GCN INTERVIEW

Patricia Titus | At TSA, a clean slate benefited cybersecurity efforts

Former TSA CISO Titus discusses security and the pros and cons of FISMA

Patricia TitusPatricia Titus, chief information security officer at Unisys Federal Systems, joined the company a year ago after six years at the Transportation Security Administration, where she was the new agency’s first CISO. During her tenure at TSA, she focused on creating, implementing and maintaining an information technology security program that earned the agency an A grade for compliance with the Federal Information Security Management Act. Before joining TSA, Titus had been a technical adviser to the deputy chief information officer at the Treasury Department.

She recently talked with GCN senior writer William Jackson about security at the agency and new directions for FISMA.

GCN: What was the status of IT security at TSA when you arrived in 2002?

Titus: When I started at TSA, I was brought on board as the wireless program manager. There wasn’t an IT security officer at the time we were standing up TSA. About five or six months after I arrived, I took the additional burden of the IT security program office, and then two months after that, I was officially designated as chief information security officer. It was a very interesting time, very dynamic.

There was no Homeland Security Department at that time. There was an Office of Homeland Security, but TSA fell under the Transportation Department. We were an offshoot basically of the Federal Aviation Administration. When TSA was stood up, we inherited a very small amount of legacy systems. Our infrastructure was very clean, very new, and it was all built basically from the ground up. I recall government people actually building laptops so that we could get them shipped out to the field. It was a dynamic environment; everybody did what they needed to do to get the job at the moment done.

Was it an advantage to be working at a newly created agency, in a greenfield environment?

I wouldn’t really call it a greenfield because there were still plenty of rules and regulations we had to follow. TSA had several exemptions so we could get stood up quickly and wouldn’t have the normal red tape. But we still had plenty of regulations. We still fell under the policies of DOT. And we still were very mindful at the time of the Government Information Security Reform Act, which was being sunsetted, and FISMA was just coming onto the playing field.

Nevertheless, we had an opportunity to do things differently from any other federal organization because everything was new. So it was an advantage. We were able to build our entire information security program based on the [National Institute of Standards and Technology] framework and methodology. I don’t know if any other federal agency could claim that.

What did you do to make TSA FISMA compliant?

The first thing we had to do was determine what was a system.… Everybody’s terminology of a system was just a little bit different. At that time, Bob West was put into place as the departmental CISO [at DHS] and…he enlisted the assistance of an external consulting company to help develop a methodology that would define what was a system and to help us interview every program official and all the people in the executive team to determine where and what those systems were. This gave us the ability to target those systems for FISMA compliance. That follows the NIST methodology of identifying your assets.

There is always negotiation about what a system is. A lot of little pilots were stood up, and maybe it was testing something on a server. To us, that wasn’t a system; that was someone testing a piece of software. We came down to a digestible number; there were about 77 systems, I believe.

That allowed us to move into the next phase of the NIST methodology, and that is categorizing the data. We were able to take FISMA and lay out those processes and build our entire security program and processes around that. We built a tremendous educational program. When you’re looking at FISMA or any kind of compliance, one of the challenges is educating people about what you’re doing, why you’re doing it, what the outcome is going to be and telling them the success factors.

What was the biggest challenge you faced?

FISMA was just coming out, so the framework was still immature. As we stood up the infrastructure, there were a lot of adaptations that we needed to make as we started to make this environment fit TSA’s risk profile, which was slightly different than DOT’s. We had to do a lot of tweaking of the security controls and changes, and at the same time, new security controls were coming out. And this was during the time frame that malicious code and worms really started to hit the Internet. We had to do not only the strategic pieces of writing the policies, but we had to do the tactical pieces of trying to adapt our infrastructure to meet the demands of the new threats that were starting to hit us.

FISMA is a great starting place, but it is a step in continually monitoring and defending your infrastructure. We got really good around the 2005 time frame of beefing up our security perimeter, getting the firewalls locked down, [putting intrusion detection systems] in place and making sure we had a good build.

You had a chance to, in a sense, grow up with FISMA. It has been criticized as a paperwork drill that focuses on compliance rather than real system security. Do you agree or disagree with that assessment?

I agree and disagree. FISMA is a framework that gives you flexibility based on your risk profile and based on a full risk management program. Part of the reason why people look at it as a paper drill is because they are focusing on the wrong parts of it. They are focusing on counting how many systems are certified and accredited and how they get graded. That score-carding methodology maybe forced us to count the wrong things. FISMA includes a phase called continuous monitoring. That is really the last phase, and once people get authorized and enter that, that’s when they think they are through. But they’re not. That’s when the real hard stuff starts.

People based their certifications and accreditations on a three-year cycle and said, “Every three years, we will reassess the system.” Back in the 1990s, that may have been OK. But with the threats now coming at us daily, we recognized very quickly at TSA that that wasn’t going to work, that we needed to have a continuous monitoring capability. I built an internal audit team that did the annual assessments, and they also did ad hoc assessments. It was a small, nimble team. I would be able to say, “Something doesn’t feel right about this particular system. I’d like you guys to go scan it today.”

What changes are needed to FISMA?

I would like to see a better educational program for senior executives and program managers, an intense FISMA deep-dive as part of the onboarding process. They need to know what the threats are, first of all. I think people need threat briefings and [briefings on] what we are doing to stop those threats through repeatable processes. I think that education would go a long way toward keeping compliance from being a paper drill.

I have heard some discussion that they want to empower the CISOs further. That would have to be a very careful, well-thought-out piece of legislation because we may have created almost too much segregation already between the CIO and the CISO. They are both really trying to achieve the same thing: confidentiality, integrity and availability of data.

The CIO is interested in availability first. If we have too much segregation, we may create two opposing factions that might never get to a blended ability balancing operations and risk management. I think that can only be accomplished by the two of them coming together. The CISOs do need to have a seat at the table to understand the real mission. If you empower a CISO to turn off a mission-critical system because it is not secure, you might have unintended consequences.

One of the things I got to do at TSA was to go every morning to the security intelligence briefing. That gave me a good view of what the entire organization was dealing with. It helped me understand the whole security picture.

FISMA stops at the departmental level, and I don’t think it reaches as far down into the component level as it needs to. It might help get funding to those components that are the weakest. Bob West did that. He pushed accountability of FISMA to the individual components, and I took it upon myself to push it to the individual systems. And I’ll tell you, when senior executives see that their program is red and their colleague’s program is green, that is a power tool.

Are you encouraged by the direction cybersecurity is taking under the Obama administration?

I’m really encouraged by some of the first steps that have been taken. I think the [Center for Strategic and International Studies’ cybersecurity] report, the Consensus Audit Guidelines and several other initiatives that have started to crop up will help our new president make some smart decisions. I’m very encouraged by [acting senior director for cyberspace] Melissa Hathaway’s work. Several of our industry institutes have been asked to provide some comment. I think that initiative is going to get a lot of good feedback.

I think the appointment of a federal CIO is great. I would love to see [Vivek] Kundra pick a CISO because I think that would send the right message that there is a point/counterpoint to everything, and that operations have a security sidecar to the motorcycle.

But we’ve got a lot of work to do. Part of the issue is we’ve got to figure out who is in charge. Who do we reach out to — is it [the Office of the Director of National Intelligence, National Security Agency, National Transportation Safety Board], DHS?

Reader Comments

Thu, May 28, 2009 Jim

This is the best article on FISMA that I have read, because Patricia gets to the heart of the matter, "Risk Management". If I could choose, I'd like to hear more details about TSA criteria for determining system's in the inventory (major, minor and GSS). I think a problem exists with FISMA when low impact or minor applications are outsourced to vendor hosted application providers and agencies are forced to apply resources on vendors that really don't have an importance to the business or enterprise mission. If you apply the letter of the law of FISMA, then resources can sometimes be redirected away from systems that matter. In otherwords, there is no very low category or minor vendor hosted category, so you have to review everything, including the vendor's infrastructue, physical security, and personnel for an application that does not have importance in terms of mission.

Wed, May 27, 2009

In the interests of balanced reporting, TSA has had a lot of IT security problems, even during Ms. Titus's tenure: IG: Weak controls jeopardize TSA's financial data
By Gautham Nagesh 05/27/2009

Lax control of access to information technology systems makes the Transportation Security Administration's financial statements vulnerable to tampering, according to a new inspector general report.

An audit by the consulting firm KPMG identified 15 control deficiencies that could affect the reliability of TSA's financial data, 13 of which were repeats from fiscal 2008, the Homeland Security Department IG noted in the report.

"Collectively, the IT control weaknesses limited TSA's ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity and availability," the report stated. "In addition, these weaknesses negatively impacted the internal controls over TSA financial reporting and its operation, and we consider them to collectively represent a material weakness for TSA."

TSA does not review computer accounts to ensure people who have left the agency are locked out, and does not check the privileges associated with each active account regularly to ensure that level of access remains necessary, the IG found. The report also noted weaknesses related to security patch and security configuration management for the financial reporting system.

"The weaknesses identified within TSA's access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities or that a separated individual, or another person with knowledge of an active account of a terminated employee, could use the account to alter the data contained within the application or database," the IG said.

Auditors also noted cracks in TSA's procedures for recovering data following a disaster. The agency made strides in testing recovery procedures during fiscal 2008 and improved emergency response training for personnel with data center access, but failed to incorporate the results of the tests in its continuity of operations plan, the report said.

TSA officials generally agreed with the report's findings and said they plan to implement the IG's recommendations.

Wed, May 27, 2009 Joe Washington, DC

Interesting perspective. Suggesting that FISMA compliance and getting a FISMA good grade actually leads to better security as compared to measured outcomes. It is apparent that the Clean Slate approach did not benefit some of the Agency's cybersecurity programs when you look at actual past performance, http://www.wired.com/threatlevel/2008/02/tsa-security-of/

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above