Agencies join effort to promote use of critical controls for cybersecurity
The Homeland Security Department is launching an initiative to implement automated monitoring of a set of critical security controls in government IT security this year, to provide a standardized cybersecurity baseline for agencies.
The effort will include a set of technical specifications developed in cooperation with industry that would enable the automation of the controls in off-the-shelf products. There also would be a governmentwide dashboard to provide visibility into each agency’s status on the controls and help establish priorities for improvement during the current fiscal year.
The plans were unveiled in conjunction with the release on Nov. 5 of the latest version of the top 20 Critical Controls for Effective Cyber Defense and the announcement of a new international organization to oversee development of the consensus controls and promote their use in government and industry.
DHS, along with the National Security Agency, the Defense Department, the Defense Information Systems Agency and the DOD Cyber Crime Center, are among the members of the Consortium for Cybersecurity Action, which will maintain and update the list.
The critical controls, formerly the Consensus Audit Guidelines, are a set of security requirements developed in cooperation by government and private sector experts and published by the Center for Strategic and International Studies (CSIS) and the SANS Institute. Growing adoption of the controls in both government and industry has created the need for a more formal organization to house and maintain them, said former NSA official Tony Sager, who will lead the effort.
“It had to be a little more standardized,” said Sager, who retired as chief operating officer of the NSA’s Information Assurance Directorate in June. “If major organizations are going to make IT policy and spending decisions based on it, they have to know it will be there in two or five years.”
The critical controls are a reflection of the 80/20 rule at work in cybersecurity: Twenty percent of the effort produces 80 percent of the results. The controls are an effort to identify the 80 percent payoff that can prevent or mitigate the bulk of the attacks against IT systems today. By automating the application and monitoring of these basic security functions, resources and manpower could be freed to address remaining challenges that are more sophisticated and require greater attention.
Development of the critical controls began in 2008 under the auspices of the CSIS in cooperation with other groups including NSA, US-CERT, DOD, Energy Department Nuclear Laboratories and the State Department. Their use at the State Department has gained attention as a way to measure and reduce meaningful vulnerabilities in widespread IT systems. The new consortium will have no power to require use of the control list, and its authority will come from the combined weight of its members.
The critical controls are not intended to replace more comprehensive frameworks such as the Recommended Security Controls for Federal Information Systems from the National Institute of Standards and Technology, but provide a high-value starting place, Sager said.
The latest version of the controls, 4.0, reflects the growing importance of threats to Web clients and mobile applications and adjusts the expected maturity levels of some controls needed to effectively address problems. By defining various levels of maturity for each control as they are implemented in a system, the list lets administrators measure the current level of maturity for each control in their systems, identify the level of maturity needed to provide adequate security, and use the resulting gap to set priorities for improvements to each system.
Such a system does not provide complete security, but advocates say it helps focus security investment in the most needed areas and frees needed resources for more complex threats. By updating the list regularly to reflect changes in the threat landscape, the consortium will try to ensure that priorities remain properly focused.
The DHS program for implementing an initial set of five critical controls has been funded for fiscal 2013, which began Oct. 1. Capabilities will be expanded to other controls if funding is available. The department expects to issue a request for proposals that would provide a blanket purchase agreement for off-the-shelf automated monitoring tools for the initial set of controls:
- Hardware asset management
- Software asset management
- Configuration management
- Vulnerability management
- Network access control management
The BPA will be available to state and local governments as well as federal agencies.