Another year of poor IT security scores for government agencies has prompted the House Government Reform Committee to launch the CISO Exchange.
Striving for what it calls a "cross-pollination" of IT security ideas between government and corporate CISOs, the congressional committee is hoping, among other things, that the group will greatly improve the government's Federal Information Security Management Act (FISMA) report card.
"The objective is not to use the report card to beat CISOs with, but rather to calibrate performance, and there are a lot of stakeholders in this," said Steve O'Keefe, one Reform Committee spokesperson. The overall score on IT security for 24 government agencies rose 2.5 points over last year, but equated to only a D+.
"The 2004 FISMA grades indicate that agencies have made significant improvements, but significant challenges remain," said Tom Davis (R-VA), Government Reform Committee chairman.
In an effort to address these challenges, the CISO Exchange was formed, to be comprised of federal agency and corporate CISOs who will share information on anything from education and best practices to operations and standards. The group will assemble quarterly, and should have its first meeting in May at the latest, said O'Keefe.
He added that private sector members will be announced in the next two weeks, and will consist of specific corporate members rather than a series of professional associations. On the government side, Vance Hitch, CIO for the Department of Justice and lead executive on the CIO Council for Security and Privacy, will be asking all CIO Council members to encourage their security officers to attend the quarterly meetings.
"As many people know, the private sector is years ahead of the federal government in terms [of using] IT security technology," said Drew Crockett, another Committee spokesperson.
The Exchange will help share the knowledge that comes from this.
Alan Paller, director of research at The SANS Institute, said the key value of the annual FISMA report card is to learn which security practices are actually working for agencies that improved their grades.
"Three of the organizations did much better and a bunch of others did worse. That begs the question 'Why?'. I think the most effective use of these forums is to find promising practices," said Paller.
He points to the work of CISOs Dennis Heretick at the DoJ, Lisa Schlosser at the DoT – now CIO at Housing and Urban Development – and George Bonina at the EPA, noting that all "radically increased their FISMA scores by... meeting and collaborating all year, and their models are excellent."
The DoT cut the cost of certification and accreditation by 80 percent. This item often sees the biggest outlay, and is typically the greatest challenge for agencies, said Paller. The DoT's grade rose from a D+ to an A- in 2004.
The DoJ focused on what it would take to meet requirements, which allowed it to move from an F in 2003 to a B- in 2004. Among its initiatives, the DoJ codified the tasks needed to meet NIST standards, developed metrics to measure progress, and shared enterprise assets so that each element could do its job more cost-effectively. Automating processes also helped tremendously, added Paller.
Finally, the EPA automated the FISMA reporting process in a cost-effective manner. Improving processes helped the EPA to jump from a C in 2003 to a B in 2004.
But to really improve security, stronger enforcement mechanisms are needed, said Doug Landoll, president of Texas-based consultant Veridyn. This holds doubly true for those agencies whose grades dropped, such as the Department of Commerce which went from a C- to an F, or for those that saw consistently poor performance, such as the Department of Homeland Security or the Department of Health and Human Services (in charge of HIPAA compliance). They took an F from 2003 to 2004.
"How can you be a federal agency and get two Fs in a row?" he said. "You'd think there'd be some improvement. These are federal agencies. Agency heads need to be held accountable for failing for multiple years in a row."
In addition to better enforcement, he said that a greater budget, better education for security professionals, and any needed operational changes in security organizations will go a long way.
While he believes the CISO Exchange may help, standards and best practices are already there for the taking, and FISMA requirements and NIST guidelines are pretty clear.
"Unless you get the budget and time to do this, more information isn't going to solve [the problem]," he explained. "The highest ranking security officer within each agency needs to have the authority and budget to correct the problem. As long as their budget and authority is carved out of IT, this will continue to be a report card that gives the public nightmares."