Securing Federal Computers ‘Brutally’ Difficult

Are federal computers more secure today than they were in 2002 when the Congress passed the Federal Information Security Management Act (FISMA)? That depends. Some agencies are in various stages of compliance, while others are not as far along.

“The task is brutally difficult, at best,” said Yvonne Donaldson, a spokeswoman at BindView, a federal IT contractor based in Houston. “Agencies have large, complex and frequently segmented networks that complicate the rapid collection, analysis, and reporting of the required data.”

FISMA was passed in conjunction with other homeland security laws in the wake of the terrorist attacks of Sept. 11, 2001. The law has a number of security objectives, including data confidentiality, data integrity, and data availability, for government computer networks.

“The requirements are increasingly more challenging to meet,” said Donaldson, as the rules seek to protect federal data from being modified, or destroyed, without authorization. That means that in-house rules, as well as processes, and then the IT to implement them, must be installed.

Process Problems

The White House Office of Management and Budget (OMB) recently issued a report indicating that more federal agencies — from NASA to the Department of Health and Human Services — are more worried about certification issues than they are about the problems that complying with the new rules may cause for the flow of data, and work processes.

The issue of compliance with FISMA — or non-compliance, as the case may be — is generating attention in Congress, as well as the executive branch. Recently, the House Government Reform Oversight Committee held a hearing on the effectiveness of the law.

A number of software and hardware contractors are working on the issue. The Environmental Protection Agency (EPA) is using a solution from BindView that repels and blocks viruses, before their networks are exploited.

Another firm, NetSec, based in the Washington D.C. area, has created a managed service offering for federal government agencies to track and report network problems. “NetSec is striving to serve as an ‘honest broker’ in ensuring that FISMA guidance and oversight go beyond paperwork exercises to truly foster everyone’s bottom-line objective — reducing the risk to the government’s information assets,” said a spokesman for NetSec, Evan Wiesel.

The security software vendor elQnetworks, Inc., based in Acton, Mass., is working with Global Data Systems, Inc., to provide automated compliance reports for federal clients that are implementing FISMA. The security event monitoring, and forensics analysis, are delivered through a portal online.

Companies like California-based Beachhead Solutions are working on areas like “electronic data disposal” under FISMA, Scott Hildula, a spokesman, said.

Knowing What To Do

Often, federal agencies themselves still don’t know what is required under the act. That has created opportunities for vendors. Major security providers like Symantec are “routinely working with and counseling government agencies on the act and how to achieve compliance, particularly in light of the failing or below average security report grades across federal agencies,” said David Forstrom, a spokesman for the developer.

The agencies are working on diverse operating systems including Unix, Windows, and NetWare.

One concern, no matter what the operating system being employed, is “protecting against leakage via the outbound e-mail channel,” said Andy Murphy, a spokesman for Proofpoint, an IT security firm.

Some vendors have recommendations that go far beyond securing the e-mail channels, however.

“To ensure successful remediation of security weaknesses, every agency must maintain a central process through the CIO’s office to monitor agency remediation efforts,” said Chris Farrow, director of Configuresoft’s Center for Policy and Compliance.

So far, this is proving to be a challenge. For 2003, the most recent year for which complete data is available, there were some 1.4 million cybersecurity incidents involving the federal government.

Overlapping Laws

The glut of federal laws, passed after the terrorist attacks, may be partly responsible for the slow compliance with FISMA mandates, experts said. FISMA also overlaps with requirements that some agencies have adopted in-house, like the Department of Justice. DOJ has in-house experts who have developed their own rules, for example, for IT protection.

“Given the emphasis both public and private sector concerns are placing on compliance with the regulations contained in the other federal acts, including HIPAA and Sarbanes-Oxley, it can be hard to understand why FISMA compliance isn’t coming easier for many companies,” said Andrew Tull, executive vice president of BioPassword, an IT developer. “I’ve come to believe that the other Acts are the problem. Over the last five years, Congress has put in place so many stringent requirements for protecting business and customer data that companies are struggling to keep up.”

Another factor has been that in addition to the new rules, the government is still fighting a major war. “DoD [Department of Defense] agencies have had other priorities,” said Donaldson. “Including fighting wars.”