Patricia Titus | At TSA, a clean slate benefited cybersecurity efforts
Former TSA CISO Titus discusses security and the pros and cons of FISMA
- By William Jackson
- May 27, 2009
Patricia Titus, chief information security officer at Unisys Federal Systems, joined the company a year ago after six years at the Transportation Security Administration, where she was the new agency’s first CISO. During her tenure at TSA, she focused on creating, implementing and maintaining an information technology security program that earned the agency an A grade for compliance with the Federal Information Security Management Act. Before joining TSA, Titus had been a technical adviser to the deputy chief information officer at the Treasury Department.
She recently talked with GCN senior writer William Jackson about security at the agency and new directions for FISMA.
GCN: What was the status of IT security at TSA when you arrived in 2002?
Titus: When I started at TSA, I was brought on board as the wireless program manager. There wasn’t an IT security officer at the time we were standing up TSA. About five or six months after I arrived, I took the additional burden of the IT security program office, and then two months after that, I was officially designated as chief information security officer. It was a very interesting time, very dynamic.
There was no Homeland Security Department at that time. There was an Office of Homeland Security, but TSA fell under the Transportation Department. We were an offshoot basically of the Federal Aviation Administration. When TSA was stood up, we inherited a very small amount of legacy systems. Our infrastructure was very clean, very new, and it was all built basically from the ground up. I recall government people actually building laptops so that we could get them shipped out to the field. It was a dynamic environment; everybody did what they needed to do to get the job at the moment done.
Was it an advantage to be working at a newly created agency, in a greenfield environment?
I wouldn’t really call it a greenfield because there were still plenty of rules and regulations we had to follow. TSA had several exemptions so we could get stood up quickly and wouldn’t have the normal red tape. But we still had plenty of regulations. We still fell under the policies of DOT. And we still were very mindful at the time of the Government Information Security Reform Act, which was being sunsetted, and FISMA was just coming onto the playing field.
Nevertheless, we had an opportunity to do things differently from any other federal organization because everything was new. So it was an advantage. We were able to build our entire information security program based on the [National Institute of Standards and Technology] framework and methodology. I don’t know if any other federal agency could claim that.
What did you do to make TSA FISMA compliant?
The first thing we had to do was determine what was a system.… Everybody’s terminology of a system was just a little bit different. At that time, Bob West was put into place as the departmental CISO [at DHS] and…he enlisted the assistance of an external consulting company to help develop a methodology that would define what was a system and to help us interview every program official and all the people in the executive team to determine where and what those systems were. This gave us the ability to target those systems for FISMA compliance. That follows the NIST methodology of identifying your assets.
There is always negotiation about what a system is. A lot of little pilots were stood up, and maybe it was testing something on a server. To us, that wasn’t a system; that was someone testing a piece of software. We came down to a digestible number; there were about 77 systems, I believe.
That allowed us to move into the next phase of the NIST methodology, and that is categorizing the data. We were able to take FISMA and lay out those processes and build our entire security program and processes around that. We built a tremendous educational program. When you’re looking at FISMA or any kind of compliance, one of the challenges is educating people about what you’re doing, why you’re doing it, what the outcome is going to be and telling them the success factors.
What was the biggest challenge you faced?
FISMA was just coming out, so the framework was still immature. As we stood up the infrastructure, there were a lot of adaptations that we needed to make as we started to make this environment fit TSA’s risk profile, which was slightly different than DOT’s. We had to do a lot of tweaking of the security controls and changes, and at the same time, new security controls were coming out. And this was during the time frame that malicious code and worms really started to hit the Internet. We had to do not only the strategic pieces of writing the policies, but we had to do the tactical pieces of trying to adapt our infrastructure to meet the demands of the new threats that were starting to hit us.
FISMA is a great starting place, but it is a step in continually monitoring and defending your infrastructure. We got really good around the 2005 time frame of beefing up our security perimeter, getting the firewalls locked down, [putting intrusion detection systems] in place and making sure we had a good build.
You had a chance to, in a sense, grow up with FISMA. It has been criticized as a paperwork drill that focuses on compliance rather than real system security. Do you agree or disagree with that assessment?
I agree and disagree. FISMA is a framework that gives you flexibility based on your risk profile and based on a full risk management program. Part of the reason why people look at it as a paper drill is because they are focusing on the wrong parts of it. They are focusing on counting how many systems are certified and accredited and how they get graded. That score-carding methodology maybe forced us to count the wrong things. FISMA includes a phase called continuous monitoring. That is really the last phase, and once people get authorized and enter that, that’s when they think they are through. But they’re not. That’s when the real hard stuff starts.
People based their certifications and accreditations on a three-year cycle and said, “Every three years, we will reassess the system.” Back in the 1990s, that may have been OK. But with the threats now coming at us daily, we recognized very quickly at TSA that that wasn’t going to work, that we needed to have a continuous monitoring capability. I built an internal audit team that did the annual assessments, and they also did ad hoc assessments. It was a small, nimble team. I would be able to say, “Something doesn’t feel right about this particular system. I’d like you guys to go scan it today.”
What changes are needed to FISMA?
I would like to see a better educational program for senior executives and program managers, an intense FISMA deep-dive as part of the onboarding process. They need to know what the threats are, first of all. I think people need threat briefings and [briefings on] what we are doing to stop those threats through repeatable processes. I think that education would go a long way toward keeping compliance from being a paper drill.
I have heard some discussion that they want to empower the CISOs further. That would have to be a very careful, well-thought-out piece of legislation because we may have created almost too much segregation already between the CIO and the CISO. They are both really trying to achieve the same thing: confidentiality, integrity and availability of data.
The CIO is interested in availability first. If we have too much segregation, we may create two opposing factions that might never get to a blended ability balancing operations and risk management. I think that can only be accomplished by the two of them coming together. The CISOs do need to have a seat at the table to understand the real mission. If you empower a CISO to turn off a mission-critical system because it is not secure, you might have unintended consequences.
One of the things I got to do at TSA was to go every morning to the security intelligence briefing. That gave me a good view of what the entire organization was dealing with. It helped me understand the whole security picture.
FISMA stops at the departmental level, and I don’t think it reaches as far down into the component level as it needs to. It might help get funding to those components that are the weakest. Bob West did that. He pushed accountability of FISMA to the individual components, and I took it upon myself to push it to the individual systems. And I’ll tell you, when senior executives see that their program is red and their colleague’s program is green, that is a power tool.
Are you encouraged by the direction cybersecurity is taking under the Obama administration?
I’m really encouraged by some of the first steps that have been taken. I think the [Center for Strategic and International Studies’ cybersecurity] report, the Consensus Audit Guidelines and several other initiatives that have started to crop up will help our new president make some smart decisions. I’m very encouraged by [acting senior director for cyberspace] Melissa Hathaway’s work. Several of our industry institutes have been asked to provide some comment. I think that initiative is going to get a lot of good feedback.
I think the appointment of a federal CIO is great. I would love to see [Vivek] Kundra pick a CISO because I think that would send the right message that there is a point/counterpoint to everything, and that operations have a security sidecar to the motorcycle.
But we’ve got a lot of work to do. Part of the issue is we’ve got to figure out who is in charge. Who do we reach out to — is it [the Office of the Director of National Intelligence, National Security Agency, National Transportation Safety Board], DHS?