Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:42 PM
Connect Directly

Possible 'Patch' For Policy On Protecting Government Agency Systems

CSIS report due tomorrow will recommend revising a longtime OMB policy with 'continuous monitoring' of government systems and networks

A new national cybersecurity law may not be on the horizon anytime soon, but there could be a simpler and less politically charged way to shore up security, at least among U.S. government agencies. Former Office of Management and Budget (OMB) officials and others are proposing changes to an OMB policy they say would better protect agencies from today's advanced attacks.

The Center for Strategic and International Studies (CSIS) Technology and Public Policy Program tomorrow will issue recommendations for updating 12-year-old OMB requirements to call for continuous monitoring in federal agencies to help thwart today's attacks. The goal is to replace a current compliance checkbox approach and mentality with a method that automates the monitoring and patching of vulnerabilities in government systems as a way to improve security, according to authors of the report, three of whom are former OMB officials.

"Government security experts have told us that the current regime of periodic reports and certifications requires them to spend tens of millions of dollars on reports and processes that do little to enhance security. Agencies can better implement continuous monitoring through work led by chief information officers (CIOs) and chief information security officers (CISOs)," the report says.

This would require revising OMB Circular A-130, called Management of Federal Information Resources. "Under the current policy regime, oversight organizations, like the inspectors general and the Government Accountability Office, produce reports on compliance against outdated policies, wasting time and energy and incentivizing exactly the wrong behavior among agencies. There is hard evidence that continuous monitoring, measurement, and mitigation are far more effective in addressing real threats in an environment in which those who seek to do us harm move quickly," the report says.

Federal agencies would still report annually to the OMB and Congress as required by the Federal Information Security Management Act of 2002 (FISMA), however.

"This has been cooking for about six months or so. We were [becoming] pessimistic about the prospect of legislation this year, and believe a lot of things can be done without legislation," says former OMB and White House official Frank Reeder, one of the authors of the report and co-founder and director of the Center for Internet Security and the National Board of Information Security Examiners.

"All of us are convinced that legislation is absolutely necessary to deal with privately owned infrastructure ... but the executive branch has ample authority" to address the government side of the infrastructure picture, he says.

Reeder says he hopes the CSIS's recommendations will help encourage a possible executive order for shoring up the cybersecurity of agency networks and systems, but making these changes to FISMA doesn't require an executive order, either. "The OMB has ample authority under FISMA to do what needs to be done. An executive order would give any such guidance more moral weight," he says.

And unlike the partisan split over regulating the security of private critical infrastructure, tightening the security of the government's computing infrastructure has been more of a nonpartisan issue, he says.

[Eighty percent of critical infrastructure operators say they have experienced a large-scale attack. See Cyberattacks On Critical Infrastructure Are Increasing, Study Says. ]

CSIS's new white paper, called "Updating U.S. Federal Cybersecurity Policy and Guidance: Spending Scarce Taxpayer Dollars on Security Programs that Work," follows on the themes and recommendations raised by the Commission on Cybersecurity for the 44th Presidency, which was issued in 2008. Continuous monitoring and mitigation of threats also speed response to potential risks and attacks, according to the report. The report also says that the Department of Homeland Security (DHS) would be a major resource for providing agencies with security control priorities, risk and vulnerability reports, as well as mitigation strategies.

Reeder says CSIS has been in conversations with OMB and other players mentioned in the report about the possibility of changing the OMB circular to specify continuous monitoring. "Our next step is to continue to engage in conversations with DHS, OMB, and others in the administration, and to brief folks on the Hill," he says.

It shouldn't be a major undertaking to make the change, he says. "We can't continue to spend money on things that don't work," he says.

The CSIS report also calls for finding a way to bridge the gap between national security and non-national security systems to better protect the nation's critical infrastructure. That means finding a way for the government to work with the civilian side in protecting public utilities, banking systems, or other critical infrastructure. "The threat to infrastructure is not just about weapons systems," he says.

Tony Sager, a former NSA senior official, weighed in on the CSIS recommendations: "The Federal government is spending substantial sums on security measures that are either marginally effective, or unmeasured in their effectiveness. This report recommends ways that government policy can help lead agencies to improve their security as part of the management of risk across the entire Federal enterprise," Sager said in a statement.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-10
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.