Agencies Beef Up IT Security

As criticism of the federal government's security practices and policies mounts, some agencies are making sweeping changes in the way they manage IT assets.

As criticism of the federal governments security practices and policies mounts, some agencies are making sweeping changes in the way they manage IT assets.

The Department of Justice, one of a handful of agencies that received a failing grade on last months report card on IT security delivered by a congressional subcommittee, is at the forefront of the movement.

The DOJ has made a number of changes in recent months, including the establishment of a departmentwide IT security staff that answers directly to the CIO, according to DOJ officials, in Washington. That group, in turn, has set about organizing a security council within the department, they said.

The council comprises the top security officials from each of Justices dozens of component organizations, including the United States Attorneys Office; the Bureau of Alcohol, Tobacco, Firearms and Explosives; and the U.S. Marshals Service. Known as the IT Security Council, this group is now responsible for implementing and overseeing all the security programs in the department. This type of centralization, while normal in large enterprises, is still very new to federal agencies.

It was organized out of necessity at Justice, an organization comprising more than 50 parts. So far, the results have been encouraging, department officials said, even though the results didnt show up on the 2003 congressional report card.

"The department program is producing the security management needed, and I am looking forward to next years report card when we can reflect the improved implementation and validation of security requirements," said Dennis Heretick, deputy director of the IT security staff at the DOJ, in Washington.

"These programs have set the stage for a departmentwide capability to manage implementation of risk control requirements but are not at the point where they produced the bottom-line results needed to improve last years report card," Heretick said.

The security grades are handed out each year by the House Committee on Government Reforms Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and they are based mainly on how well each agency measures up to a set of established criteria. The criteria, among other things, require that each agency inventory all its IT assets and be able to assess the security of each. In large, distributed departments such as Justice, this can be a daunting task.


Steps the DOJ took to improve IT security:
  • Created centralized security staff within office of CIO
  • Built an IT Security Council to manage all security programs
  • Established a departmentwide automated security evaluation and remediation program

As a result, security personnel inside the government have begun developing their own methods and tools to get the job done.

The Environmental Protection Agency staff, for example, has created an automated security evaluation and remediation application capable of testing the security posture of each machine and monitoring the remediation process for any problems found. The security staff at Justice is now using this tool as well.

Beyond the DOJ and EPA, other departments are moving ahead with changes.

The Department of Transportation recently implemented a comprehensive vulnerability assessment and remediation package that performs continuous scans, instead of the traditional monthly or quarterly assessments.

A deputy secretary of the department is kept apprised of every critical vulnerability in the departments network. Both the EPA and the DOT made full letter-grade improvements in the 2003 report card.

"This is a good example of something thats working. This brings vulnerability visibility to the highest levels," said Alan Paller, research director at The SANS Institute, in Bethesda, Md. "Theyre transforming the concept of vulnerability assessment."