Government agencies have been busy in the four years since the Federal Information Security Management Act of 2002 (FISMA) became a federal law (enacted in 2002 as Title III of the E-Government Act of 2002). Assessments are up, patching is more automated, policies and procedures are in place and awareness is on the rise, says Laura Taylor, FISMA consultant, teacher and author of the FISMA Certification and Accreditation Handbook (Syngress).

“With FISMA, federal agencies are not seeing security as optional, which they used to. And they’re forced to learn about the security picture in their organizations,” she says. “From there, you start to make that security picture better.”

Agencies are not only looking closer at their own security postures, they’re also exposed to new guidelines, best practices and resources for every step, through the National Institute of Standards and Technology (NIST).

“When you go about deploying these security and risk management controls, you cross technical, operational, management and even private sector systems. The entire critical infrastructure is involved,” says Ron Ross, project leader for NIST’s FISMA Implementation Project. “Any type of guideline we develop has to be incredibly flexible to meet all those demands.”

Even as the ink dries on NIST’s guidelines for assessment, management frameworks, security controls and mapping/ categorization of information systems to security, NIST has already begun Phase II — a Common Criteria-like certification program for assessment and credentialing vendors. This is to be followed by certification for all security vendors, all of which will occur in phases through 2009.

Despite their progress, government agencies still have a lot of work ahead of them to improve awareness and risk posturing, say Taylor, Ross and others, who cite the following hot button areas to which government agencies must apply their energies over the next two years:

Continuous monitoring: Once you’ve deployed controls and countermeasures, the environment will constantly change  with updates, patches and new programs. Monitoring is the only way to make sure security measures in place yesterday are still in place and unchanged today, says Ross.

“Our environment changes every several months,” says Tom Jarrett, CIO and secretary, department of technology and information for the state of Delaware. “So we’re in the process of building a network operations structure to monitor around the clock. It’s difficult, though, because today’s tools are still inefficient.”

Portable devices: Controlling portable storage devices (flash drives, iPods, etc.) that almost every employee/contractor owns is one chore that keeps Pat Howard, the CISO of the Department
of Housing and Urban Development (HUD), up at night. These can leak data out of an organization, as well as let malicious files in. As tempting as it sounds, one can’t just pour glue into the computer’s USB port, as some suggest.

“There are acceptable use cases of using flash drives to download data — such as continuity and disaster recovery operations — that preclude shutting down USB ports,” Howard explains. “Government agencies are attacking this issue with a combination of policies, procedural controls and technology, including flash drive encryption and data protection tools.”

More awareness: While most employees know better than to go to porn sites or click links in unsolicited emails, they’re falling victim to social engineering attacks, says Marshall Heilman, senior consultant to Mandiant, an incident response and security consulting firm.

“In the last 50 incidents we responded to, 75 percent of them were caused by socially engineered, email-based attacks,” says Heilman. “Phishers will take attendee lists from a federal conference and send them emails about the conference. When the user clicks the link, they’re directed to a downloader, which goes out and gets malicious software.”

Peer-to-peer social networks and gaming are also areas that will need to be included in security awareness education, says Howard Schmidt, former White House security adviser. These issues are something being taught all the way down to the school level, too, says Jarrett, who has been piloting privacy education in elementary and high schools in Delaware.

Information sharing:
Information sharing is being carried out on many levels. On the inter-governmental level, HUD’s Howard points to the United States Computer Emergency Readiness Team (US-CERT) and inter-agency, cross-departmental improvements.

Other areas:
Other pain points the government should get under control include disaster recovery planning, web application security, PKI, multifactor authentication and wireless, say experts.
Look, too, for new mandates from the Office of Management and Budget (OMB), adds Ted Rutsch, federal territory manager for SSH Communications Security, a leading provider of enterprise security solutions and end-to-end communications security.

For example, by September 2008, TELNET (TELecommunication NETwork) and FTP (File Transfer Protocol) must be replaced by something more secure. And by February 2008, users can no longer have administrator privileges on their local machines, says John Moyer, CEO, BeyondTrust, a developer of enterprise security products.

In the end
Even without something like FISMA, improvements will continuously be added as new uses for technology open new attack surfaces, say experts. But FISMA brings structure to what would otherwise be a chaotic, voluntary process.

What many would like to lose is the FISMA scorecard, which experts say is not an accurate representation of the true security posture of an organization. Many have seen organizations get an A when they believe they should have received an F, and vice versa. Taylor and Howard blame this on the lack of a standardized evaluation, as well as censorship among auditors.

“Weaknesses identified in certification and accreditation activities remain to be mitigated and corrected,” says Howard. “Additionally, FISMA reporting emphasizes the existence of processes and does not focus on the quality of those processes.”

 -Deb Radcliff is a freelance writer and VP of publishing for The Security Consortium, www.thesecurityconsortium.net.