2 signs DHS is turning the corner on cybersecurity
The appointment of Mark Weatherford to a lead cybersecurity role in the Homeland Security Department is part of a trend that is transforming federal IT security from a paperwork exercise to effective defense of government systems, says long-time observer Alan Paller.
Weatherford, who became DHS’ first deputy undersecretary for cyber security on Nov. 21, is the first technologist with hands-on cybersecurity experience in government and the private sector in a DHS cybersecurity post, said Paller, director of research at the SANS Institute.
“Mark has been very good at hiring technology people in other jobs, and I think he’ll be able to do it here,” he said. “I believe that this is the first day of the rest of life at DHS.”
With new FISMA rules, security progress can be measured
The appointment comes as DHS’ role in enforcing the Federal Information Security Management Act is being clarified and strengthened, and FISMA is shifting from a periodic assessment and certification of information systems to a continuous monitoring of security status.
“Now they have to implement the second half,” Paller said, which is to use the information gathered from monitoring systems to correct security problems.
FISMA has long been criticized as a paperwork exercise rather than the foundation for effective security programs, and DHS’s role in enforcing FISMA requirements has been problematic. Instructions for fiscal 2011 FISMA reporting to Congress say specifically that DHS has operational responsibility for cybersecurity in executive branch agencies. But that assurance comes in a memo from the Office of Management and Budget, which has historically overseen FISMA compliance by virtue of its budget authority. Several bills before Congress would give DHS statutory authority for FISMA, but until one of them becomes law the department relies on authority delegated from OMB.
One of the most significant uses of that authority was the department’s determination that continuous monitoring of the security status of IT systems not only is required under FISMA, but that it also takes the place of the authorization required every three years under original FISMA guidance. OMB made this explicit in its 2011 instructions.
“Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs,” the instructions say. “Continuous monitoring programs thus fulfill the three-year security reauthorization requirement, so a separate re-authorization process is not necessary.”
This requirement for continuous monitoring of systems is the greatest change in FISMA since it was enacted in 2002. Although the act has not been amended, the National Institute of Standards and Technology, which is charged with developing technical standards and specifications for compliance, has shifted its guidance from periodic assessments to continuous monitoring.
A handful of agencies, led by the State Department, have implemented programs to continuously monitor and update systems. Paller said he believes this will become the norm within a year, as the budgets and tools for it become readily available.
“Technology adoption doesn’t happen linearly, it happens almost all at once,” he said. “We are within five or 10 months of everyone saying, ‘We were always going to do that.’”
The position of deputy under secretary for cyber security, in the National Protection and Programs Directorate at DHS, was created in September and Weatherford was named to it in October. Greg Schaffer, assistant secretary for cybersecurity and communications, had been acting in that position.
Weatherford came to DHS from the North American Electric Reliability Corp., where he directed the critical infrastructure and cybersecurity program for the nation’s power transmission systems. He left his position as California’s chief information security officer in July 2010 to join NERC, and prior to that had been Colorado’s CISO. He also is a former Navy cryptologic officer and led the Navy’s computer network defense operations and its Computer Incident Response Team.