database administrators or system administrators.
- Strengthen the DHS's oversight of top-secret systems by performing critical control reviews on selected systems to ensure the required controls are implemented. DHS says its information security office will strengthen its oversight of top-secret systems by conducting modified critical control review of select systems. These modified critical control reviews will act as external spot checks that will accompany DHS's on-site quality reviews of security authorization artifacts of these systems, Crumpacker says.
Carper, who co-authored the Cybersecurity Act of 2012 and will be the lead sponsor on cybersecurity legislation emanating from his committee, says he's pleased DHS has taken steps to implement all five recommendations. "I look forward to working with them to ensure that these initiatives are put in place in a timely manner," he says. "The effectiveness of IT security, though, is a shared responsibility."
Carper says he and Coburn are working on bipartisan cybersecurity legislation, but neither senator has provided details on what provisions would be included in the measure and when it would be introduced. With the clock ticking on 2013, any action on cybersecurity legislation in the Senate would occur next year, the second session of the 113th Congress.
One hang-up on getting cybersecurity legislation through the Senate is a difference between Democrats and Republicans on the role DHS should play in enforcing IT security standards for other civilian agencies. Most Democrats favor such a role, as outlined by the president, while many Republicans don't trust the department in carrying off such a job.
Sen. John McCain, the Arizona Republican who sits on the Senate panel, is a big critic of DHS's capabilities. In a speech opposing comprehensive cybersecurity legislation last year, he said that granting the department cybersecurity authority over other agencies would hand over "one of the most technologically complex aspects of our national security to an agency with an abysmal track record.
"They can't even screen airline passengers without constant controversy. ... I, for one, am not willing to take such a broad leap of faith, and entrust this complex area of our national security, and so many vibrant parts of our economy, to this ineffective, bloated government agency."
Time's a Changin'
But Mark Weatherford, former DHS deputy undersecretary for cybersecurity, contends that McCain's viewpoint is out of date. "There was probably a point in time where DHS probably wasn't the place where you would think that the cyber talent and the cyber [defense] should be, but that has changed," Weatherford said shortly before leaving DHS earlier this year (see Defending DHS as a Cybersecurity Leader). "We are more mature now. We are developing the talent. We have the chops to do this, and we are proving it on a daily basis."
Tom Ridge, the first Homeland Security secretary, sees a role of the Department of Homeland Security as a focal point for collaboration among the various agencies on cybersecurity but stopped short of endorsing legislation to grant DHS special status.
"I could argue that among all the agencies they may be assigned responsibility, I'm not quite confident that they have the breadth and depth of experience to oversee what the rest of the federal government is doing," Ridge said in an interview earlier this year with Information Security Media Group (see Cybersecurity: The Role of DHS). "Having said that, I think they can be a focal point for collaboration among the various agencies."