Karen Evans, administrator for e-government and IT at the federal Office of Management and Budget, has remained on the frontlines, battling cybercrime as it turned from hobby to professional pursuit.
She was first on the scene when a recreational hacker defaced the Department of Justice website in 1996, and more than a decade later, led the feds’ effort to protect its assets and instill e-trust in the American citizenry after a string of high-profile data breaches.
Evans, who will deliver a keynote at next month’s SC Magazine World Congress, took some time recently to update us on the current state of IT security in the federal government.
Q. What first got you thinking about cybersecurity?
A. During my tenure at the Department of Justice, I was responsible for providing internet services to all Justice employees. In 1996, the main Justice website was hacked. The lessons learned from that experience still apply today, though, the stakes are much higher now. Information security and risk management is always a priority for all organizations who provide online services. You need to have credibility and trust in the services provided.
Q. One memo you issued, M-07-16, ordered agencies to stop storing unnecessary information and develop a breach notification plan. Has this helped stop the bleeding?
A. We take safeguarding personally identifiable information very seriously. The VA laptop incident highlighted the need to re-emphasize to agencies their responsibilities along with recommendations which were included in the memorandum (M-06-16) issued June 23, 2006. This memorandum included the National Institute of Standards and Technology (NIST) checklist for protection of remote information to heads of departments and agencies.
Q. What other strides has OMB made in either helping agencies prevent data breaches or respond quickly to them should one occur?
A. As part of the work of the Identity Theft Task Force, the memorandum issued, May 22, 2007, agencies were required to develop and implement a breach notification policy. The memorandum also outlined the framework within which agencies must develop breach notification policy while ensuring proper safeguards are in place to safeguard personally identifiable information.
In formulating a breach notification policy, we asked that agencies review their existing requirements with respect to privacy and security. The policy must include existing and new requirements for incident reporting and handling, as well as external breach notification. Finally, the document required agencies to develop policies concerning the responsibilities of individuals authorized to access personally identifiable information. Within the framework agencies could also implement more stringent policies and procedures reflecting the mission of the agency.
The framework identified a number of steps to greatly reduce the risks related to a data breach of personally identifiable information. A few simple and cost-effective steps were noted as possibly delivering the greatest benefit, such as: reducing the volume of collected and retained information to the minimum necessary; limiting access to only those individuals who must have such access; and using encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals.
In addition, there has been great success with SmartBUY a Federal government procurement vehicle designed to promote effective enterprise level software management. By leveraging the government’s immense buying power, SmartBUY can potentially save taxpayers millions of dollars through government-wide aggregate buying of commercial off the shelf (COTS) software products.
Q. How are agencies progressing on another OMB order to implement FDCC configuration to help with patch and configuration management?
A. As of August 2008, as reported by the agencies of the 3.5 million affected desktops and laptops, 1.7 million are Federal Desktop Core Configuration (FDCC) compliant.
Implementation of FDCC provides a baseline level of security which reduces risk from security threats and vulnerabilities. This allows agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity and availability of government information. Through quarterly Plan of Actions and Milestone reporting, we are able to see the progress and track improvements.
We have also partnered with GSA on a new GSA-offered service to the agencies, the Policy Utilization Assessment (PUA). PUA leverages statistical sampling techniques to provide agency CIOs with actionable, objective information on the status of their implementation of FDCC across their bureaus and operating divisions, as well as specific recommendations on where they can improve, and identification of opportunities to take advantage of cross-government best practices.
Q. Is there any progress behind a push for government IT workers to achieve minimum security certification and accreditation requirements? (HSPD12)
A. As we are approaching the October 27, 2008 deadline, agencies are working to complete background checks for all employees and contractors and issue PIV credentials has indicated in their agency-OMB agreed upon implementation plans. Agencies have told us that they anticipate providing HSPD-12 cards for approximately five million federal employees (including U.S. military) and 1.3 million contractors.
With the infrastructure to issue the HSPD-12 credentials, we now want agencies to implement the use of the electronic capabilities of these credentials to the fullest extent possible for access to all applications – regardless of assurance level required.
Q. How urgent is it to apply safeguards to DNS within the federal government?
A. Safeguarding our infrastructure is always high priority! Originally released in February 2003, The National Strategy to Secure Cyberspace, outlines the goals and priorities for protecting the infrastructure that is essential to our economy, security and American way of life. Objectives include improving the security and resilience of key internet protocols, and as specifically identified, to secure the Domain Name System (DNS) from exploitation or attack.
DNSSEC has been an integral part of information assurance strategy since the initiation of the National Strategy to Secure Cyberspace, and M-08-23 was issued as a consequence of agencies having completed the initial consolidation of external network connectivity.
Q. Do you have any security reservations with deployment of software-as-as-service for federal agencies?
A. One always has to take into account security for any expansion or initiative that has potential to impact our agencies. OMB addressed agency questions about software reuse and software as a service in our FY07 Federal Information Security Management Act guidance document. We stated that SaaS contractor services must meet FISMA requirements as well as any applicable policies and laws. National Institute of Standards and Technology (NIST) modified its security guidance to address software-as-a-service requirements, as well.
We need to start taking some of our legacy systems offline and move to a service oriented approach and at the same time reduce costs for equipment and development.
Q. Is there anything else you’d like to add?
A. E-Government is making it possible for our citizens to connect, do business and interact with their government online. So it’s extremely important for us to create a trusted environment which instills confidence. There is sound foundation in place for the next administration to build on and move forward with the next generation of e-government services.