In an attempt to tighten control of classified information, the Obama administration issued a memo outlining requirements and questions agencies have to address as part of their information security evaluation.
Issued by Jacob Lew, director of the Office of Management and Budget, the memo said federal departments and agencies that handle classified information have to complete their initial security review by Jan. 28. This memo sets the completion deadline for the security assessments the agencies were ordered to undertake in a November memo to review the protocols and processes for safeguarding classified and sensitive information.
The latest memo emphasizes agency safeguards for automated systems, but asked for information about management and oversight, counterintelligence, information assurance measures, education and training, as well as personnel security.
Going through the OMB questions, it is clear the administration is focused on making sure information doesn’t leave federal agencies’ systems and not on the bigger problem of how information is classified. A number of security professionals have said recently that the government should be considering who has access to information and applying appropriate access rights relevant to the job, instead of the current system of classifying broad swathes of data.
“There’s a fine line between trusted insider and malicious insider,” Jack Hembrough, CEO of VaporStream, told eWEEK recently. “Rather than trying to identify who might ‘go bad,’” it would be “more productive” to manage what the person can do, he said.
Agencies should be asking, “Are you trying to get what you are supposed to be accessing?” when defining user privileges, Ken Ammon, chief strategy officer at Xceedium, told eWEEK. Extra privileges should be granted only upon request, but the system needs to revoke the extra privileges immediately after the task is complete, he said.
Data leaks from agencies where security is comparatively poor, such as the Army, are more likely than from agencies with more rigorous security practices, such as the CIA, wrote Steven Aftergood, an analyst for Washington, D.C.-based think tank Federation of American Scientists, on the group’s Secrecy News. The resulting furor from the WikiLeaks disclosures has the administration thinking that “if the Army becomes more like the CIA” in how it handles security, “it should become less vulnerable” to breaches, which is a “predictable” reaction, but “troubling,” Aftergood wrote.
Security Review Seeks to Assess Employee Trustworthiness
According to the memo, agencies have to identify vulnerabilities or weaknesses in automated systems and formulate plans to address those gaps. The memo contained more than 100 questions, asking each agency to provide the OMB with information about how classified networks are configured and upgraded, and the process under which individuals are given access to these classified systems.
There were several questions that asked about how employee “trustworthiness” was measured without “alienating” them. The OMB also wanted information about agencies using psychiatrists and sociologists to determine employees’ job satisfaction. In fact, “relative happiness” would imply trustworthiness, and “despondence and grumpiness” could “gauge waning trustworthiness,” according to the memo.
Interestingly, the memo asked agencies whether employees are required to report contacts with the media or subject themselves to regular polygraph examinations.
“If your agency does not have any of the required programs/processes listed, you should establish them,” the memo said.
In order to “deter, detect, defend against employee unauthorized disclosures,” agencies were asked about efforts to “fuse together” individual employees’ disparate security information, such as personnel security and evaluation, polygraph, IT auditing or user activities, and foreign contact/foreign travel information. The information would provide analysts with “early warning indicators of insider threats,” according to the memo.
Agencies should be combining security information “that lets employees enter the door” with information about their user access rights in a single identity profile, but “the entrenched bureaucracy is slowing down” that effort, said Ammon.
The OMB was unclear on how it expects agencies to monitor employees before or after their employment, but it asked whether their online activities were being monitored. Some of the directives were “out of place,” wrote Aftergood.
Other questions were a bit more reasonable, dealing with the agency’s policy for the use of removable media, such as USB devices, on secured systems. In a “zero-trust” environment, it’s easy to know when a person is trying to do something that is prohibited, instead of trying to sift through all the activities to find the “bad thing,” said Ammon.
The Information Security Oversight Office, the Office of the Director of National Intelligence and OMB will assist the review teams and conduct “periodic on-site reviews of agency compliance” if necessary, according to the memo.