Yesterday, the United States Office of E-Government and Information Technology released the FY 11 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002 (FISMA). The report, which essentially outlines all the major efforts, progress, and ongoing threats regarding IT security in the entire US government, not only serves to inform Congress of the current state of federal cybersecurity, but it helps enterprises get a handle on what they should be thinking about in terms of security as well.
For those who depend one way or another on the US government, you’ll be gratified to know that significant progress was made from FY 2010 to FY 2011. Improvements have been made in the use of mobile encryption, secure connections, tracking the status of assets, and credentialing. However, the report states that “because of the relentless dynamic threat environment, emerging technologies, and new vulnerabilities,” the defense posture must always be shifting. Currently, the government is concentrating on three major priorities: continuous monitoring, Trusted Internet Connection (TIC), and HSPD-12 implementation for access control.
Of the three, continuous monitoring is the one most likely to already be implemented in the enterprise. The continuous automated monitoring of assets is relatively new to the federal government: Only 17 percent of departments could do so in 2010, but that number rose significantly, to 75 percent, in 2011. The National Institute of Standards and Technology (NIST) is in the midst of working out guidelines for continuous monitoring. Three documents it is circulating for public comment can be found here. The situational awareness that comes from automated monitoring can quicken response times to threats, reveal unknown threats, and allow you to track larger patterns of events and threats. In the case of the government, data is not only reported at the department level but also to an automated feed called Cyberscope, which compiles the data across departments, allowing the government to see whether persistent threats exist across multiple parts of the government.
Another issue that the federal government wanted to work on was consolidating the number of external telecommunications connections to the federal government. It did this by creating Trusted Internet Connection Access Portals (TICAP). Each TICAP includes firewalls, malware protection, and network security, and a total of 51 security requirements. Through this initiative, the government was able to consolidate external connections by 85 percent and make sure more of its traffic was going through secured connections.
The final issue is the safe credentialing required by Homeland Security Presidential Directive 12 (HSPD-12). This requires the use of PIV cards that have two-factor authentication (usually a smart card and a PIN). Eighty-nine percent of government employees have now been issued the cards, but strangely enough, only 66 percent (up from 55 percent in 2010) are actually required to use them. Two-factor authentication is significantly safer than single-factor authentication and could be used just as easily in the enterprise. The relatively small progress in the use of the cards is a major hurdle that both the federal government and an enterprise will encounter, and it mostly has to do with user resistance to the perceived inconvenience of two-factor authentication.
Another HSPD-12 requirement has been more of a success. Portable device encryption is now up to 89 percent, from 54 percent in FY 2010. In 2011, the list of devices was extended to include every major enterprise mobile device, including laptops, smartphones, and even USB devices. The obvious goal is 100 percent, and that's very doable. Total encryption is also a reachable goal in the enterprise. Portable devices are the number-one source of lost data in the government and the enterprise, and encryption would significantly reduce the damage done when such a device is lost. Fortunately, some departments in the government, including the Treasury and the State Department, have 100 percent encryption. Sadly, the Department of Defense is still lagging at 84 percent.
Of course, not everything in your enterprise is going to require protection with two-factor authentication, encryption, and special connection portals. However, nearly every enterprise, just like the government, needs to protect sensitive data. The savvy CIO will read this article (and the report) for pointers on what he should be doing to protect his company's most sensitive data. The best practices in security are being created right now by Homeland Security.