GAO Talks FDCC Failures

Usually when the Government Accountability Office releases a <a href="http://gao.gov/products/GAO-10-202">report</a>, there's a bit of finger wagging going on inside the Beltway. But with two new reports highlighting the lack of compliance by major federal agencies to meet the requirements of both the <a href="http://docs.google.com/viewer?a=v&q=cache:DGK-eVhgZWcJ:www.whitehouse.gov/omb/memoranda/fy2008/m08-05.pdf+Trusted+Internet+Connection&hl=en&gl=us&pid=bl&srcid=ADGEESi1jLZL7ngbvJD6AS0LLOkEJM8Y_F1LPxuRw6mV4McfMoVAPGrpfkjWZnjtfZam54tLx23rxax9C7Zh4HxhQsh1f04bEU1fB6nz1I3odlR-sbX0mwtYXWIZygs9dapMwGCThyL6&sig=AHIEtbT5zbBYfwH4DT38Tf1ctUE1OAxPcA">Trusted Internet Connection</a> (TIC) and the <a href="http://nvd.nist.gov/fdcc/index.cfm">Federal Desktop Core Configuration</a> (FDCC) White House initiatives, it's more like finger pointing.

The full scope of what caused all 24 major agencies to receive less-than-ideal marks from GAO is murky. But when a collective failure is in play, it's most often the policy or the policy enforcer that stinks, and that seems to be the culprit here. Just think back to grade school and the creation of the "curve."

"Some of the deadlines that agencies were put under to meet the requirements were not very realistic," said Gregory Wilshusen, director for information security issues at GAO.

Almost all of GAO's recommendations were directed to the Office of Management and Budget to make expectations more reasonable. Six recommendations direct OMB to better define the requirements in a timely manner and provide clear and realistic deadlines for implementation.

The first thing that stuck out to Wilshusen and GAO was OMB's initial deadlines for implementing the configurations, some of which were set before OMB had even determined what the requirements would be.

"Not all the requirements were defined, yet they were supposed to have implemented these," Wilshusen said, letting out a short laugh.

Of course, if there is finger pointing, the finger always extends further than one party. Wilshusen said GAO's investigation found that in many cases the agencies had not fully implemented specific requirements that they had clear directives for. In one example, agencies were supposed to submit a draft implementation plan by May 1, 2007.

"Most of the agencies did not provide complete plans and many did not meet the May date," Wilshusen said. "Most of the plans that were submitted were missing critical elements."

None of the agencies met the specified configurations, in some cases because of technical issues: retrofitting new configurations onto existing systems often creates technical problems. But Wilshusen says it is incumbent upon agencies to acquire systems and applications that are consistent with FDCC.

The other part of this worth mentioning is that these initiatives are fairly basic, ground-level security measures. If we can't get this stuff right, how does the U.S. plan to implement far more complex and broad monitoring initiatives picking up steam in Congress? I posed the question to Wilshusen. Though he didn't exactly give a straight answer, he did suggest that this might be the very issue Howard Schmidt will be addressing in his role as White House cybersecurity coordinator. Wilshusen also reinforced the tenets of continuous monitoring and the pitfalls of compliance by paper.

"I'm always an eternal optimist, but also grounded in reality that these are not easy things," he said.