In what is being described as a break away movement that security professionals say will better secure porous computer systems, NASA's top security chief ordered his staff on Tuesday to shift their focus from certifying that networks are compliant with a nearly decade-old law to monitoring systems for holes and real-time reporting of threats.
The change is a watershed moment for federal information technology managers, who since 2002 have been required to follow a law that critics say forces IT staffs to spend days filling out reports that confirm technology managers have followed certain security procedures. The law did not require specific actions to secure systems, said opponents of the Federal Information Security Management Act.
Jerry Davis, NASA's deputy chief information officer for IT security, issued a memo to information system managers informing them they no longer need to certify every three years that their networks are compliant with FISMA, as called for by the law. Instead, they should rely on automated continuous monitoring to find holes that hackers could exploit. The process will remain in effect as long as agencies are required to submit annual status reports for networks and vulnerabilities detected during the monitoring don't pose unacceptable risk.
"This was a long time coming," Davis said.
Davis added that he felt he had the backing of the Obama administration to make the changes based on new security requirements the Office of Management and Budget released on April 21, directing agencies to continuously report on their cybersecurity status. Experts applauded the guidance as a much-needed step in addressing flaws in FISMA.
Davis said testimony presented to the House Government Management, Organization and Procurement Subcommittee, in which federal Chief information Officer Vivek Kundra emphasized the need for a more risk-based approach to security, also encouraged him to make the changes.
"Security is a service we push down to our customers -- the information system owners -- and frankly, the old way just wasn't working," Davis said. "They were spending a tremendous amount of money on a process that at the end of the day, added little value."
New information systems still must pass certification and accreditation requirements set out in FISMA when they first go online, according to Davis' memo, but the focus will be on a "near real-time understanding of risk posture, and not the production of paperwork."
NASA officials will have the option to continue the certification and accreditation process to recheck information systems compliance, but "these processes have proven largely ineffective and do not ensure a system's security, or a true understanding of the system's risk posture," Davis wrote in the memo.
Alan Paller, director of research for the SANS Institute and one of the primary advocates calling for agencies to move away from what he calls FISMA's paperwork and check-the-box requirements, estimated that eliminating the three-year recertification exercise will save the space agency about $10 million because officials will no longer spend days writing reports. Instead, their time can be used to deploy automated security tools.
"Jerry Davis read the [OMB] memo and said, '[These processes] are no longer what we're being told we have to do, nor are they the right thing to do,'" Paller said.
He added that Davis' approach complements an initiative at the State Department. More than a year ago, State instituted a widely lauded risk-scoring program that scans every computer and server connected to the department's network no less than every 36 hours to identify security vulnerabilities and twice a month to check software configurations. The program assigns points on a scale of zero to 10, with 10 noting systems that have the riskiest security threats. Points are deducted once those issues are resolved. The new process has reduced the security risk on the department's key unclassified networks by nearly 90 percent at overseas sites and 89 percent at domestic sites. State officials said eliminating FISMA reports will save $133 million.
Most security executives have been reluctant to make similar changes at their agencies because of what Paller described as Stockholm syndrome. "They've been doing it this way for so long, they figure it must be right," he said. "But now NASA has done something that could be catalytic."
Davis said, "My objective is to move NASA forward. But if others want to follow suit, that's great. There's strength in numbers."