Possible Patch For Policy On Protecting Government Agency Systems

  /     /     /  
Publicated : 22/11/2024   Category : security


Possible Patch For Policy On Protecting Government Agency Systems


CSIS report due tomorrow will recommend revising a longtime OMB policy with continuous monitoring of government systems and networks



A new national cybersecurity law may not be on the horizon anytime soon, but there could be a simpler and less politically charged way to shore up security, at least among U.S. government agencies. Former Office of Management and Budget (OMB) officials and others are proposing changes to an OMB policy they say would better protect agencies from todays advanced attacks.
The Center for Strategic and International Studies (CSIS) Technology and Public Policy Program tomorrow will issue recommendations for updating 12-year-old OMB requirements to call for continuous monitoring in federal agencies to help thwart todays attacks. The goal is to replace a current compliance checkbox approach and mentality with a method that automates the monitoring and patching of vulnerabilities in government systems as a way to improve security, according to authors of the report, three of whom are former OMB officials.
Government security experts have told us that the current regime of periodic reports and certifications requires them to spend tens of millions of dollars on reports and processes that do little to enhance security. Agencies can better implement continuous monitoring through work led by chief information officers (CIOs) and chief information security officers (CISOs), the
report
says.
This would require revising OMB Circular A-130, called Management of Federal Information Resources. Under the current policy regime, oversight organizations, like the inspectors general and the Government Accountability Office, produce reports on compliance against outdated policies, wasting time and energy and incentivizing exactly the wrong behavior among agencies. There is hard evidence that continuous monitoring, measurement, and mitigation are far more effective in addressing real threats in an environment in which those who seek to do us harm move quickly, the report says.
Federal agencies would still report annually to the OMB and Congress as required by the Federal Information Security Management Act of 2002 (FISMA), however.
This has been cooking for about six months or so. We were [becoming] pessimistic about the prospect of legislation this year, and believe a lot of things can be done without legislation, says former OMB and White House official Frank Reeder, one of the authors of the report and co-founder and director of the Center for Internet Security and the National Board of Information Security Examiners.
All of us are convinced that legislation is absolutely necessary to deal with privately owned infrastructure ... but the executive branch has ample authority to address the government side of the infrastructure picture, he says.
Reeder says he hopes the CSISs recommendations will help encourage a possible executive order for shoring up the cybersecurity of agency networks and systems, but making these changes to FISMA doesnt require an executive order, either. The OMB has ample authority under FISMA to do what needs to be done. An executive order would give any such guidance more moral weight, he says.
And unlike the partisan split over regulating the security of private critical infrastructure, tightening the security of the governments computing infrastructure has been more of a nonpartisan issue, he says.
[Eighty percent of critical infrastructure operators say they have experienced a large-scale attack. See
Cyberattacks On Critical Infrastructure Are Increasing, Study Says
. ]
CSISs new white paper, called Updating U.S. Federal Cybersecurity Policy and Guidance: Spending Scarce Taxpayer Dollars on Security Programs that Work, follows on the themes and recommendations raised by the Commission on Cybersecurity for the 44th Presidency, which was
issued in 2008
. Continuous monitoring and mitigation of threats also speed response to potential risks and attacks, according to the report. The report also says that the Department of Homeland Security (DHS) would be a major resource for providing agencies with security control priorities, risk and vulnerability reports, as well as mitigation strategies.
Reeder says CSIS has been in conversations with OMB and other players mentioned in the report about the possibility of changing the OMB circular to specify continuous monitoring. Our next step is to continue to engage in conversations with DHS, OMB, and others in the administration, and to brief folks on the Hill, he says.
It shouldnt be a major undertaking to make the change, he says. We cant continue to spend money on things that dont work, he says.
The CSIS report also calls for finding a way to bridge the gap between national security and non-national security systems to better protect the nations critical infrastructure. That means finding a way for the government to work with the civilian side in protecting public utilities, banking systems, or other critical infrastructure. The threat to infrastructure is not just about weapons systems, he says.
Tony Sager, a former NSA senior official, weighed in on the CSIS recommendations: The Federal government is spending substantial sums on security measures that are either marginally effective, or unmeasured in their effectiveness. This report recommends ways that government policy can help lead agencies to improve their security as part of the management of risk across the entire Federal enterprise, Sager said in a statement.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Possible Patch For Policy On Protecting Government Agency Systems