Dynamics of federal cybersecurity management changing

Friday - 5/28/2010, 5:07pm EDT

Karen Evans and Mark Forman, former e-gov administrators

By Dorothy Ramienski
Internet Editor
Federal News Radio

Now that President Obama's 60 Day Cyber Security Review is a year old, In Depth took a look at some of the changes that have come to cybersecurity management in the federal government.

Host Francis Rose spoke with former e-gov administrators Karen Evans and Mark Forman about some recent developments and got their opinions about where things need to go in the future.

As Federal News Radio has been telling you, NASA deputy CIO Jerry Davis recently told his staff to shift their focus from FISMA to looking for real-time threats.

Evans says that thinking outside the box, as Davis is doing, might be beneficial.

"I think it's great that they're not doing the 'check the box' mentality. I think they need to realize, and everyone needs to realize, that FISMA as it stands now is still on the books and there's nothing that precludes people from getting away from checklists. I think it's great that he's going about doing this, [but] I'm always a little hesitant because I always get into these big debates about -- is certification and accreditation the right process? I know that's a big taboo right now. I've been through several different presentations where they're not using that word anymore, and it's the risk management framework that NIST is working on. But, FISMA has always been about risk-based approach, and so if we get to the goal of managing the risk on information infrastructure, then I'm all for it."

Forman said he fears that some of the current mentality might go toward fixing the symptoms and not the problems themselves.

"You have to understand the genesis of FISMA. Back in 2001, [when] the first calculation of how secure we were [was done], very few of the applications had security built in. So, the real issue is, long term, how do we get the development community -- whether it's federal or it's the commercial -- to build in good security practices, good applications controls, and then obviously secure the network at the front end. We know it's always more expensive to do it at the back end, but we also know we had to go through several years of securing the applications that were running the missions, the finances, the transactions of the government. I think Mr. Davis is saying, 'time to move on'. I think what [CISO] John Streufert at the State Department has done is really exciting, because he's said, now that we not only can move on, we know these applications will continue to evolve. We haven't gotten the security practices right to build them into the front end, so let's adopt a continuous auditing, continuous monitoring, risk-based approach and prioritize our problems as they arise on a daily, hourly basis. That's exciting to me."

Applying performance metrics to a risk-based profile is something that Evans says was discussed during her time, but never really achieved. She says the State Department now runs on a dashboard that lets employees see problems in real time.

"A lot of the things that we used to talk about trying to get done, like the measurement of risk, or -- if I make this decision, what would the cost or the impact be? The State Department has a mechanism now where they can actually do that. They can now show [data like] -- 'The money that we were spending over here, we're now going to apply over here and measure the risk of how we're reducing it'. They're pretty mature in what they're doing, and what they're trying to do now is box it up so that other agencies can then emulate what they've done. They're sharing a lot of their best practices."

Forman said that he would have liked to have seen some discussion of NASA's Nebula in Davis' memo, because Nebula is a platform-as-a-service model that acts as an applications development environment. These types of tools should not be left out of the discussion.

"You can't go to sleep because we secured the legacy apps. We've got to get the mentality and the applications development community to really focus on building in security at the front end. They've got a great opportunity with Nebula and the other platform-as-a-service models at NASA. So, I think that deserves as much focus as moving to the risk-based [mentality of] -- 'Alright, we've secured the apps, time to move on' paradigm."