Homeland Security tops FISMA scorecard. How do they do it?

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

The Department of Homeland Security earns top scores in FISMA compliance, thanks in part to the continuous monitoring program built by the department's Office of Inspector General.

Over the past 18 months, the Homeland Security Department’s Office of Inspector General has established a system of continuous monitoring that has kept the multi-faceted agency at the top of the government’s list of performers in federal IT security standards compliance.

DHS received the top score in the Federal Information Security Management Act report to Congress for fiscal 2013, the only agency to get a score of 99 two years in a row. The OIG uses commercial vulnerability scanning products and open source management tools in a platform that routinely scans  systems for compliance with FISMA metrics.

The system recently was recognized by ISC2 with a Government Information Security Leadership Award.

“Our process was one of making security a part of the operational unit,” and not just an IT function, said Jaime Vargas, the OIG’s chief information security officer. Identifying shortcomings quickly on an ongoing basis means persons can be held accountable for results. “We can ask very pointed questions. We are telling them not only that something is broken, but what is broken.”

So DHS now is getting high marks for FISMA compliance. Is the department more secure?

“That’s always a difficult question,” Vargas said, because compliance does not equal security. But the new system is helping his office move from a process-driven to a results-driven program that provides greater visibility into the systems. “I think we are moving in the right direction.”

Although the inspector general performs departmentwide evaluations on FISMA performance, each operational component in DHS – including the OIG – manages its own IT systems and is responsible for their security. That puts pressure on the IG’s office, Vargas said.

“One of the challenges the IG has is that we don’t set our own policies, we follow the policies of the department at large,” he said. “At the same time, we are expected to set an example in order to be credible.”

One of the biggest hurdles in FISMA compliance is the shifting metrics on which each agency is measured. Although the FISMA legislation has not been updated since its enactment in 2002, the security guidance and reporting requirements change and mature each year, setting new targets for mitigating and managing risk, remediating vulnerabilities and reporting. And IT security itself is a work in process.

“Traditionally, security has been a tradeoff,” Vargas said. Every advance in security comes at a cost, and every cut in resources results in more risk being accepted. But the constant drumbeat of high profile security breaches in recent years has led to demands for greater security even in a time of budget austerity.

OIG’s security tool chest

To meet this challenge, the OIG leveraged products already available to the office, such as the Nessus vulnerability scanner from Tenable Network Security (“That is our workhorse,” Vargas said) and Microsoft’s Active Directory tools, together with open source tools.

Active Directory, which includes identities of network devices, is the source of record for the scanning system. In setting the system up, a physical inventory of devices was created in conjunction with the office’s accounting system, which matched IT assets with what has been bought. From this baseline inventory, compliance policies were developed for each type of device, which drives the imaging process for servers, workstations and other devices.

“Once we have that, we have a pretty good starting point,” Vargas said.

A number of open source tools were also developed to work with Active Directory to identify everything that is active on the network during a scan and to direct the scanning process, ensuring that the appropriate policy is applied to each type of device. “By doing that we are able to get very accurate results,” Vargas said. In addition, a controller application manages the workflow of tests, determining what is needed for each device, how failures or anomalies are treated, when to come back and retest and what bucket the test results go into. Organizing the test process this way allows the system to address medium- and low-level vulnerabilities as well as high-level ones.

There was some resistance to adopting open source tools, Vargas said. But they are cheap and available. “Nothing is perfect,” he said. “But when you get some code and some smart people working on it, they can actually leverage it and get something that works.”

The OIG now can scan its IT infrastructure every 10 days, getting about 90 percent of the devices on each scan (depending on how many are connected to the network at the time). It is also meeting the FISMA security metrics required by the Office of Management and Budget, which includes reporting on  the number of vulnerabilities found, baseline configuration and the speed of deploying security patches. The system also supports the National Institute of Standards and Technology’s Risk Management Framework.

Making the connection between compliance and security remains a challenge, but Vargas said he believes the transparency provided by the scanning system has improved security. “Whether the metrics address security is outside my purview,” he said. “That is decided by the administration and department policy. But this allows us to know what should be on the network, what should not be on the network, what is normal and what is not.”

NEXT STORY: Mobile forensics tools hammer out evidence

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.