SPECIAL REPORT: Security Directives & Compliance
Sharing Information to Boost Security
New IT security compliance plan highlights growing partnership among federal agencies and security industry professionals
A central tenet of last year's U.S. Comprehensive National Cybersecurity Initiative (CNCI) is that "offense must inform defense."
In the security vernacular, this means that knowledge of actual attacks on systems provides the essential foundation for an effective defense. The U.S. Senate Homeland Security and Government Affairs Committee moved to make this tenet central to the Federal Information Security Management Act, in drafting FISMA 2008.
The newly proposed CAG provides specific audit guidelines that CISOs, CIOs, IGs, and the U.S. Computer Emergency Readiness Team (US-CERT) can adopt to ensure agency systems have critical baseline security controls in place. The guidelines take advantage of the knowledge gained in analyzing a myriad of attacks that have been successfully launched against federal systems and U.S. defense industrial base systems. The many partners in the CAG effort have identified key controls considered critical to stopping the attacks. This combined effort also takes advantage of the insights from the development and usage of standardized concepts for identifying, communicating and documenting security-relevant characteristics.
The Key Players
The team considered crucial to the transformation of federal IT security compliance is made up of players from industry, government and academia, including:
* U.S. National Security Agency Red Team and Blue Team;
* Department of Homeland Security, US-CERT;
* The Department of Defense (DoD) Computer Network Defense Architecture Group;
* DoD Joint Task Force on Global Network Operations (JTF-GNO);
* DoD Defense Cyber Crime Center (DC3);
* Department of Energy, Los Alamos National Lab, along with three other National Labs;
* Department of State, Office of the Chief Information Security Officer (CISO);
* Air Force;
* Army Research Laboratory;
* Department of Transportation, Office of the Chief Information Officer (CIO);
* Department of Health and Human Services, Office of the CISO;
* Government Accountability Office (GAO);
* MITRE Corp.;
* The SANS Institute;
* Testing and forensics experts at InGuardians and Mandiant.
Efforts of this combined team led to the creation of the CAG, which includes 20 security controls considered essential for blocking known high-priority attacks. Fifteen of the controls can be monitored, at least in part, automatically and continuously. The consensus effort also identified a second set of five controls considered essential, but for which no technological solutions yet exist to aid in continuous monitoring.
Initiated a year ago, the CAG is a direct response to the extreme data losses experienced by leading suppliers in the U.S. defense industrial base (DIB). Using knowledge culled from DoD Red Teams along with renowned security and forensics experts, this team was able to build this set of consensus guidelines for federal agencies to use as a risk-based minimum standard for IT security.
What They Found
Very early in the process, participants in this information-sharing mission recognized that the attacks targeting the DIB were nearly identical to those used to target federal agencies, along with information-sensitive organizations in developed and developing countries around the world. That's when the project took on a greater significance and more organizations agreed to get involved. Since then, according to industry observers, the security partnership has grown to include NIST, which is working with the CAG team to help agencies and federal auditors work toward achieving these standard guidelines for IT security.
The coming NIST update to the FISMA 800-53 documentation will incorporate new guidance for federal agencies to make sure they prioritize the 20 controls based on individual agency goals and requirements. "The prior NIST documentation offered no guidance on prioritization, and agencies have struggled to implement all FISMA controls, no matter how well they fit in with agency IT security requirements," said Alan Paller, director of research at the SANS Institute.