NASA security chief orders bold change to secure networks

Jerry Davis, information security chief at NASA, says "frankly, the old way just wasn't working." (Photo: NASA)

In what is being described as a breakaway move that security professionals say will better secure porous computer systems, NASA's top security chief ordered his staff on Tuesday to shift their focus from certifying that networks comply with a nearly decade-old law to monitoring systems for holes and reporting threats in near real time.

The change is a watershed moment for federal information technology managers, who since 2002 have been required to follow a law that critics say forces IT staffs to spend days filling out reports confirming that technology managers have followed certain security procedures. Opponents of the Federal Information Security Management Act (FISMA) say the law never required specific actions to secure systems.

Jerry Davis, NASA's deputy chief information officer for IT security, issued a memo to information system managers informing them they no longer need to certify every three years that their networks are compliant with FISMA, as the law calls for. Instead, they should rely on automated continuous monitoring to find holes that hackers could exploit. The new process will remain in effect as long as agencies continue to be required to submit annual status reports for their networks and the vulnerabilities detected during monitoring do not pose unacceptable risk.

"This was a long time coming," Davis said.

Davis added that he felt he had the backing of the Obama administration to make the changes based on new security requirements the Office of Management and Budget released on April 21, directing agencies to continuously report on their cybersecurity status. Experts applauded the guidance as a much-needed step in addressing flaws in FISMA.

Davis said testimony presented to the House Government Management, Organization and Procurement Subcommittee, in which federal Chief Information Officer Vivek Kundra emphasized the need for a more risk-based approach to security, also encouraged him to make the changes.

"Security is a service we push down to our customers -- the information system owners -- and frankly, the old way just wasn't working," Davis said. "They were spending a tremendous amount of money on a process that at the end of the day, added little value."

New information systems still must pass certification and accreditation requirements set out in FISMA when they first go online, according to Davis' memo, but the focus will be on a "near real-time understanding of risk posture, and not the production of paperwork."

NASA officials will have the option to continue the certification and accreditation process to recheck information systems compliance, but "these processes have proven largely ineffective and do not ensure a system's security, or a true understanding of the system's risk posture," Davis wrote in the memo.

Alan Paller, director of research for the SANS Institute and one of the primary advocates calling for agencies to move away from what he calls FISMA's paperwork and check-the-box requirements, estimated that eliminating the three-year recertification exercise will save the space agency about $10 million because officials will no longer spend days writing reports. Instead, their time can be used to deploy automated security tools.

"Jerry Davis read the [OMB] memo and said, '[These processes] are no longer what we're being told we have to do, nor are they the right thing to do,'" Paller said.

He added that Davis' approach complements an initiative at the State Department. More than a year ago, State instituted a widely lauded risk-scoring program that scans every computer and server connected to the department's network at least every 36 hours to identify security vulnerabilities, and twice a month to check software configurations. The program assigns each system points on a scale of zero to 10, with 10 marking the systems at highest risk, and deducts the points once the underlying issues are resolved. The process has reduced the security risk on the department's key unclassified networks by nearly 90 percent at overseas sites and 89 percent at domestic sites. State officials said eliminating FISMA reports will save $133 million.
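The risk-scoring loop described above, written out as an added example; this is not State's or NASA's code, and the article gives no implementation details. The 36-hour scan window is taken from the article; the scoring rule (a host's score is the highest severity among its still-open findings, so fixing a finding deducts its points immediately and the scale stays 0 to 10), the "domestic"/"overseas" site split, and all host names, finding IDs and severities are constructed for illustration. It also flags hosts that missed their scan window, since a host nobody has scanned is unmeasured risk rather than zero risk.

```python
"""Toy continuous-monitoring risk scorer (added example, not State Department or NASA code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# From the article: every connected host is scanned at least every 36 hours.
SCAN_SLA = timedelta(hours=36)


@dataclass(frozen=True)
class Finding:
    host: str
    site: str        # "domestic" or "overseas" (constructed grouping)
    finding_id: str  # constructed label, not a real vulnerability identifier
    severity: float  # 0.0-10.0, e.g. a CVSS-style base score (assumed scale)
    resolved: bool


@dataclass(frozen=True)
class ScanRecord:
    host: str
    last_scanned: datetime


def host_scores(findings):
    """Return {host: score}. Assumed rule: score = highest severity among OPEN
    findings. A resolved finding contributes nothing, so remediation is
    reflected on the next scan rather than at the next three-year C&A."""
    scores = {}
    for f in findings:
        scores.setdefault(f.host, 0.0)          # hosts with only resolved findings score 0
        if not f.resolved:
            scores[f.host] = max(scores[f.host], f.severity)
    return scores


def site_risk(findings):
    """Sum of host scores per site: the trend line a dashboard would plot."""
    site_of = {f.host: f.site for f in findings}
    totals = {}
    for host, score in host_scores(findings).items():
        totals[site_of[host]] = totals.get(site_of[host], 0.0) + score
    return totals


def _pct_reduction(before, after):
    return 0.0 if before == 0 else round(100.0 * (before - after) / before, 1)


def reduction_by_site(before, after):
    """Percent risk reduction per site between two scan snapshots."""
    b, a = site_risk(before), site_risk(after)
    return {site: _pct_reduction(b[site], a.get(site, 0.0)) for site in b}


def stale_hosts(scans, now):
    """Hosts that missed the 36-hour window; report these as findings in their own right."""
    return sorted(s.host for s in scans if now - s.last_scanned > SCAN_SLA)


# Constructed sample data: snapshot before remediation, then after.
BEFORE = [
    Finding("web-01", "domestic", "F-1001", 9.8, False),
    Finding("web-01", "domestic", "F-1002", 5.3, False),
    Finding("db-01", "domestic", "F-1003", 7.5, False),
    Finding("post-a-01", "overseas", "F-1004", 8.8, False),
    Finding("post-a-02", "overseas", "F-1005", 4.3, False),
]
AFTER = [
    Finding("web-01", "domestic", "F-1001", 9.8, True),    # critical patched
    Finding("web-01", "domestic", "F-1002", 5.3, False),   # medium still open
    Finding("db-01", "domestic", "F-1003", 7.5, True),
    Finding("post-a-01", "overseas", "F-1004", 8.8, True),
    Finding("post-a-02", "overseas", "F-1005", 4.3, False),
]
NOW = datetime(2010, 5, 20, 12, 0, tzinfo=timezone.utc)
SCANS = [
    ScanRecord("web-01", NOW - timedelta(hours=10)),
    ScanRecord("db-01", NOW - timedelta(hours=40)),        # missed the window
    ScanRecord("post-a-01", NOW - timedelta(hours=2)),
    ScanRecord("post-a-02", NOW - timedelta(hours=30)),
]

if __name__ == "__main__":
    print("host scores after:", host_scores(AFTER))
    print("site risk before/after:", site_risk(BEFORE), site_risk(AFTER))
    print("reduction by site (%):", reduction_by_site(BEFORE, AFTER))
    print("hosts past 36h scan window:", stale_hosts(SCANS, NOW))
```

The point of the max-severity rule is that the score cannot be gamed by closing many low-severity tickets while a critical one stays open; only fixing the worst finding on a host moves that host's number.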

Most security executives have been reluctant to make similar changes at their agencies because of what Paller described as Stockholm syndrome. "They've been doing it this way for so long, they figure it must be right," he said. "But now NASA has done something that could be catalytic."

Davis said, "My objective is to move NASA forward. But if others want to follow suit, that's great. There's strength in numbers."
