NASA security chief orders bold change to secure networks

Jerry Davis, information security chief at NASA, says "frankly, the old way just wasn't working." Photo: NASA

In what is being described as a breakaway move that security professionals say will better secure porous computer systems, NASA's top security chief ordered his staff on Tuesday to shift their focus from certifying that networks comply with a nearly decade-old law to monitoring systems for holes and reporting threats in real time.

The change is a watershed moment for federal information technology managers, who since 2002 have been required to follow a law that critics say forces IT staff to spend days filling out reports confirming that technology managers have followed certain security procedures. The law did not require specific actions to secure systems, said opponents of the Federal Information Security Management Act.

Jerry Davis, NASA's deputy chief information officer for IT security, issued a memo to information system managers informing them that they no longer need to certify every three years that their networks are compliant with FISMA, as called for by the law. Instead, they should rely on automated continuous monitoring to find holes that hackers could exploit. The new process will remain in effect as long as agencies continue to submit the required annual status reports for their networks and the vulnerabilities detected during monitoring don't pose unacceptable risk.

"This was a long time coming," Davis said.

Davis added that he felt he had the backing of the Obama administration to make the changes based on new security requirements the Office of Management and Budget released on April 21, directing agencies to continuously report on their cybersecurity status. Experts applauded the guidance as a much-needed step in addressing flaws in FISMA.

Davis said testimony presented to the House Government Management, Organization and Procurement Subcommittee, in which federal Chief Information Officer Vivek Kundra emphasized the need for a more risk-based approach to security, also encouraged him to make the changes.

"Security is a service we push down to our customers -- the information system owners -- and frankly, the old way just wasn't working," Davis said. "They were spending a tremendous amount of money on a process that at the end of the day, added little value."

New information systems still must pass certification and accreditation requirements set out in FISMA when they first go online, according to Davis' memo, but the focus will be on a "near real-time understanding of risk posture, and not the production of paperwork."

NASA officials will have the option to continue the certification and accreditation process to recheck information systems' compliance, but "these processes have proven largely ineffective and do not ensure a system's security, or a true understanding of the system's risk posture," Davis wrote in the memo.

Alan Paller, director of research for the SANS Institute and one of the primary advocates calling for agencies to move away from what he calls FISMA's paperwork and check-the-box requirements, estimated that eliminating the three-year recertification exercise will save the space agency about $10 million because officials will no longer spend days writing reports. Instead, their time can be used to deploy automated security tools.

"Jerry Davis read the [OMB] memo and said, '[These processes] are no longer what we're being told we have to do, nor are they the right thing to do,'" Paller said.

He added that Davis' approach complements an initiative at the State Department. More than a year ago, State instituted a widely lauded risk-scoring program that scans every computer and server connected to the department's network at least every 36 hours to identify security vulnerabilities, and twice a month to check software configurations. The program assigns points on a scale of zero to 10, with 10 denoting the systems carrying the riskiest security threats. Points are deducted once those issues are resolved. The new process has reduced the security risk on the department's key unclassified networks by nearly 90 percent at overseas sites and 89 percent at domestic sites. State officials said eliminating FISMA reports will save $133 million.

Most security executives have been reluctant to make similar changes at their agencies because of what Paller described as Stockholm syndrome. "They've been doing it this way for so long, they figure it must be right," he said. "But now NASA has done something that could be catalytic."

Davis said, "My objective is to move NASA forward. But if others want to follow suit, that's great. There's strength in numbers."
