Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:42 PM
Connect Directly

Possible 'Patch' For Policy On Protecting Government Agency Systems

CSIS report due tomorrow will recommend revising a longtime OMB policy with 'continuous monitoring' of government systems and networks

A new national cybersecurity law may not be on the horizon anytime soon, but there could be a simpler and less politically charged way to shore up security, at least among U.S. government agencies. Former Office of Management and Budget (OMB) officials and others are proposing changes to an OMB policy they say would better protect agencies from today's advanced attacks.

The Center for Strategic and International Studies (CSIS) Technology and Public Policy Program tomorrow will issue recommendations for updating 12-year-old OMB requirements to call for continuous monitoring in federal agencies to help thwart today's attacks. The goal is to replace a current compliance checkbox approach and mentality with a method that automates the monitoring and patching of vulnerabilities in government systems as a way to improve security, according to authors of the report, three of whom are former OMB officials.

"Government security experts have told us that the current regime of periodic reports and certifications requires them to spend tens of millions of dollars on reports and processes that do little to enhance security. Agencies can better implement continuous monitoring through work led by chief information officers (CIOs) and chief information security officers (CISOs)," the report says.

This would require revising OMB Circular A-130, called Management of Federal Information Resources. "Under the current policy regime, oversight organizations, like the inspectors general and the Government Accountability Office, produce reports on compliance against outdated policies, wasting time and energy and incentivizing exactly the wrong behavior among agencies. There is hard evidence that continuous monitoring, measurement, and mitigation are far more effective in addressing real threats in an environment in which those who seek to do us harm move quickly," the report says.

Federal agencies would still report annually to the OMB and Congress as required by the Federal Information Security Management Act of 2002 (FISMA), however.

"This has been cooking for about six months or so. We were [becoming] pessimistic about the prospect of legislation this year, and believe a lot of things can be done without legislation," says former OMB and White House official Frank Reeder, one of the authors of the report and co-founder and director of the Center for Internet Security and the National Board of Information Security Examiners.

"All of us are convinced that legislation is absolutely necessary to deal with privately owned infrastructure ... but the executive branch has ample authority" to address the government side of the infrastructure picture, he says.

Reeder says he hopes the CSIS's recommendations will help encourage a possible executive order for shoring up the cybersecurity of agency networks and systems, but making these changes to FISMA doesn't require an executive order, either. "The OMB has ample authority under FISMA to do what needs to be done. An executive order would give any such guidance more moral weight," he says.

And unlike the partisan split over regulating the security of private critical infrastructure, tightening the security of the government's computing infrastructure has been more of a nonpartisan issue, he says.

[Eighty percent of critical infrastructure operators say they have experienced a large-scale attack. See Cyberattacks On Critical Infrastructure Are Increasing, Study Says. ]

CSIS's new white paper, called "Updating U.S. Federal Cybersecurity Policy and Guidance: Spending Scarce Taxpayer Dollars on Security Programs that Work," follows on the themes and recommendations raised by the Commission on Cybersecurity for the 44th Presidency, which was issued in 2008. Continuous monitoring and mitigation of threats also speed response to potential risks and attacks, according to the report. The report also says that the Department of Homeland Security (DHS) would be a major resource for providing agencies with security control priorities, risk and vulnerability reports, as well as mitigation strategies.

Reeder says CSIS has been in conversations with OMB and other players mentioned in the report about the possibility of changing the OMB circular to specify continuous monitoring. "Our next step is to continue to engage in conversations with DHS, OMB, and others in the administration, and to brief folks on the Hill," he says.

It shouldn't be a major undertaking to make the change, he says. "We can't continue to spend money on things that don't work," he says.

The CSIS report also calls for finding a way to bridge the gap between national security and non-national security systems to better protect the nation's critical infrastructure. That means finding a way for the government to work with the civilian side in protecting public utilities, banking systems, or other critical infrastructure. "The threat to infrastructure is not just about weapons systems," he says.

Tony Sager, a former NSA senior official, weighed in on the CSIS recommendations: "The Federal government is spending substantial sums on security measures that are either marginally effective, or unmeasured in their effectiveness. This report recommends ways that government policy can help lead agencies to improve their security as part of the management of risk across the entire Federal enterprise," Sager said in a statement.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.