A consortium of federal agencies and private organizations released a set of guidelines on Monday aimed at protecting data and information systems from cyberattacks. The list of security controls eventually will be compared to global audit guidelines to determine whether they should be incorporated into assessments of information security.
Security experts have criticized federal cybersecurity efforts, saying agencies tend to respond to attacks after they occur rather than taking a proactive approach to eliminating network vulnerabilities. The new audit guidelines, which were developed as part of a larger initiative at the Center for Strategic and International Studies to advance key recommendations of a report by the Commission on Cybersecurity for the 44th Presidency, address that criticism by defining the 20 most critical security controls needed to protect federal and contractor information and systems.
"After the report was released, we realized that if we didn't keep moving, the recommendations would turn to shelfware," said Jim Lewis, senior fellow at CSIS and program manager of the commission. "Phase 2 became about implementation -- starting with the recommendation to move away from paper-based reviews and focus on what actually works by developing standards and best practices to improve security."
The guidelines are aimed at protecting against known attacks on federal agencies, financial institutions and retailers that have involved penetrating networks and stealing or changing data and applications. Often these attacks result in intruders gaining long-term access to the compromised systems without detection.
The list of controls includes 15 that can be implemented with automated software tools, such as inventories of authorized and unauthorized hardware and software on networks and secure configurations for hardware and software on laptops, workstations and servers.
Another five controls require manual measurement and validation. These include secure network engineering, incident response and data recovery capabilities, security skills assessments and training, and "red team" exercises that test organizations' defenses and response capabilities.
The experts identified specific attacks that each control is designed to protect against, provided best practices in automating controls when possible and defined tests to determine whether agencies have effectively implemented the controls.
The project was led by John Gilligan, president of the consulting firm Gilligan Group and former CIO at both the Air Force and the Energy Department. The guidelines were developed with input from the National Security Agency, the Defense, Homeland Security, Energy, Transportation and Health and Human Services departments, and the Government Accountability Office.
The public review period for the guidelines runs until March 23, after which several agencies will conduct pilot tests of them. A security committee of the federal CIO Council and a team from the Federal Audit Executive Council will review the guidelines to determine how they can be used across government.
"I do not know of anything going on in security that will have the impact this [list] can have," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research group based in Bethesda, Md. "It's a complete revolution in federal cybersecurity and business security as well. If the nation and the rest of the developed world cannot make these guidelines work, we will continue to fall further behind the attackers at an accelerating rate."