Homeland Security tops FISMA scorecard. How do they do it?
- By William Jackson
- Jun 19, 2014
Over the past 18 months, the Homeland Security Department’s Office of Inspector General has established a system of continuous monitoring that has kept the multi-faceted agency at the top of the government’s list of performers in federal IT security standards compliance.
DHS received the top score in the Federal Information Security Management Act report to Congress for fiscal 2013, the only agency to get a score of 99 two years in a row. The OIG uses commercial vulnerability scanning products and open source management tools in a platform that routinely scans systems for compliance with FISMA metrics.
The system recently was recognized by ISC2 with a Government Information Security Leadership Award.
“Our process was one of making security a part of the operational unit,” and not just an IT function, said Jaime Vargas, the OIG’s chief information security officer. Identifying shortcomings quickly on an ongoing basis means persons can be held accountable for results. “We can ask very pointed questions. We are telling them not only that something is broken, but what is broken.”
So DHS now is getting high marks for FISMA compliance. Is the department more secure?
“That’s always a difficult question,” Vargas said, because compliance does not equal security. But the new system is helping his office move from a process-driven to a results-driven program that provides greater visibility into the systems. “I think we are moving in the right direction.”
Although the inspector general performs departmentwide evaluations on FISMA performance, each operational component in DHS – including the OIG – manages its own IT systems and is responsible for their security. That puts pressure on the IG’s office, Vargas said.
“One of the challenges the IG has is that we don’t set our own policies, we follow the policies of the department at large,” he said. “At the same time, we are expected to set an example in order to be credible.”
One of the biggest hurdles in FISMA compliance is the shifting metrics on which each agency is measured. Although the FISMA legislation has not been updated since its enactment in 2002, the security guidance and reporting requirements change and mature each year, setting new targets for mitigating and managing risk, remediating vulnerabilities and reporting. And IT security itself is a work in process.
“Traditionally, security has been a tradeoff,” Vargas said. Every advance in security comes at a cost, and every cut in resources results in more risk being accepted. But the constant drumbeat of high profile security breaches in recent years has led to demands for greater security even in a time of budget austerity.
OIG’s security tool chest
To meet this challenge, the OIG leveraged products already available to the office, such as the Nessus vulnerability scanner from Tenable Network Security (“That is our workhorse,” Vargas said) and Microsoft’s Active Directory tools, together with open source tools.
Active Directory, which includes identities of network devices, is the source of record for the scanning system. In setting the system up, a physical inventory of devices was created in conjunction with the office’s accounting system, which matched IT assets with what has been bought. From this baseline inventory, compliance policies were developed for each type of device, which drives the imaging process for servers, workstations and other devices.
“Once we have that, we have a pretty good starting point,” Vargas said.
A number of open source tools were also developed to work with Active Directory to identify everything that is active on the network during a scan and to direct the scanning process, ensuring that the appropriate policy is applied to each type of device. “By doing that we are able to get very accurate results,” Vargas said. In addition, a controller application manages the workflow of tests, determining what is needed for each device, how failures or anomalies are treated, when to come back and retest and what bucket the test results go into. Organizing the test process this way allows the system to address medium- and low-level vulnerabilities as well as high-level ones.
There was some resistance to adopting open source tools, Vargas said. But they are cheap and available. “Nothing is perfect,” he said. “But when you get some code and some smart people working on it, they can actually leverage it and get something that works.”
The OIG now can scan its IT infrastructure every 10 days, getting about 90 percent of the devices on each scan (depending on how many are connected to the network at the time). It is also meeting the FISMA security metrics required by the Office of Management and Budget, which includes reporting on the number of vulnerabilities found, baseline configuration and the speed of deploying security patches. The system also supports the National Institute of Standards and Technology’s Risk Management Framework.
Making the connection between compliance and security remains a challenge, but Vargas said he believes the transparency provided by the scanning system has improved security. “Whether the metrics address security is outside my purview,” he said. “That is decided by the administration and department policy. But this allows us to know what should be on the network, what should not be on the network, what is normal and what is not.”