USAID plans to rebound from dramatic drop in cybersecurity scores

Thursday - 6/21/2012, 9:20pm EDT

Jerry Horton, CIO, USAID

Download mp3

For years, the U.S. Agency for International Development stood out among agencies when it came to cybersecurity and meeting the requirements under the Federal Information Security Management Act (FISMA).

But last year, USAID went from an "A" grade to a "F."

The Office of Management and Budget's report to Congress on how agencies are implementing FISMA requirements found USAID dropped 36.6 points to a score of 53.8. In 2010, the agency earned a 90.8 score.

Jerry Horton, USAID's chief information officer, said the reason for the dramatic drop is because the agency didn't have a continuous monitoring program in place.

USAID was one of five agencies not to submit cyber data feeds to the Homeland Security Department's cyberscope program. The OMB report stated USAID didn't implement a configuration management capability at all, but had a fully capable vulnerability management functionality, and an 80 percent capability for asset management.

Horton said the agency also got marked down because they weren't using their secure identity card, under Homeland Security Presidential Directive-12, for logical access.

"We have plans in place to handle both so we will get our score back up this year," Horton said. "It's not really budget issue. It's really a change in the way the score is tracked from OMB's perspective."

Network upgrades key to cyber

Horton said USAID has an opportunity to improve its security as it upgrades its network. He said the goal is to build security into all of the agency's applications.

The biggest challenge for the department with implementing continuous monitoring was the process.

"We were a little behind in getting it running and I think that's what caused the FISMA score last year," he said. "It's not really a difficult proposition. Most of what we do on a security basis isn't that difficult. It's just a matter of getting it done."

Horton said his office has been upgrading USAID's network around the world for several years.

He said USAID has been moving more toward the cloud and mobility.

"We are basically making our applications, our services available from any network, at anytime from anywhere in the world," he said. "The cloud is a huge piece of this as is virtualization. We revolve it around mobility. The ability for a person to have a tablet, a smartphone, a laptop and even a desktop in a foreign location to be able to access our network infrastructure remotely, safely and securely."

He said the end goal is to make it easier for employees no matter where they are to access data and systems.

Lightweight apps to overcome latency

Part of USAID's upgrade plan is to consolidate networks with the State Department at posts around the world. Horton said his agency is eliminating three separate networks at three posts around the world.

"We are trying to head to the fact it runs on any network. A network infrastructure is becoming a commodity with the Internet so available and so easy to access, whether we use the Internet for our access or the State Department or anyone else, it doesn't really matter," he said.

Horton said because employees often are in countries without consistent electricity or Internet service, USAID is trying to solve some of the long- standing challenges from working in those countries.

He said the agency is consolidating its data centers to be closer to the point of presence for all network infrastructure coming into the U.S. Horton said that will eliminate many of the latency and speed issues.

"As we move our applications to be more Internet available, they can hit them from any access point, any wireless network, anything so it gives us an opportunity to tune our applications to work in a lot of places where latency is an issue or where just time is an issue," Horton said. "For example, some of our applications running in the cloud are actually faster to run over a local Internet connection or over a satellite link than it is to run over AIDNet or over the State Department's network or over anyone else's network because they are tuned more toward that capability."

He said a large number of employees, about one-third, have access to online email through a tablet or smartphone in places such as Sudan or Afghanistan. He said the agency expects to save about $4 million a year through online email.

But Horton said vendors need to do more to move older software to the mobile and cloud environment.

This story is part of Federal News Radio's daily Cybersecurity Update. For more cybersecurity news, click here.

RELATED STORIES:
Ask the CIO: USAID
USAID crowdsources to clean up aid data
Agencies met 77 percent of cyber requirements in 2011