GCN Tech Blog



By GCN Staff


Readers suggest a few great government Web sites of their own

GCN’s July 27 issue featured 10 great government Web sites, holding them up as examples of how federal, state and local organizations are putting Web technology to some cutting-edge uses.

But by no means do we presume that these are the only 10 great government sites. Readers offered their own suggestions of sites that are doing a great job of providing services and connecting with citizens. True, in some cases, they suggested the sites of their own agencies, but that doesn’t mean those are not worth checking out.


Related story:

Great dot-gov Web sites: 10 sites that take online government to the next level


Some of the reader suggestions:

“I'm not normally a 'rah-rah' kind of guy, especially for our own agency, but our Web people do a pretty danged good job for both external and internal users. Metro's stated purposes are well delivered and our pages provide a wealth of information about the agency's offerings. www.oregonmetro.gov.” --Chari Anang

“The National Institutes of Health (NIH) Office of Human Resources (OHR) is pleased to announce the new look and exciting new features of the public OHR Web site! The redesigned site is more user-friendly and has features such as two-level tabbed navigation, left-hand contextual navigation, and a top 10 quick links section that reflects the most visited pages on the site. The site is being launched Friday, July 17 at 5pm, so please take a moment to view it on or after that date on: http://hr.od.nih.gov.” -- Jennifer Levithan

“Check out DisasterAssistance.gov, which launched 12/31/2008 as a one-stop shop to help disaster survivors. Since launch, the site has had over 262,000 visitors providing assistance from 17 federal agencies. More than 4,200 results are produced when performing a Google search for “www.disasterassistance.gov”. And many major organizations provide a direct link to DisasterAssistance.gov, including: DHS, OPM, DoEd, SBA, DOL, SSA, DOS, Treasury, HUD, USDA, American Bar Association, Disability Rights California, National Disaster Legal Aid, National Voluntary Organizations Active in Disaster (NVOAD).”

“NOAA is best by far. Better than the commercial weather Web sites as well. http://www.noaa.gov/.” -- G. Holubec

“The FDIC Web site is packed full of helpful up-to-date consumer and market information. There are helpful plain-English FAQ's and interactive applications available to answer nearly any question a bank, investor or consumer may want to know concerning insured deposits, as well as comprehensive information about the FDIC's mission and services during these difficult times. The site is kept current and fresh with new information posted daily: www.fdic.gov.” -- Mike Bartell

http://www.federalreserve.gov/.” -- Robert VanOrmer

Web Manager University could also be helpful to Visual Information folks, Audiovisual Production teams and Public Affairs Officers within government because they all have a stake in communication as a strategy on behalf of an agency.”

“I would also be very interested in seeing your picks for government-related Web sites that are not run by official representatives of the gov't. Here are some of my picks: GovTrack - http://www.govtrack.us/, LittleSis - http://littlesis.org/, NPR's Dollar Politics - http://www.npr.org/templates/story/story.php?storyId=105878862.”

Posted on Jul 31, 2009 at 9:39 AM, 3 comments


Readers divided over Kundra's plan for upgrading FISMA

Federal Chief Information Officer Vivek Kundra’s push to update how agencies measure compliance with the Federal Information Security Management Act seemed to strike a nerve this week with readers.

In a letter to the Government Accountability Office, Kundra wrote that the reporting requirements for FISMA, enacted in 2002, were outdated and “largely compliance based. They are trailing, rather than leading, indicators. We need metrics that give insight into agencies’ security postures and possible vulnerabilities on an on-going basis.”

His letter was prompted by a GAO report that found disparities between agencies’ FISMA compliance and their actual security status. He suggested that one way to improve reporting was to replace spreadsheets with an online database.

Reader comments ranged from hopeful to skeptical.

“Hurray! We have a Federal CIO who has the vision and is acting like a real CIO!” wrote one commenter. “The current government IT security environment is too focused on checking off boxes and being defensive. Kundra understands technology, its potential, and how to use it. I can only hope that his ideas and policies sink in at the agency level.”

However, one writer seemed to wonder if his approach was practical. “Kundra may know technology, but it doesn't appear that he's familiar with FISMA … the disconnect is very clear where Kundra argues with the GAO recommendation for OMB [to] use its authority to disapprove failing security programs; this hasn't ever happen[ed], should be the tool for OMB to get agencies to produce ‘real world’ rather than checkbox plans, and yet Kundra says OMB is doing fine as-is... Ha!”

Still another put the burden not on FISMA, but on the people in charge of security at agencies: “Since FISMA is a risk-management framework which requires Agencies to produce their own information security plan, the 'FISMA/Security' gap is really an 'Agency CIO/CISO failure to develop their own adequate security plan' gap. Let us be thankful for the fact that we have FISMA, since without its mandatory system inventory and reporting there's no telling whether these non-performing agency CIO/CISOs would even bother with security.”

Can security and new Web technologies coexist? One writer was doubtful: “It's clear that Kundra is not serious about security. All of us are being pushed to field Web 2.0 technologies, and anybody who raises any issue about security gets blown out of the water as being an obstructionist. OMB needs to get its act together. Their automated tool for FISMA reporting (developed without any inputs from the community) will not help. Wonder if their wonderful new tool could pass an OIG or GAO FISMA compliance audit. I doubt it.”

On a Web 2.0-related note, Kundra told an audience at the Open Government and Innovations Conference this week that, "[t]his notion of thinking about data in a structured, relational database is dead.”

He said agencies should be ready for an explosion of new data and that "[s]ome of the most valuable information is going to live in video, blogs and audio, and it is going to be unstructured inherently."

That prompted this commenter to point out the difference between how data is produced and how it is presented: “... aren't most all Web 2.0 apps built on a relational database management system platform anyway? Is this sort of like saying ‘we don't need farms any more because now we have grocery stores’? ”

Posted on Jul 24, 2009 at 9:39 AM, 4 comments


Lack of virtualization regs is a challenge with classified systems

In the old days, certifying software to run on classified systems was a (relatively) easy task: Follow the configuration instructions from the appropriate security technical guide and you were good to go. But what if you wanted to run that same software in a virtual container? Doing so could require a lot of unnecessary set-up time in many agencies, warned Adam Rossi, president of IT consulting firm Platinum Solutions, which does work for intelligence agencies.

"The regulations haven't really caught up with virtualization," he said.

We encountered this issue while writing our article on building a private cloud. During our interview, Rossi had mentioned the certification and accreditation (C&A) process as a potential roadblock for widely and quickly deploying software in virtual environments. At least some Defense Department officials are mulling the potential appeal of using virtualization as a security tool. Platinum is working with government customers who want to reduce the size and power consumption of their data centers, and virtualization is a natural route to go.

However, the software security regulations and policies could be updated to better accommodate virtualization software, Rossi said.

Systems that run in classified environments must follow the Defense Department Security Technical Implementation Guides (STIGs), he explained. A STIG specifies a list of secure settings, such as which services may run, which ports are open, and so on. There are STIGs for operating systems, application servers, databases and all sorts of other software. DISA publishes the full list of STIGs.

To check whether software is configured correctly, the Defense Information Systems Agency (DISA) offers a set of scripts, called Security Readiness Review (SRR) scripts, that test a system against the STIG settings. Once software is configured to meet STIG requirements, it can be copied onto a master disk (or "gold disk") and replicated across different servers, with the implied assurance that each copy of that program is running securely. That assurance holds only as long as the copies are not altered after the review.

Except if that program is running in a virtualized environment.

Here is the problem: At least in some agencies, every time a piece of software is spun up in a virtualized container, it must be tested against the SRR scripts again. And this is a time-sink. "If you C&A it once and you deploy it and don't alter it, it should be C&A'ed again," Rossi said. "You see a lot of extra labor to go in to rescan the image."
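The two checks described above, the SRR-style settings review and the "unaltered gold disk" assumption, are easy to show in a script. The following is an added illustration written for this post, not DISA's SRR scripts or Platinum's tooling. It checks a constructed sshd-style config and a constructed list of listening ports against an allow list, and it records a SHA-256 digest of a gold image at review time so a later copy can prove it is unaltered before anyone decides to skip the rescan. The directive names (Protocol, PermitRootLogin) are illustrative hardening settings, not a quotation of any specific STIG, and all file contents are made up.

```shell
#!/bin/sh
# Added example, not DISA's SRR scripts. Config keys, ports and image
# contents below are constructed sample data for illustration only.

# srr_check_config FILE KEY=VALUE...
# Prints one FINDING per required setting that is missing or wrong.
# First uncommented occurrence of a key wins (sshd semantics). Returns 1
# if any finding was produced, 0 otherwise.
srr_check_config() {
    cfg="$1"; shift
    rc=0
    for req in "$@"; do
        key="${req%%=*}"
        want="${req#*=}"
        have=$(awk -v k="$key" '$1 == k { print $2; exit }' "$cfg")
        if [ -z "$have" ]; then
            echo "FINDING: $key not set (expected $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "FINDING: $key is $have (expected $want)"; rc=1
        fi
    done
    return $rc
}

# srr_check_ports "LISTENING PORTS" "ALLOWED PORTS"
# In production the first argument would come from a listener inventory
# (e.g. parsed netstat/ss output); here it is passed in explicitly.
srr_check_ports() {
    listening="$1"; allowed="$2"; rc=0
    for p in $listening; do
        case " $allowed " in
            *" $p "*) ;;
            *) echo "FINDING: port $p listening but not in allowed list"; rc=1 ;;
        esac
    done
    return $rc
}

# image_digest FILE: SHA-256 of the gold image, recorded when it passes review.
image_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# gold_needs_rescan COPY RECORDED_DIGEST
# Returns 0 (true) when the copy differs from the reviewed gold image and
# therefore must go back through the SRR scripts; 1 when it is byte-identical.
gold_needs_rescan() {
    [ "$(image_digest "$1")" != "$2" ]
}

# Demonstration on constructed files; safe to run stand-alone.
run_demo() {
    tmp=$(mktemp -d)
    printf 'Protocol 2\n#PermitRootLogin yes\nPermitRootLogin no\n' > "$tmp/sshd_config"
    echo "--- config review"
    if srr_check_config "$tmp/sshd_config" Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no; then
        echo "config: PASS"
    else
        echo "config: FAIL"
    fi
    echo "--- port review (constructed listener list)"
    if srr_check_ports "22 443 8080" "22 443"; then echo "ports: PASS"; else echo "ports: FAIL"; fi
    echo "--- gold image check"
    printf 'constructed gold image bytes\n' > "$tmp/gold.img"
    recorded=$(image_digest "$tmp/gold.img")
    cp "$tmp/gold.img" "$tmp/vm-copy.img"
    if gold_needs_rescan "$tmp/vm-copy.img" "$recorded"; then
        echo "vm-copy: altered, rescan required"
    else
        echo "vm-copy: identical to reviewed gold image, rescan not needed"
    fi
    rm -rf "$tmp"
}

run_demo
```

The port and config checks are the "leading indicator" half: they fail loudly and list exactly which setting drifted. The digest check is what turns "we didn't alter it" from an assertion into evidence an accreditor can verify; a virtualized copy that matches the recorded digest is the same bits that passed the SRR, while any change (even a benign one) drops it back into the rescan queue.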

At least part of the issue is that the military is still writing STIGs for virtualization software. The more of that software is certified, the more quickly virtualization can be used, without retesting each app in a virtual environment. Last year, DISA released version 1 of a STIG for VMware ESX Server, the publication of which Rossi called "a big step forward."

This is only one of a wide range of virtualization products that could be used, however. Moreover, many agencies still have to catch up with the guidelines that are already in place. "Each agency generally has a set of information security guidelines, and although they generally incorporate the STIGs, it takes time for them to catch up with updates, and for their security professionals to become comfortable with new technologies," Rossi explained.

Posted on Jul 16, 2009 at 9:39 AM, 1 comment