Government Agencies on Compliance Fast Track
Not surprisingly, cyber security has become a high-priority IT challenge for U.S. federal agencies. With the drive toward e-government, requiring agencies to share data and application services, and the post-9/11 emphasis on agency continuity of operations planning, most agencies have either significantly increased, or plan to increase, their IT and network security capabilities.
After all, in an increasingly vulnerable environment (1.4 million cyber attacks against agencies were reported in 2003), what's more important than protecting the integrity of a nation's mission-critical information?
A U.S. federal mandate is helping to drive the process toward a safer e-government, with guidelines, metrics and specific recommendations for protecting the federal IT infrastructure. The Federal Information Security Management Act (FISMA), introduced in 2002 and managed by the Office of Management and Budget (OMB), has helped put cyber-security processes on the fast track at many agencies and has already spawned many tangible benefits.
According to Bob Collet, vice president of engineering at AT&T Government Solutions, FISMA has provided agencies the statutory and functional framework to secure their systems and data. Solid progress has been made toward implementing this mandate. In fact, while many agencies received poor security grades two years ago, a growing number have not just "passed" this year, but have been granted grades impressive by any standards. Agencies are striving to earn a "green" rating on the E-Gov Scorecard, which requires proving that their IT infrastructures are at least 90 percent secure.
"While only a few agencies have so far met this standard, other agencies are heading in the right direction," said Collet. "It hasn't been an easy road, but the journey itself has been more rewarding than anyone could have anticipated because it has advanced the goals of e-government."
FISMA provides uniform standards and mandatory measures that must be met by all agencies. But rather than doing only the required work, many agencies have also used FISMA compliance to advance their IT capabilities and to create more "security conscious" cultures.
According to Collet, FISMA has awakened agencies to the fact that cyber attacks are growing in sophistication and frequency. It has also prompted them to increase their security expenditures. In addition, thanks in part to FISMA, a growing number of agencies now have direct oversight of cyber-security activities by the agencies' top leadership.
"The most recent E-Gov Scorecards demonstrate that cyber security has become a real management priority at the agencies," said Collet. "More than ever, it appears that IT managers have the support they need from senior leadership."
In addition to OMB's FISMA mandates, agencies are also guided by NIST (National Institute of Standards and Technology) security standards. Products meeting those standards are now available via the General Services Administration's (GSA) Multi-Tiered Security Profile and Access Certificates for Electronic Services contract vehicles.
"The federal government, and the GSA in particular, has surely provided agencies with a robust toolbox to help them meet their security objectives," Collet said.
One of the most daunting, time-consuming, budget-draining challenges facing IT managers has been patch management. Keeping up with the latest fixes, from one attack to the next, requires constant system monitoring and attention to CERT (Computer Emergency Readiness Team) announcements, as well as early warning systems from software and network vendors and the agencies' own laboratories.
Under FISMA's system configuration requirements, agencies are required to keep the most current patches on hand. According to a Government Computer News survey of agency IT managers, 80 percent say their agencies have developed standardized patch management programs, and most of those rate the programs as effective. The survey notes that nearly 85 percent described these security fixes as now fully integrated into their security programs.
"But even the best software may not be comprehensive enough for the fight against organized crime, hostile foreign governments and the next generation of cyber-savvy hackers," said Collet. "It may be time for federal agencies to think about more integrated IT and network security solutions."
By using network-centric defenses from service providers, agencies can significantly reduce the amount of effort in patching their systems. Intelligent networks have natural security advantages and, when combined with traditional solutions from the data center to the desktop, can put up the strongest line of defense.