Thursday, June 25, 2009

CYBERSECURITY AT DHS AND NIST - GREGORY C. WILSHUSEN 

Statement of Gregory C. Wilshusen, Director, Information Security Issues, United States Government Accountability Office

Before the House Committee on Science and Technology, Subcommittee on Technology and Innovation

June 25, 2009

Chairman Wu and Members of the Subcommittee:

Thank you for the opportunity to participate in today's hearing on computer-based (cyber) security activities at the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST). Cybersecurity is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission or business. The need for a vigilant approach to cybersecurity has been demonstrated by the pervasive and sustained cyber attacks against the United States and others that continue to pose significant risks to computer systems and networks and the operations and critical infrastructures that they support.

In my testimony today, I will describe cybersecurity activities at DHS and NIST, including those activities related to establishing public/private partnerships with the owners of critical infrastructure. In addition, I will discuss the use of cybersecurity-related metrics in the federal government. In preparing for this testimony, we relied on our previous reports on federal information security and on DHS's efforts to fulfill its national cybersecurity responsibilities. We also relied on a draft report of our review of agencies' implementation of the Federal Information Security Management Act (FISMA).[1] These reports contain detailed overviews of the scope of our work and the methodology we used.

The work on which this testimony is based was performed in accordance with generally accepted government auditing standards. Those standards require that we plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background

As computer technology has advanced, federal agencies have become dependent on computerized information systems to carry out their operations and to process, maintain, and report essential information. Virtually all federal operations are supported by computer systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions, deliver services to the public, and account for their resources without these cyber assets. Information security is thus especially important for federal agencies to ensure the confidentiality, integrity, and availability of their systems and data. Conversely, ineffective information security controls can result in significant risk to a broad array of government operations and assets, as the following examples illustrate:

--Computer resources could be used for unauthorized purposes or to launch attacks on other computer systems.

--Sensitive information, such as personally identifiable information, intellectual property, and proprietary business information, could be inappropriately disclosed, browsed, or copied for purposes of identity theft, espionage, or other types of crime.

--Critical operations, such as those supporting critical infrastructure, national defense, and emergency services, could be disrupted.

--Data could be added, modified, or deleted for purposes of fraud, subterfuge, or disruption.

Government officials are increasingly concerned about attacks from individuals and groups with malicious intent, such as criminals, terrorists, and adversarial foreign nations. For example, in February 2009, the Director of National Intelligence testified that foreign nations and criminals have targeted government and private sector networks to gain a competitive advantage and potentially disrupt or destroy them, and that terrorist groups have expressed a desire to use cyber attacks as a means to target the United States.[2] The growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, and other critical infrastructures. As government, private sector, and personal activities continue to move to networked operations, digital systems add ever more capabilities, wireless systems become more ubiquitous, and the design, manufacture, and service of information technology have moved overseas, the threat will continue to grow.

DHS Is a Focal Point for National Cybersecurity Efforts

Federal law and policy[3] establish DHS as the focal point for efforts to protect our nation's computer-reliant critical infrastructures,[4] a practice known as cyber critical infrastructure protection, or cyber CIP. In this capacity, the department has multiple cybersecurity-related roles and responsibilities. In 2005, we identified, and reported on, 13 key cybersecurity responsibilities.[5] They include, among others, (1) developing a comprehensive national plan for CIP, including cybersecurity; (2) developing partnerships and coordinating with other federal agencies, state and local governments, and the private sector; (3) developing and enhancing national cyber analysis and warning capabilities; (4) providing and coordinating incident response and recovery planning, including conducting incident response exercises; and (5) identifying, assessing, and supporting efforts to reduce cyber threats and vulnerabilities, including those associated with infrastructure control systems.[6] Within DHS, the National Protection and Programs Directorate has primary responsibility for assuring the security, resiliency, and reliability of the nation's cyber and communications infrastructure.

DHS is also responsible for securing its own computer networks, systems, and information. FISMA requires the department to develop and implement an agencywide information security program to provide security for the information and information systems that support the operations and assets of the agency. Within DHS, the Chief Information Officer is responsible for ensuring departmental compliance with federal information security requirements.

NIST Is Responsible for Establishing Federal Standards and Guidance for Information Security

FISMA tasks NIST, a component within the Department of Commerce, with responsibility for developing standards and guidelines, including minimum requirements, for (1) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of the agency and (2) providing adequate information security for all agency operations and assets, except for national security systems. The act specifically required NIST to develop, for systems other than national security systems, (1) standards to be used by all agencies to categorize all their information and information systems based on the objectives of providing appropriate levels of information security, according to a range of risk levels; (2) guidelines recommending the types of information and information systems to be included in each category; and (3) minimum information security requirements for information and information systems in each category. NIST also is required to develop a definition of and guidelines for detection and handling of information security incidents, as well as guidelines, developed in conjunction with the Department of Defense and the National Security Agency, for identifying an information system as a national security system. Within NIST, the Computer Security Division of the Information Technology Laboratory is responsible for developing information security-related standards and guidelines.

FISMA also requires NIST to take other actions that include:

--conducting research, as needed, to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security;

--developing and periodically revising performance indicators and measures for agency information security policies and practices;

--evaluating private sector information security policies and practices and commercially available information technologies, to assess potential application by agencies to strengthen information security; and

--assisting the private sector in using and applying the results of its activities required by FISMA.

In addition, the Cyber Security Research and Development Act[7] required NIST to develop checklists to minimize the security risks for each hardware or software system that is, or is likely to become, widely used within the federal government.

Metrics Established to Evaluate Information Security Programs

FISMA also requires the Office of Management and Budget (OMB) to develop policies, principles, standards, and guidelines on information security and to report annually to Congress on agency compliance with the requirements of the act. OMB has provided instructions to federal agencies and their inspectors general for preparing annual FISMA reports. These instructions focus on metrics related to the performance of key control activities such as developing a complete inventory of major information systems, providing security training to personnel, testing and evaluating security controls, testing contingency plans, and certifying and accrediting systems. FISMA reporting provides valuable information on the status and progress of agency efforts to implement effective security management programs.

Recent Efforts to Improve National Cybersecurity Strategy

Because the threats to federal information systems and critical infrastructure have persisted and grown, President Bush in January 2008 began to implement a series of initiatives, commonly referred to as the Comprehensive National Cybersecurity Initiative, aimed primarily at improving DHS's and other federal agencies' efforts to protect against intrusion attempts and anticipate future threats.[8] Since then, President Obama (in February 2009) directed the National Security Council and Homeland Security Council to conduct a comprehensive review to assess the United States' cybersecurity-related policies and structures. The resulting report, "Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure," recommended, among other things, appointing an official in the White House to coordinate the nation's cybersecurity policies and activities, creating a new national cybersecurity strategy, and developing a framework for cyber research and development.[9] In addition, we testified in March 2009[10] that a panel of experts identified 12 key areas of the national cybersecurity strategy requiring improvement, such as developing a national strategy that clearly articulates strategic objectives, goals, and priorities; bolstering the public/private partnership; and placing a greater emphasis on cybersecurity research and development.

DHS Has Yet to Fully Satisfy Its Cybersecurity Responsibilities

We have reported since 2005 that DHS has yet to comprehensively satisfy its key responsibilities for protecting computer-reliant critical infrastructures. Our reports included about 90 recommendations that we summarized into key areas, including those listed in table 1, that are essential for DHS to address in order to fully implement its responsibilities. DHS has since developed and implemented certain capabilities to satisfy aspects of its responsibilities, but the department still has not fully implemented our recommendations, and thus further action needs to be taken to address these areas.

Bolstering Cyber Analysis and Warning Capabilities

In July 2008, we identified[11] that cyber analysis and warning capabilities included (1) monitoring network activity to detect anomalies, (2) analyzing information and investigating anomalies to determine whether they are threats, (3) warning appropriate officials with timely and actionable threat and mitigation information, and (4) responding to the threat. These four capabilities comprise 15 key attributes, including establishing a baseline understanding of the nation's critical network assets and integrating analysis work into predictive analyses of broader implications or potential future attacks.

We concluded that while DHS's United States Computer Emergency Readiness Team (US-CERT) demonstrated aspects of each of the key attributes, it did not fully incorporate all of them. For example, as part of its monitoring, US-CERT obtained information from numerous external information sources; however, it had not established a baseline of the nation's critical network assets and operations. In addition, while it investigated whether identified anomalies constituted actual cyber threats or attacks as part of its analysis, it did not integrate its work into predictive analyses of broader implications or potential future attacks, nor did it have the analytical or technical resources to analyze multiple, simultaneous cyber incidents. The organization also provided warnings by developing and distributing a wide array of attack and other notifications; however, these notifications were not consistently actionable or timely, i.e., providing the right information to the right persons or groups as early as possible to give them time to take appropriate action. Further, while the team responded to a limited number of affected entities in its efforts to contain and mitigate an attack, recover from damages, and remediate vulnerabilities, it did not possess the resources to handle multiple events across the nation.

We also concluded that without fully implementing the key attributes, US-CERT did not have the full complement of cyber analysis and warning capabilities essential to effectively perform its national mission. As a result, we made 10 recommendations to the department to address shortfalls associated with the 15 attributes in order to fully establish a national cyber analysis and warning capability. DHS concurred and agreed to implement 9 of our 10 recommendations.

Improving Cybersecurity of Infrastructure Control Systems

In a September 2007 report and October 2007 testimony, we reported[12] that DHS was sponsoring multiple control systems security initiatives, including an effort to improve control systems cybersecurity using vulnerability evaluation and response tools. However, DHS had not established a strategy to coordinate the various control systems activities across federal agencies and the private sector, and it did not effectively share information on control system vulnerabilities with the public and private sectors. Accordingly, we recommended that DHS develop a strategy to guide efforts for securing control systems and establish a rapid and secure process for sharing sensitive control system vulnerability information. In response, DHS recently began developing a strategy and a process to share sensitive information.

Strengthening DHS's Ability to Help Recovery from Internet Disruption

We reported and later testified[13] in 2006 that the department had begun a variety of initiatives to fulfill its responsibility for developing an integrated public/private plan for Internet recovery in case of a major disruption. However, we determined that these efforts were not comprehensive or complete. As such, we recommended that DHS implement nine actions to improve the department's ability to facilitate public/private efforts to recover the Internet.

In October 2007, we testified[14] that the department had made progress in implementing our recommendations; however, seven of the nine had not been completed. For example, it revised key plans in coordination with private industry infrastructure stakeholders, coordinated various Internet recovery-related activities, and addressed key challenges to Internet recovery planning. However, it has not, among other things, finalized recovery plans and defined the interdependencies among DHS's various working groups and initiatives. In other words, it has not completed an integrated private/public plan for Internet recovery. As a result, we concluded that the nation lacked direction from the department on how to respond in such a contingency. We also noted that these incomplete efforts indicated that DHS and the nation were not fully prepared to respond to a major Internet disruption. To date, an integrated public/private plan for Internet recovery does not exist.

Reducing Organizational Inefficiencies

In June 2008, we reported[15] on the status of DHS's efforts to establish an integrated operations center that it agreed to adopt per recommendations from a DHS-commissioned expert task force. We determined that while DHS had taken the first step towards integrating two operations centers, the National Coordination Center Watch and US-CERT, it had yet to implement the remaining steps, complete a strategic plan, or develop specific tasks and milestones for completing the integration. We concluded that until the two centers were fully integrated, DHS was at risk of being unable to efficiently plan for and respond to disruptions to communications infrastructure and the data and applications that travel on this infrastructure, increasing the probability that communications will be unavailable or limited in times of need. As a result, we recommended that the department complete its strategic plan and define tasks and milestones for completing remaining integration steps so that we are better prepared to provide an integrated response to disruptions to the communications infrastructure. DHS concurred with our first recommendation and stated that it would address the second recommendation as part of finalizing its strategic plan.

Completing Corrective Actions Identified During a Cyber Exercise

In September 2008, we reported[16] on a major DHS-coordinated cyber attack exercise called Cyber Storm, which occurred in 2006 and included large-scale simulations of multiple concurrent attacks involving the federal government, states, foreign governments, and private industry. We determined that DHS had identified eight lessons learned from this exercise, such as the need to improve interagency coordination groups and the exercise program. We also concluded that while DHS had demonstrated progress in addressing the lessons learned, more needed to be done. Specifically, while the department completed 42 of the 66 activities identified to address the lessons learned, it identified 16 activities as ongoing and 7 as planned for the future.[17] In addition, DHS provided no timetable for the completion dates of the ongoing activities. We noted that until DHS scheduled and completed its remaining activities, it was at risk of conducting subsequent exercises that repeated the lessons learned during the first exercise. Consequently, we recommended that DHS schedule and complete the identified corrective activities so that its cyber exercises can help both public and private sector participants coordinate their responses to significant cyber incidents. DHS agreed with the recommendation. To date, DHS has continued to make progress in completing some identified activities but has yet to do so for others.

Developing Sector Specific Plans that Fully Address All of the Cyber-Related Criteria

In 2007, we reported and testified[18] on the cybersecurity aspects of CIP plans for 17 critical infrastructure sectors, referred to as sector-specific plans. Lead federal agencies, referred to as sector-specific agencies, are responsible for coordinating critical infrastructure protection efforts with the public and private stakeholders in their respective sectors. DHS guidance requires each of the sector-specific agencies to develop plans to address how the sectors' stakeholders would implement the national plan and how they would improve the security of their assets, systems, networks, and functions.

We determined that none of the plans fully addressed the 30 key cybersecurity-related criteria described in DHS guidance. Further, while several sectors' plans fully addressed many of the criteria, others were less comprehensive. In addition to the variations in the extent to which the plans covered aspects of cybersecurity, there was also variance among the plans in the extent to which certain criteria were addressed. Consequently, we recommended[19] that DHS request that the sector-specific agencies fully address all cyber-related criteria by September 2008 so that stakeholders within the infrastructure sectors will effectively identify, prioritize, and protect the cyber aspects of their CIP efforts. We are currently reviewing the progress made in the sector-specific plans.

We testified in March 2009[20] regarding the need to bolster public/private partnerships associated with cyber CIP. According to panel members, there are not adequate economic and other incentives (i.e., a value proposition) for greater investment and partnering with owners and operators of critical cyber assets and functions. Accordingly, panelists stated that the federal government should provide valued services (such as offering useful threat or analysis and warning information) or incentives (such as grants or tax reductions) to encourage action by and effective partnerships with the private sector. They also suggested that public and private sector entities use means such as cost-benefit analyses to ensure the efficient use of limited cybersecurity-related resources. We are also currently initiating a review of the status of the public/private partnerships in cyber CIP.

Securing Internal Information Systems

Besides weaknesses relating to external cybersecurity responsibilities, DHS had not secured its own information systems. In July 2007, we reported[21] that DHS systems supporting the US-VISIT program[22] were riddled with significant information security control weaknesses that place sensitive information, including personally identifiable information, at increased risk of unauthorized and possibly undetected disclosure and modification, misuse, and destruction, and place program operations at increased risk of disruption. Weaknesses existed in all control areas and computing device types reviewed. For example, DHS had not implemented controls to effectively prevent, limit, and detect access to computer networks, systems, and information. To illustrate, it had not (1) adequately identified and authenticated users in systems supporting US-VISIT, (2) sufficiently limited access to US-VISIT information and information systems, and (3) ensured that controls adequately protected external and internal network boundaries.

In addition, it had not always ensured that responsibilities for systems development and system production had been sufficiently segregated, and had not consistently maintained secure configurations on the application servers and workstations at a key data center and ports of entry. As a result, intruders, as well as government and contractor employees, could potentially bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. These acts could include tampering with data; browsing sensitive information; using computer resources for inappropriate purposes, such as launching attacks on other organizations; and disrupting or disabling computer-supported operations. According to the department, it has started remediation activities to strengthen security over these systems and implement our recommendations.

In January 2009, we briefed congressional staff on security weaknesses associated with the development of systems supporting the Transportation Security Administration's (TSA) Secure Flight program.[23] Specifically, TSA had not taken sufficient steps to ensure that operational safeguards and substantial security measures were fully implemented to minimize the risk that the systems will be vulnerable to abuse and unauthorized access from hackers and other intruders. For example, TSA had not completed testing and evaluating key security controls, performed disaster recovery tests, or corrected high- and moderate-risk vulnerabilities. Accordingly, we recommended that TSA take steps to complete security testing, mitigate known vulnerabilities, and update key security documentation prior to initial operations. TSA subsequently undertook a number of actions to complete these activities. In May 2009, we concluded that TSA had generally met its requirements related to systems information security and satisfied our recommendations.

NIST Has Developed Important Federal Information Security Standards and Guidelines

NIST has taken steps to address its FISMA-mandated responsibilities by developing a suite of required security standards and guidelines as well as other publications that are intended to assist agencies in developing and implementing information security programs and effectively managing risks to agency operations and assets. In addition to developing specific standards and guidelines, NIST developed a set of activities to help agencies manage a risk-based approach for an effective information security program.

These activities are known as the NIST Risk Management Framework. Several special publications support this framework and collectively provide guidance that agencies can apply to their information security programs for selecting the appropriate security controls for information systems, including the minimum controls necessary to protect individuals and the operations and assets of the organization.

NIST has developed and issued the following documents to meet its FISMA-mandated responsibilities:

Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004. This standard addresses NIST's requirement for developing standards for categorizing information and information systems. It requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The security categories are based on the harm or potential impact to an organization should certain events occur that jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.

Special Publication 800-60, revision 1, Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008. This guide is intended to assist federal government agencies in categorizing information and information systems. It is intended to help agencies consistently map security impact levels to types of (1) information (e.g., privacy, medical, proprietary, financial, investigation) and (2) information systems (e.g., mission critical, mission support, administrative). Furthermore, it is intended to facilitate application of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system.

Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006. This is the second of the mandatory security standards and specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements. Specifically, this standard specifies minimum security requirements for federal information and information systems in 17 security-related areas. Federal agencies are required to meet the minimum security requirements through the use of the security controls in accordance with NIST Special Publication 800-53.
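As an added illustration of the FIPS 199 categorization, the SP 800-60 mapping, and the FIPS 200 overall impact level described in the three entries above (example code written for this page, not NIST's or GAO's), the following Python builds a system's security category from the information types it processes: per security objective the system takes the highest impact level among its information types, and the overall impact level is the high-water mark of the three. The sample information types and their impact levels are constructed for the example and are not values from the SP 800-60 tables.

```python
"""FIPS 199 security categorization (added illustration, not NIST's code).

Each information type carries a potential impact level for each of the three
security objectives.  A system's security category is built from the
information types it processes by taking, per objective, the highest level;
the system's overall impact level (FIPS 200) is the high-water mark of the
three.  The sample information types below are constructed, not SP 800-60 values.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable


class Impact(IntEnum):
    """Potential impact values; IntEnum so that max() picks the higher level."""
    NOT_APPLICABLE = 0   # FIPS 199 allows this only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}"""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 permits "not applicable" only for the confidentiality objective.
        if Impact.NOT_APPLICABLE in (self.integrity, self.availability):
            raise ValueError("not applicable is only permitted for confidentiality")

    def high_water_mark(self) -> Impact:
        """FIPS 200 overall impact level: the highest level among the three objectives."""
        return max(self.confidentiality, self.integrity, self.availability)

    def __str__(self) -> str:
        return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (self.confidentiality.name, self.integrity.name, self.availability.name))


def categorize_system(info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """Aggregate the categories of all information types a system processes.

    Per objective the result is the maximum across information types.  A system
    category may not contain "not applicable": FIPS 199 sets a low-water mark of
    LOW for systems, because the system's own processing functions must be
    protected even when the information it holds is public.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    return SecurityCategory(
        confidentiality=max(Impact.LOW, max(t.confidentiality for t in types)),
        integrity=max(t.integrity for t in types),
        availability=max(t.availability for t in types),
    )


# Constructed sample information types (illustrative values, not the SP 800-60 tables).
SAMPLE_INFORMATION_TYPES: Dict[str, SecurityCategory] = {
    "public_web_content": SecurityCategory(Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
    "pii_records":        SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "emergency_dispatch": SecurityCategory(Impact.LOW, Impact.HIGH, Impact.HIGH),
}


def example_public_site() -> SecurityCategory:
    """A system serving only public content: confidentiality floors at LOW."""
    return categorize_system([SAMPLE_INFORMATION_TYPES["public_web_content"]])


def example_benefits_portal() -> SecurityCategory:
    """A portal that serves public content and also stores PII."""
    return categorize_system([SAMPLE_INFORMATION_TYPES["public_web_content"],
                              SAMPLE_INFORMATION_TYPES["pii_records"]])


if __name__ == "__main__":
    for name, fn in (("public site", example_public_site),
                     ("benefits portal", example_benefits_portal)):
        sc = fn()
        print(f"{name}: {sc}; overall impact level {sc.high_water_mark().name}")
```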

Special Publication 800-61, revision 1, Computer Security Incident Handling Guide, March 2008. This publication is intended to assist organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. It provides guidelines for organizing a computer security incident response capability; handling incidents from initial preparation through the post-incident lessons-learned phase; and handling specific types of incidents, such as denial of service, malicious code, unauthorized access, and inappropriate usage.

Special Publication 800-59, Guideline for Identifying an Information System as a National Security System, August 2003. The purpose of this guide is to assist agencies in determining which, if any, of their systems are national security systems as defined by FISMA and are to be governed by applicable requirements for such systems.

Special Publication 800-55, Performance Measurement Guide for Information Security, July 2008. The purpose of this guide is to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs.

Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. It also provides information on the selection of cost-effective security controls that can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information.

Special Publication 800-18, revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006. This guide provides basic information on how to prepare a system security plan and is designed to be adaptable in a variety of organizational structures and used as a reference by those having assigned responsibility for activities related to security planning.

NIST is also in the process of developing, updating, and revising a number of special publications related to information security, including the following:

Special Publication 800-37, revision 1, Guide for Security Authorization of Federal Information Systems, August 2008. This publication is intended to, among other things, support the development of a common security authorization process for federal information systems. According to NIST, the new security authorization process changes the traditional focus from the stovepipe, organization-centric, static-based approaches and provides the capability to more effectively manage information system-related security risks in highly dynamic environments of complex and sophisticated cyber threats, ever-increasing system vulnerabilities, and rapidly changing missions. The process is designed to be tightly integrated into enterprise architectures and ongoing system development life cycle processes, promote the concept of near real-time risk management, and capitalize on current and previous investments in technology, including automated support tools.

Special Publication 800-39, second public draft, Managing Risk from Information Systems: An Organizational Perspective, April 2008. The purpose of this publication is to provide guidelines for managing risk to organizational operations and assets, individuals, other organizations, and the nation resulting from the operation and use of information systems. According to NIST, the risk management concepts described in the publication are intentionally broad-based, with the specific details of assessing risk and employing appropriate risk mitigation strategies provided by supporting NIST security standards and guidelines.

Special Publication 800-53, revision 3, Recommended Security Controls for Federal Information Systems and Organizations, June 2009. This publication has been updated from the previous versions to include a standardized set of management, operational, and technical controls intended to provide a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non-national-security information.

Draft IR-7502, The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities. This publication defines proposed measures for the severity of software security configuration issues and provides equations that can be used to combine the measures into severity scores for each configuration issue.

In addition, NIST has other ongoing and planned activities that are intended to enhance information security programs, processes, and controls. For example, it is supporting the development of a program for credentialing public and private sector organizations to provide security assessment services for federal agencies. To support implementation of the credentialing program and aid security assessments, NIST is participating or will participate in the following initiatives:

Training: development of training courses, NIST publication quick start guides, and frequently asked questions to establish a common understanding of the standards and guidelines supporting the NIST Risk Management Framework.

Product and Services Assurance Assessment: definition of criteria and guidelines for evaluating products and services used in the implementation of controls outlined in NIST SP 800-53.

Support Tools: identification or development of common protocols, programs, reference materials, checklists, and technical guides supporting implementation and assessment of SP 800-53-based security controls in information systems.

Mapping initiative: identification of common relationships and mappings between FISMA standards, guidelines, and requirements and International Organization for Standardization (ISO) standards for information security management, quality management, and laboratory testing and accreditation.

These planned efforts include implementing a program for validating security tools.

Other Collaborative Activities Undertaken by NIST

NIST collaborated with a broad constituency, federal and nonfederal, to develop documents to assist information security professionals. For example, NIST worked with the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems to develop a common process for authorizing federal information systems for operation. This resulted in a major revision to NIST Special Publication 800-37, currently issued as an initial public draft. NIST also collaborated with these organizations on Special Publication 800-53 and Special Publication 800-53A to provide guidelines for selecting and specifying security controls for federal government information systems and to help agencies develop plans and procedures for assessing the effectiveness of these controls. NIST also worked with DHS to incorporate guidance on safeguards and countermeasures for federal industrial control systems in Special Publication 800-53.

NIST is also working with public and private sector entities to establish specific mappings and relationships between the security standards and guidelines developed by NIST and the ISO/International Electrotechnical Commission (IEC) information security management system standard (ISO/IEC 27001). For example, the latest draft of Special Publication 800-53 introduces a three-part strategy for harmonizing the FISMA security standards and guidelines with international security standards, including an updated mapping table for security controls.

NIST also undertook other information security activities, including

--developing Federal Desktop Core Configuration checklists and

--continuing a program of outreach and awareness through organizations such as the Federal Computer Security Program Managers' Forum and the Federal Information Systems Security Educators' Association.

Through NIST's efforts, agencies have access to additional tools and guidance that can be applied to their information security programs.

Opportunities for Improving Information Security Metrics

Despite federal agencies reporting increased compliance in implementing key information security control activities for fiscal year 2008, opportunities exist to improve the metrics used in annual reporting. The information security metrics developed by OMB focus on compliance with information security requirements and the implementation of key control activities. OMB requires federal agencies to report on key information security control activities as part of the FISMA-mandated annual report on federal information security. To facilitate the collection and reporting of information from federal agencies, OMB developed a suite of information security metrics, including the following:

--percentage of employees and contractors receiving security awareness training,

--percentage of employees with significant security responsibilities receiving specialized security training,

--percentage of systems tested and evaluated annually,

--percentage of systems with tested contingency plans,

--percentage of agencies with complete inventories of major systems, and

--percentage of systems certified and accredited.

In May 2009, we testified [25] that federal agencies generally reported increased compliance in implementing most of the key information security control activities for fiscal year 2008, as illustrated in figure 1.

However, reviews at 24 major federal agencies [26] continue to highlight deficiencies in their implementation of information security policies and procedures. For example, in their fiscal year 2008 performance and accountability reports, 20 of 24 major agencies noted that their information system controls over their financial systems and information were either a material weakness or a significant deficiency. [27] In addition, 23 of the 24 agencies did not have adequate controls in place to ensure that only authorized individuals could access or manipulate data on their systems and networks. We also reported that agencies did not consistently (1) identify and authenticate users to prevent unauthorized access; (2) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; (3) establish sufficient boundary protection mechanisms; (4) apply encryption to protect sensitive data on networks and portable devices; and (5) log, audit, and monitor security-relevant events. Furthermore, those agencies also had weaknesses in their agencywide information security programs.

An underlying reason for the apparent dichotomy between increased compliance with security requirements and continued deficiencies in security controls is that the metrics defined by OMB and used for annual information security reporting do not generally measure the effectiveness of the controls and processes that are key to implementing an agencywide security program. A metric such as the percentage of systems certified and accredited records that a process was completed, not whether the controls it covers actually work. Results of our prior and ongoing work indicated, for example, that annual reporting did not always provide information on the quality or effectiveness of the processes agencies use to implement information security controls. Providing information on the effectiveness of controls and processes could further enhance the usefulness of the data for management and oversight of agency information security programs.

In summary, DHS has not fully satisfied key aspects of its cybersecurity responsibilities, including its efforts to protect our nation's cyber critical infrastructure, and it still needs to take further action to address the key areas identified in our recent reports, including enhancing partnerships with the private sector. In addition, although DHS has taken actions to remedy security weaknesses in its Secure Flight program, it still needs to address our remaining recommendations for strengthening controls for systems supporting the US-VISIT program. In taking these actions, DHS can improve its own information security as well as increase its credibility with external parties in providing leadership on cybersecurity. NIST has developed a significant number of standards and guidelines for information security and continues to assist organizations in implementing security controls over their systems and information. While NIST's role is to develop guidance, it remains the responsibility of federal agencies to effectively implement and sustain sufficient security over their systems.

Developing and using metrics that measure how well agencies implement security controls can contribute to increased focus on the effective implementation of federal information security.

Chairman Wu, this concludes my statement. I would be happy to answer questions at the appropriate time.
