An Explanation of OMB's Security Mandate

The following post was written by Tim Clark, editor and president of Government Executive.

A bit of skepticism has been flying around about the government’s effort to achieve significant advances in cybersecurity by standardizing agencies’ use of the Microsoft Windows operating system. Or so our own reporting would suggest.

But yesterday, an all-star panel of those who have worked on the effort made a case, persuasive to my ear, that the simple, one-page memo issued March 22 by the Office of Management and Budget has the potential to block most of the intrusion attempts that plague federal networks.

The panel spoke during a breakfast session sponsored by Government Executive and the SANS Institute, the country’s leading educator on cybersecurity and manager of the Internet Storm Center, providing the nation with early warning against broad-based cyberattacks. The panelists included Karen Evans, OMB administrator for electronic government and information technology; Kenneth M. Heitkamp, assistant Air Force chief information officer for life-cycle management; Tony W. Sager, chief of the vulnerability analysis and operations group at the National Security Agency; Lisa Schlosser, CIO at the Housing and Urban Development Department; and Alan Paller, director of research at the SANS Institute.

Just what is the real achievement here? Well, Alan and I worked together to frame the two-hour session. My introduction was apparently lucid because an NSA staffer came up to me after the session and said they’d like to use the introduction in their own materials describing the new security initiative.

I started by saying that our session would address one of the top problems confronting government technology: the vulnerability of its computer networks to penetration by criminals, foreign agents, terrorists and other bad actors. We were gathered, I added, to learn about a big development that will go a long way toward mitigating the government’s security problem. And I said that the OMB mandate would also materially assist with cybersecurity in the private sector.

More from the opening spiel: OMB is mandating that when agencies deploy systems using Windows, they do so with security settings that make the system harder to crack than systems using the security settings that are standard on most Windows computers. Windows systems cover nearly all the desktops and most of the servers in government and contractor sites.

NSA has analyzed how many of the common attack vectors are blocked by these secure settings and found the answer to be more than 85 percent. Such a change is an obvious benefit to security, but that’s actually not why the initiative is so important.

Two principal security problems confront government today:

1. Security vulnerabilities are endemic in the systems and applications agencies deploy on their networks.

2. The all-too-human vulnerability of users, who are fooled into letting cybercriminals and spies into their networks.

The OMB mandate won’t make federal employees smarter or more careful, but it will radically reduce the vulnerabilities in federal systems. It reduces vulnerabilities because it solves the central dilemma facing security managers every month. When Microsoft releases patches, every organization has to decide whether to install them right away or wait for extensive testing. It’s a Hobson’s choice.

If they install immediately they face a significant threat that they will cause applications to break. If they do not install immediately they face a significant threat of their systems being exploited. Most agencies take the “wait and test” approach.

The same dilemma arises when trying to implement secure configurations. When agencies implement secure configurations, some applications break.

If agencies could keep applications from breaking, they would solve the problem. But they cannot because they don’t control the applications. And applications break because every application vendor changes the Windows security settings or simply use the unsecured version. Vendors rightfully objected to building applications to fit secure configurations when there was no agreement on what those configurations would be.

The big breakthrough in the OMB mandate is that federal users have agreed on a set of secure settings and now can insist in procurements that systems be configured that way. This will shift responsibility for making applications work safely on those secure configurations to the vendors. Only the vendors can fix this problem. Each time a vendor solves the problem for one federal agency, it solves it for all agencies and for every other organization that buys that application and uses the secure configuration.

In other words, here the federal government is leading by example and making security less expensive and more effective for everyone.

It took four important initiatives to bring these benefits to all of government and industry.

• First, to reach broad agreement on what constitutes a secure configuration. This was done by NSA working with a non-profit group, the Center for Internet Security.

• Second, to persuade the operating system vendors and computer suppliers to build systems with the secure configurations baked in and to maintain those systems and test patches on those systems. Here, the Air Force took the lead.

• Third, to demonstrate that the secure configuration can be deployed to hundreds of thousands of people, without any disruption in their work. Here again, the Air Force made it happen.

• Fourth, to extend the program to all of government so application vendors will build well-behaved applications (with security baked in, once again) that work well on the secure configurations. This is where OMB stepped up to the plate with its one-page mandate directed at every federal agency. Evans said at our session that OMB has set a June 30 deadline for agencies to bring procurements in line with the new security settings.

We actually gave awards to people who were key to these developments. You can find out more by watching a webcast of the session on govexec.com. It will be edited and ready to view early next week.