
    Feds Unite on Security Benchmarks

      By Caron Carlson, December 15, 2003

      A group of high-level IT officials in the federal government has begun collaborating on configuration benchmarks that government agencies could be required to use in future purchases of hardware and software.

      The development of the benchmarks is at once an indication of the growing importance of security in Washington and of the government's intention to use its purchasing power as an agent of change inside the Beltway and in the vendor community.

      “Yes, I believe the government is getting better at this,” said Alan Paller, research director at The SANS Institute, based in Bethesda, Md., who has spoken with many of the federal CIOs involved in this effort. “This doesn't solve the entire problem, but it helps going forward. I believe a great deal of money was thrown away on reports that could've been spent on solving the problem.”

      The move comes at a time of heavy criticism of the government's security efforts, much of it tied to last week's release of an annual report card from the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census on the security of federal agencies' networks.

      The government received an overall grade of D—up from an F last year—for the state of its security, as measured against a set of criteria laid out in FISMA (Federal Information Security Management Act), signed by President Bush last December. Several large agencies, including the Department of Homeland Security, Department of Justice and Department of State, received failing grades. But observers say the test is not an accurate reflection of the agencies' security posture because the self-evaluation the agencies must perform can cost hundreds of thousands of dollars, depending on the size of the network. Many agencies had difficulty finding money in their budgets to complete the evaluation.

      Despite cries of unfairness from some agencies that did not score well, Rep. Adam Putnam, R-Fla., who is the subcommittee's chairman, intends to continue the scoring process in the coming year and is planning to hold an oversight hearing in early March, said Bob Dix, staff director for the subcommittee.

      “People knew what the scoring criteria would be,” Dix said. “It is disappointing to us that a couple of the agencies have gone backward.”

      One of the biggest problems at the agencies is the continued inability to provide complete and reliable inventories of IT assets, which is required under federal law, Dix said. Additionally, it appears that the leadership at some agencies is not as involved in the process as it is at others.

      “At the Department of Labor, the secretary is engaged in this issue. Their performance is evidence of that,” Dix said.

      A part of FISMA is a requirement that each federal agency establish a set of benchmarks for system configurations and comply with those standards. The act does not specify what those standards should be. The evaluation for 2003 did not test agencies on these benchmarks, but next year's will.

      As a result, federal CIOs and other top IT officials have begun working together to develop such common configuration benchmarks. Those standards could eventually make their way to the private sector once they're finalized.

      New elements of FISMA

      • Annual reports to the Office of Management and Budget concerning risk assessments, security policies, security training
      • Requirement for each agency to develop and adhere to system configuration guidelines
      • Annual test of security policies and procedures
      • Plan for continuity of operations
      • Require each agency to inventory major information systems

      “This is good government. You need these benchmarks if you plan to buy software this way,” said Roger Cressey, president of Good Harbor Consulting LLC, in Alexandria, Va., and former chief of staff of the President's Critical Infrastructure Protection Board. “It's not something where you place a call and snap your fingers, and the product is delivered securely. It's the right thing to do.”

      The standards could cover what services should be enabled or disabled by default, as well as more mundane items such as password length. This is not an entirely novel idea, however. Earlier this year, the Department of Energy announced a contract with Oracle Corp. in which the database vendor agreed to deliver its software in a secure configuration, as dictated by guidelines established by the Center for Internet Security. In addition, the National Institute of Standards and Technology has implementation guides and checklists available for various technologies.
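The following is an added illustration, not code from the article or from any of the organizations it names (FISMA, NIST, the Center for Internet Security or the agencies). It shows what measuring an asset inventory against a configuration benchmark of the kind described above looks like in practice: a baseline of services that must be disabled or enabled by default plus a minimum password length, checked against every host, with a compliance rate an agency could report. The inventory format, the benchmark values and the three hosts are constructed sample data, not a real government baseline.

```python
"""Configuration benchmark checker: an added illustration, not code from
eWeek, FISMA, NIST or the Center for Internet Security.

It models the two kinds of benchmark item the article names: services
that must be enabled or disabled by default, and a minimum password
length. The inventory format, the benchmark values and the three hosts
are all constructed sample data, not a real government baseline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Benchmark:
    """The baseline every host is measured against (constructed values)."""
    disallowed_services: frozenset   # must be disabled by default
    required_services: frozenset     # must be enabled by default
    min_password_length: int


@dataclass
class HostConfig:
    """What an inventory scan reports about one host."""
    hostname: str
    enabled_services: frozenset
    min_password_length: int


@dataclass(frozen=True)
class Finding:
    hostname: str
    item: str      # which benchmark item failed
    detail: str    # human-readable explanation for the report


# Constructed inventory export: one host per line, space-separated key=value
# fields. A real agency inventory (the article notes many agencies lack one)
# would come from a scanner or an asset database.
SAMPLE_INVENTORY = """\
host=ws-01 services=ssh,ntp passlen=12
host=ws-02 services=ssh,telnet,ftp,ntp passlen=6
host=db-01 services=ssh,ntp,oracle passlen=8
"""

# Constructed benchmark, not an actual NIST or CIS baseline.
SAMPLE_BENCHMARK = Benchmark(
    disallowed_services=frozenset({"telnet", "ftp", "rsh"}),
    required_services=frozenset({"ntp"}),
    min_password_length=8,
)


def parse_inventory(text):
    """Parse the constructed key=value inventory format into HostConfig records."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        hosts.append(HostConfig(
            hostname=fields["host"],
            enabled_services=frozenset(
                s for s in fields.get("services", "").split(",") if s),
            min_password_length=int(fields.get("passlen", "0")),
        ))
    return hosts


def check_host(host, bench):
    """Return every benchmark item the host fails (empty list means compliant)."""
    findings = []
    for svc in sorted(host.enabled_services & bench.disallowed_services):
        findings.append(Finding(host.hostname, "service-enabled",
                                f"{svc} is enabled but the benchmark requires it disabled"))
    for svc in sorted(bench.required_services - host.enabled_services):
        findings.append(Finding(host.hostname, "service-missing",
                                f"{svc} is required by the benchmark but not enabled"))
    if host.min_password_length < bench.min_password_length:
        findings.append(Finding(host.hostname, "password-length",
                                f"minimum password length {host.min_password_length} "
                                f"is below the benchmark minimum of {bench.min_password_length}"))
    return findings


def check_inventory(hosts, bench):
    """Map each hostname to its list of findings."""
    return {host.hostname: check_host(host, bench) for host in hosts}


def compliance_rate(report):
    """Fraction of hosts with no findings, the kind of figure an annual report would carry."""
    if not report:
        return 0.0
    compliant = sum(1 for findings in report.values() if not findings)
    return compliant / len(report)


if __name__ == "__main__":
    report = check_inventory(parse_inventory(SAMPLE_INVENTORY), SAMPLE_BENCHMARK)
    for hostname, findings in report.items():
        print(f"{hostname}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  [{f.item}] {f.detail}")
    print(f"compliance rate: {compliance_rate(report):.0%}")
```

Run as a script, the checker flags the second host for its enabled telnet and ftp services and its six-character password minimum, passes the other two, and reports a two-thirds compliance rate. The point of the structure is that the benchmark is data separate from the checker, so a procurement baseline can be swapped in without changing the code that measures hosts against it.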

      But security experts and Washington insiders say this is an important step in the government's progression toward better security.

      “They're not there yet, but the fact that they're talking about alternatives like benchmarks is a good thing,” said Ron Sable, vice president of the public sector at Guardent Inc., a managed security services company based in Waltham, Mass. “They're dealing with it, but it is the government. There are enormous challenges.”

      Chief among those challenges is the limited budgets the individual agencies must contend with. But perhaps an even thornier issue is executing a complete inventory of an agency's IT assets, especially in large organizations such as the Department of Defense or the DOJ, which have dozens of remote locations and thousands of personnel working in the field.

      Improving end-to-end security

      Aside from the benchmarks, parts of the government are working on other aspects of security, such as moving quickly to IPv6. Improving end-to-end security is one of the objectives set forth by the DOD in mandating an agencywide transition to IPv6 beginning this year. As of Oct. 1, procurement for all net-centric operations and warfare assets must be IPv6-compatible.

      However, the Pentagon is remaining quiet about the deployment and is not publicizing it as a model for other organizations to follow, much to the chagrin of IPv6 champions.

      “I'm not sure how much [the DOD deployment] will impact the public at large. If they're not going to talk, I don't know if there's a big master plan [in the United States],” Alex Lightman, chairman of the IPv6 Summit, said, adding that the Pentagon opted not to issue a press release, despite keeping a high profile at last week's summit here.

      Although IPv6 is not inherently more secure than IPv4, its specification makes a security framework, IPsec, mandatory in implementations, which promises fewer networking vulnerabilities.

      “There is no advantage from a security protocol perspective of IPv6 over IPv4,” said Jim Bound, chair of the IPv6 Forum Technical Directorate. “The advantage of IPv6 is that the implementation has to have IPSec [IP Security].”

      Caron Carlson
