Many of us in government are frustrated that documenting and maintaining security plans costs so much that few resources are left to actually implement secure systems. The Federal Information Security Management Act receives most of the blame, I think wrongly. Most frustrating is that industry providers have tremendous capabilities to support implementation of secure systems. The catch is that those of us responsible for secure systems must plan the use of limited resources to focus our implementation priorities.
Karen Evans, administrator for e-government and information technology at the Office of Management and Budget, has expressed concern at the high cost of security-compliance documentation and reporting. To address this problem, OMB created the Information Systems Security Line of Business to expedite partnering on common solutions so that agencies can stop paying for duplicative efforts.
The Justice Department will offer its Cyber Security Assessment and Management toolkit through the LOB. CSAM automates management of five services with authoring tools that can customize solutions for each area.
One: Risk-Based Policy and Implementation Guidance
The CSAM authoring tool can align threats and vulnerabilities to an agency’s operational situation. Risk-control requirements are defined using National Institute of Standards and Technology special publications as a foundation, then expanded to include controls for national security systems, financial systems, privacy data protection and other needs.
It’s a common mistake to write policy without considering the agency’s implementation capabilities. This isn’t like the National Standards of Learning tests, where students aren’t told the answers in advance. Here, both implementers and testers are told exactly what satisfies each requirement, closing the gap between what each of them would otherwise assume is sufficient.
Two: Enterprise Program Management Plan
The management plan authoring tool lets users establish priorities and identify enterprise solutions that can be “inherited” by application systems. About 70 percent of risk-control requirements can be inherited from general support systems or sites.
Alan Paller of the SANS Institute advocates what he calls attack-based metrics. Paller recognizes that all risks will not be eliminated, but it’s crucial to identify those with the greatest potential threat and impact so performance can be measured based on risk controls to eliminate weaknesses.
Three: System Security Plans
In the IT world, system security plans (SSPs) all too often are pricey shelf-ware costing upwards of $100,000 to craft and thousands more to maintain. In CSAM, 95 percent of the SSP derives from the enterprise work accomplished during the policy and program planning and from the automated support in the system requirements assessment. The real work in completing any SSP is the assessment of control implementation status and development of funded action plans to complete the most pressing requirements.
Four: Management Reporting
CSAM generates management reports, including enterprise, system, compliance and ad hoc reports. Data entered once can support many varied reporting requirements, and a cost analysis feature allows enterprise and system cost tracking.
Five: Training and Quarterly Workshops
Training is the foundation that makes all the other areas work. Automated services within CSAM can support IT specialists. Training plus quarterly workshops ensure we provide the best support for our people. Their input means we can make continuous improvements.
The Justice effort focuses on moving away from reporting and instead getting IT security right from the get-go. If government managers have easy access to management and compliance status, then they will have the information needed to track implementation of security priorities that provide business value from compliance.