New proposed FISMA metrics suggest key technology recommendations
Earlier this month, the National Institute of Standards and Technology issued a request for comments on a draft set of proposed security metrics that OMB is considering using for agencies’ annual reporting as required under the Federal Information Security Management Act (FISMA). The comment period runs through January 4, 2010, giving all interested parties, including members of the public, the chance to point out aspects of information security management that OMB and NIST may be overlooking. Taking a quick read through the draft recommended metrics (easy to do since they are presented in bullet-point form in a 22-page slide presentation) can provide a sense of where the government is evolving its thinking on information security, and also gives and indication of some of the technologies and practices that OMB thinks agencies should be adopting, even where formal recommendations (in the form of a memorandum) have not been issued.
In the past, information security reporting by government agencies has focused on historical perspectives produced at relatively infrequent (annual or quarterly) intervals, so one interesting theme in the proposed metrics is the emphasis on real-time reporting capabilities in general, and automated capabilities for achieving situation awareness in particular. OMB proposes asking agencies whether they can provide real-time feeds about system, hardware, and software inventories; external connections including Internet and remote access channels; the number of employees and contractors with log-in credentials, security awareness training, and significant information security responsibilities; and integrated security status and monitoring. In every category, the questions as currently worded allow for the possibility that a given agency does not have real-time or even automated capabilities for reporting the requested information, but in most cases, if no capability exists agencies are asked to provide a date by which they will have such capabilities in place. This language implies a recommendation or expectation that certain practices and technologies be implemented, at least to facilitate reporting (an online reporting tool called CyberScope went live in October). Moving in the direction of continuous monitoring and reporting is a consistent trend from NIST, seen most recently in the revisions to its Special Publication 800-37, which among other things announce an intention to move away from tri-annual certification and accreditation and towards more continuous monitoring of security controls for information systems.
One possible way to interpret some of the questions in OMB’s proposal is that agencies may be expected in the near future to acquire and implement more technical measures to help enforce information security policies, regulations, and obligations that already exist. For example, questions under hardware inventory ask about agency abilities to detect and block the introduction of unauthorized hardware to any device on agency networks, and under software inventory similar questions ask about the ability to prevent unauthorized software from being installed on network-connected devices. These capabilities are most often associated with technical security measures such as network access control, end-point security, and monitoring of USB ports and other workstation I/O channels. Many agencies have policies in place forbidding, for instance, the use of USB thumb drives or other removable storage media, but not all have implemented the corresponding technical controls to monitor and enforce compliance with such policies. Similar disconnects between policy and enforcement exist at many agencies where third-party or even personal computers can be connected to government networks. In some cases agencies rely on employee and contractor execution of rules of acceptable use or rules of behavior agreements, rather than technology to monitor network connections, scan clients attempting to connect, and alerting when violations occur. The proposed FISMA reporting questions also ask about use and validation of standard configurations for computing platforms, presumably to determine to what extent agencies are following the Federal Desktop Core Configuration (FDCC) mandated beginning in early 2008 or similar secure configuration guidelines.
In proposed questions about incident detection, the wording may indicate a shift, however subtle, about expectations for agency practices and the need to include those in FISMA reports. For example, in the OMB draft metrics, the language presumes that agencies are conducting controlled network penetration testing. This has always been a requirement under FISMA, but FISMA reporting to date has limited questioning to incident detection tools in use, and has never asked specifically about agency penetration testing. In a format similar to previous FISMA report questions on incident detection and response, the proposed metrics include a category for data leakage protection, asking agencies what technologies (if any) are used to prevent sensitive information from being sent outside agency network environments. Aside from a directive issued in 2006 (OMB Memorandum 06-16) that instructed agencies to encrypt agency data stored on laptops and other mobile devices, no comprehensive guidance or requirement has been issue for federal agencies regarding data leakage protection (or as more common seen in the security market, “data loss prevention”), although it has been a popular topic in government security policy discussions by the Information Security and Privacy Advisory Board (ISPAB) and other bodies debating government information security priorities.
On balance, the new metrics proposed by OMB appear to be a small step forward in reporting information more representative of agency security posture than previous FISMA report requirements, although they are likely to be insufficient to support some of the more significant revisions to FISMA that have been proposed in by Sen. Tom Carper and others in Congress over the past 18 months. To their credit, NIST and OMB do appear to be positioning to leverage relevant government-wide initiatives, such as HSPD-12 credentials and the consolidation of agency external connections under the Trusted Internet Connection program. Practically speaking, the intended benefit from information addressed in the proposed metrics will not be realized until a greater proportion of agencies take action to implement the capabilities and security best practices NIST recommends.