The Center for Strategic and International Studies (CSIS) Technology and Public Policy Program tomorrow will issue recommendations for updating 12-year-old OMB requirements to call for continuous monitoring in federal agencies to help thwart today's attacks. The goal is to replace a current compliance checkbox approach and mentality with a method that automates the monitoring and patching of vulnerabilities in government systems as a way to improve security, according to authors of the report, three of whom are former OMB officials.
"Government security experts have told us that the current regime of periodic reports and certifications requires them to spend tens of millions of dollars on reports and processes that do little to enhance security. Agencies can better implement continuous monitoring through work led by chief information officers (CIOs) and chief information security officers (CISOs)," the report says.
This would require revising OMB Circular A-130, called Management of Federal Information Resources. "Under the current policy regime, oversight organizations, like the inspectors general and the Government Accountability Office, produce reports on compliance against outdated policies, wasting time and energy and incentivizing exactly the wrong behavior among agencies. There is hard evidence that continuous monitoring, measurement, and mitigation are far more effective in addressing real threats in an environment in which those who seek to do us harm move quickly," the report says.
Federal agencies would still report annually to the OMB and Congress as required by the Federal Information Security Management Act of 2002 (FISMA), however.
"This has been cooking for about six months or so. We were [becoming] pessimistic about the prospect of legislation this year, and believe a lot of things can be done without legislation," says former OMB and White House official Frank Reeder, one of the authors of the report and co-founder and director of the Center for Internet Security and the National Board of Information Security Examiners.
"All of us are convinced that legislation is absolutely necessary to deal with privately owned infrastructure ... but the executive branch has ample authority" to address the government side of the infrastructure picture, he says.
Reeder says he hopes the CSIS's recommendations will help encourage a possible executive order for shoring up the cybersecurity of agency networks and systems, but making these changes to FISMA doesn't require an executive order, either. "The OMB has ample authority under FISMA to do what needs to be done. An executive order would give any such guidance more moral weight," he says.
And unlike the partisan split over regulating the security of private critical infrastructure, tightening the security of the government's computing infrastructure has been more of a nonpartisan issue, he says.
CSIS's new white paper, called "Updating U.S. Federal Cybersecurity Policy and Guidance: Spending Scarce Taxpayer Dollars on Security Programs that Work," follows on the themes and recommendations raised in the report of the Commission on Cybersecurity for the 44th Presidency, which was issued in 2008. Continuous monitoring and mitigation of threats also speed response to potential risks and attacks, according to the report. The report also says that the Department of Homeland Security (DHS) would be a major resource for providing agencies with security control priorities, risk and vulnerability reports, and mitigation strategies.
Reeder says CSIS has been in conversations with OMB and other players mentioned in the report about the possibility of changing the OMB circular to specify continuous monitoring. "Our next step is to continue to engage in conversations with DHS, OMB, and others in the administration, and to brief folks on the Hill," he says.
It shouldn't be a major undertaking to make the change, he says. "We can't continue to spend money on things that don't work," he says.
The CSIS report also calls for finding a way to bridge the gap between national security and non-national security systems to better protect the nation's critical infrastructure. That means finding a way for the government to work with the civilian side in protecting public utilities, banking systems, or other critical infrastructure. "The threat to infrastructure is not just about weapons systems," he says.
Tony Sager, a former NSA senior official, weighed in on the CSIS recommendations: "The Federal government is spending substantial sums on security measures that are either marginally effective, or unmeasured in their effectiveness. This report recommends ways that government policy can help lead agencies to improve their security as part of the management of risk across the entire Federal enterprise," Sager said in a statement.