A Public Sector Communications eMagazine
August 13, 2004 -- Volume 2, Number 9

Grade-Makers 'Talk About Their Walk'

How do agencies that combined to score an overall “D” in complying with the Federal Information Security Management Act (FISMA) bring systems up to a superior grade for themselves and the federal government overall?

Maybe they should listen to the few agencies that scored A’s and B’s this year.

At a session during the recent GovSec conference in Washington, leaders from three overachieving agencies shared some tips on how to dazzle on your FISMA compliance report card.


Nuclear Regulatory Commission (Grade: A)

Lou Numkin, senior computer security specialist with the Nuclear Regulatory Commission (A), echoed the comments of two other conference participants when he urged that agencies develop an ongoing working relationship with their own Inspector General.

Before an agency’s security posture faces scrutiny from Congress or the Office of Management and Budget, it will have to pass IG muster, the security leaders stressed. NRC’s IG tests different systems from the agency’s inventory each year, Numkin said.

Hack attempts on NRC systems average hundreds per day. The agency is, of course, assumed to be a repository of information on nuclear materials and WMD-related technology, and thus is a high-profile target for terrorists and other politically driven malcontents.

A “friendly relationship” with the IG means that IGs will not hesitate to inform system managers of problems as they are uncovered, even when the problem is as specific as a single employee surfing unauthorized sites, Numkin said.

NRC stresses in-house security training for all its employees, and the agency received an A grade in part because its staff returned a whopping 98.5 percent completion rate on all training last year, most of which occurred online.

Numkin said NRC established a competitive atmosphere from office to office where training completion rates were concerned, keeping score of which offices were leading and which were trailing as the year progressed. “The competitive atmosphere really motivated people,” he said.

NRC also uses the NIST Special Publication 800-26 guidelines for self-evaluation, but tailors parts of the generic checklist to its own particular needs, Numkin said. The agency has sponsored an in-house Security Awareness Day for several years now, and promotes security through its “Cyber Tiger” PR campaign, in which a cartoon figure appears on posters and e-mails passing along security tips and reminders.

Despite NRC’s high grade, its own IG has already warned the agency IT leadership that it must do a better job of delivering a complete inventory and accounting of all systems and applications this year, Numkin said.


National Science Foundation (Grade: A-)

Bobbi Spitzberg, a security leader with the smallish National Science Foundation (A-), reinforced the notion that security must be looked at “culturally,” and is achieved at a level commensurate with the vigilance officials maintain. “Risks are assessed, understood, and then appropriately mitigated,” she said. But then the process recurs, ad infinitum.

NSF relies on two tiers of security working groups that already have their sleeves rolled up while policy is being formulated, in advance of system implementation. IT security must be factored into the capital planning phase, the representatives of the overachieving agencies advised at GovSec.

Spitzberg said the best security is often achieved in a “collaborative” process that occurs throughout an agency. NSF’s own technical mantra is that system designers build controls that “deter, detect, delay, defend, deny and defeat” black hats and hackers.

Social Security Administration (Grade: B+)

Bill Garvins of the Social Security Administration (B+) advised that fastidious documentation is a key grade-maker for agencies, which cannot prove their case to IGs or other oversight officials unless their system security is documented. Garvins is a deputy chief security officer at SSA. He said the massive agency’s security posture improved when a CIO from the private sector “who was comfortable with innovation” came on board.

Central policies and standard practices are the order of the day at SSA, which manages a large enterprise of IT assets spread around the nation. With more applications being developed for the Internet, and regional and local offices sometimes inclined to develop their own systems for task-specific issues, the agency is a stickler for certifying and accrediting nearly everything that runs on its networks and hardware, he said.

SSA is not afraid to pursue best practices. It uses the EPA-developed ASSET tool for pre-compliance testing support, Garvins noted. The Automated Security Self-Evaluation Tool is a favorite of NIST security policy- and standards-makers, and is part of the NIST 800-26 guidelines used by NRC too.



Copyright © 2010 Public Sector Communications, L.L.C.
