Agencies have been slow to invest in tools that continuously monitor federal systems and networks for cyber intrusions, 43,889 of which agencies reported to the Department of Homeland Security last fiscal year. (File photo / Getty Images)
A little more than half of the government's information systems — 56 percent — were monitored in near real time to detect software flaws, required patches, devices operating on the network and other key security metrics, according to 2010 data in a Federal Information Security Management Act (FISMA) report to Congress. Agencies increased that number to 78 percent last fiscal year, but continuous monitoring capabilities are still lagging at some agencies, including the Small Business Administration and Commerce Department.
"Federal departments and agencies must defend their information systems in a resource-constrained environment, balancing system security and survivability while meeting numerous operational requirements," White House cybersecurity coordinator Howard Schmidt said in a March 23 blog post.
Schmidt is working with agency chief information officers to increase continuous monitoring and other safeguards on government information systems to 95 percent by 2014. Schmidt, who is leading the effort, will coordinate with the National Institute of Standards and Technology, Department of Homeland Security and Office of Management and Budget to implement and track the goal.
Performance tracking data won't be available until next fiscal year, said Caitlin Hayden, spokeswoman for the National Security Council.
"That's a lofty goal, but I think you need 100 percent," Brent Conran, chief security officer at security company McAfee, said about the administration's goal.
Government and industry experts agree that accurately tracking progress is challenging because agencies have not yet figured out what should be monitored and how often. There is also some disconnect between auditors and agencies on how much flexibility they should have in implementing minimum security standards set by NIST and required by the 2002 FISMA law, and how often agencies should monitor the effectiveness of their security practices.
"This is an area that is still being fleshed out," said Leo Scanlon, chief information security officer at the National Archives and Records Administration.
OMB in 2010 designated DHS as the lead to oversee agencies' compliance with FISMA and security reporting. DHS has been working with agencies to shift from compliance-based paper reports to automation tools that electronically generate reports on their security levels. DHS uses that information to identify common security challenges across government and ways to address them.
As budgets decrease, "agencies need to know where they should spend their dollars," Scanlon said.
DHS is encouraging agencies to secure their information systems based on the cyber threats they are facing, rather than investing in technology or processes that comply with FISMA but do not enhance security.
DHS is also working with inspectors general, who report to Congress, to ensure that agencies have flexibility in applying security standards.
Agencies and IGs have to be on the same page early in the process, said Jerry Rainwaters, IT division director in the State Department's IG office.
Despite State's reputation as a leader in continuous monitoring, the department's self-reported scores were lower than those of most large agencies, including the Veterans Affairs and Agriculture departments.
The IG's 2011 FISMA report says State "does not have an effective means of implementing continuous monitoring at the organization level or the system level." The report found that State's software tools do not assess its most common database management system, Oracle, for security weaknesses.
Rebecca Ann Batts, IG at the Pension Benefit Guaranty Corp., said when agencies assess which security measures to put in place, the agency and IG should understand and consider the agency's security environment and what best meets the security needs.
"We're in a state of compliance fatigue," Dan Galik, chief information security officer for the Health and Human Services Department, said at an IT event last month. But moving away from "heavy compliance" isn't easy, Galik said. It requires investments in technology and other considerations.
The Justice Department is among the agencies working to increase continuous monitoring capabilities. Chief information security officers (CISOs) at the department receive weekly security reports from an online dashboard on the security of networks, said Holly Ridgeway, deputy CISO and program manager at Justice. A beta version of the dashboard was installed six months ago.
Ridgeway said the department is trying to determine what security practices best meet its needs. Security reporting, which accounts for the number of IT assets within an agency, was manual, Ridgeway said. Sometimes the data was fairly accurate and other times it was a "best guess," she said.
The dashboard "has enlightened us — for the first time — to know exactly what's on our network at any given moment," she said.