Cyber Reports Prod Senate Action

The federal government is not fully following information security initiatives, according to two separate reports published by the Government Accountability Office on Monday. Senators who requested the audits called for the creation of a permanent cyber czar in response to findings that agencies are not implementing a critical Homeland Security Department cybersecurity system, not reducing connections to external networks and not properly configuring security settings on workstations.

"Unfortunately, these key initiatives, which have been underway for years, have faced challenges, particularly the lack of communication and follow through from the Office of Management and Budget and the Department of Homeland Security," said Joseph I. Lieberman, I-Conn., chairman of the Senate Homeland Security and Governmental Affairs Committee, in a statement. "OMB and DHS have agreed with the GAO's findings, and are already acting to address the concerns raised in these reports. The committee is also currently drafting legislation to address many of the lessons learned in implementing these key cyber security initiatives. "

The committee's ranking member Susan Collins, R-Maine, added, "In an era where millions of attempted cyber attacks on government computers occur every month, the GAO's findings are most disturbing. . . We must elevate the focus on cybersecurity within the federal government and across our nation's critical cyber infrastructure."

Committee member Thomas R. Carper, D-Del., has introduced a bill that would create a White House-level cyberspace office and require the office's director to deploy a national cyberspace strategy. The bill, (S. 921), the 2009 U.S. Information and Communications Enhancement Act, also would make agency heads responsible for ensuring appropriate information security controls. And the legislation calls for installing a system that automatically and continuously reports on compliance with security policies.

"I have been actively working with my colleagues for the past several years to update the decade-old Federal Information Security Management Act and these reports are yet another warning shot across our bow," Carper said in a statement on Monday. "I look forward to getting the reforms outlined in our bill -- on the president's desk by the end of the year."

Rep. Diane Watson, D-Calif., introduced similar legislation in the House last month. The 2010 Federal Information Security Amendments Act, (H.R. 4900), would update FISMA, partly by establishing a national office of cyberspace within the White House. The office's director would be a permanent, presidentially appointed position subject to Senate confirmation. The current highest-ranking cyber official, White House Cybersecurity Coordinator Howard Schmidt, fills a post created by the president. His appointment was not subject to Senate approval and can be eliminated by any future administration.

Lieberman officials on Monday said that the committee plans to insert Carper's proposals into a larger cybersecurity package sponsored by the chairman.

One system that GAO evaluated, dubbed Einstein, is maintained by DHS and monitors traffic on federal networks for possible security incidents. As of September, fewer than half of the major 23 agencies audited had established agreements with DHS to have their network activity tracked. Only six agencies had deployed the most up-to-date version of Einstein.

The GAO reports also examined an initiative called trusted Internet connections (TIC), which was developed to bolster the security of the government's external networks by using as few access points as possible. Agencies are required to establish an ideal number of access points, deactivate the targeted connections and strengthen controls over the remaining connection points. As of September, none of the major agencies had met all such requirements, according to auditors.

"They have been challenged in implementing TIC because OMB did not promptly communicate the number of access points for which they had been approved and DHS did not always respond to agency queries on security capabilities in a timely manner," one report stated.

OMB agreed with GAO's findings and DHS provided technical comments, which auditors incorporated into the final report.

A separate GAO report found that agencies have not properly configured their computers to provide a uniform level of security All agency workstations are supposed to adhere to standard security settings, called the Federal Desktop Core Configuration Requirements (FDCC).

"None of the agencies has fully implemented all configuration settings on their applicable workstations. ...Though several implemented agency-defined subsets of the settings," according to the report.

In addition, many agencies failed to include language on FDCC in procurement contracts to ensure future systems are properly configured. The challenges preventing agencies from complying with the new security protocols include the need to retrofit existing systems and assess the risk of using configurations that differ from the FDCC.

GAO recommended that OMB issue policies on monitoring compliance with the FDCC and determining the risk of deviating from FDCC settings. In addition, GAO advised agencies to fully implement the required settings. The agencies generally concurred with GAO's recommendations, according to the final report.