
Pushing Toward Federal Reform in the Information Security Space

By Chris Buse posted Jul 19,2011 10:41 AM


NASCIO Security Community,

Last spring President Obama and CIO Vivek Kundra announced that they were going to actively search for ways to reform the federal government to ease the administrative and regulatory burdens on state and local government.  Leaders from the administration repeated this pledge at the NASCIO Mid Year Conference.

Feeling strongly that IT security regulations are unduly complex, I sent the federal CIO and his representatives a message after the NASCIO meeting, a copy of which can be seen below.  These individuals have responded and would like to hear what essentially boils down to a more specific and detailed understanding of the problem that states now face.

I am posting this message to my colleagues to let all of you see what I proposed.  But more importantly, I would like to hear your thoughts about this request and whether you feel that it is an area that deserves the attention of our professional organization.

********* Start of Message*************

Dear Mr. Glickman and Ms. Wiggins,

 

First off, I would like to thank both of you and Mr. Kundra for taking the time yesterday to discuss federal reform opportunities.   When I first read President Obama's call for reform, I immediately told my colleagues in the Minnesota security community that we needed to seize this opportunity to simplify the current maze of federal information security requirements, which is both difficult to understand and costly to navigate.  What was very inspiring to me yesterday was the fact that you not only seemed to feel our pain, but you genuinely wanted to help.

 


Brief Overview of the Problem

 

Today state governments are besieged by numerous federal agency-specific information security requirements, such as Treasury Circular 1075 and the new CJIS Security Guide, just to name a few.  It is very difficult to keep abreast of the changes to all of these documents.  Furthermore, because there is no common terminology or organizational framework, state security leaders must go through a painstakingly difficult process of trying to figure out the lowest common denominator among all of the various regulatory publications.  States also spend an inordinate amount of time dealing with federal information technology audits, which are also done agency by agency.  To illustrate, we recently had teams on site from both the IRS and SSA.  Because much of the underlying technology on our side was the same, we literally had two different federal audit teams assessing controls over the very same environment in the span of one month.  In their defense, though, each was conducting its engagement in accordance with its own set of rules.

 


Proposed End State

 

I believe that the federal government needs to reconcile and simplify its security requirements into one common document, or set of artifacts, that is shared by all federal agencies.   Clearly, it will not be possible to create a one-size-fits-all standard.  However, it certainly should be possible to publish a series of security baseline standards for information systems that have certain characteristics.  It could be as simple as publishing three standards: high security systems, medium security systems, and systems with minimal security needs.  When this is done, agencies should be prohibited from adopting information security standards unless they are incorporated in the centrally managed repository.   On the audit side, I think that we need to work towards a model like the one that is currently in place for financial audits, articulated in the Single Audit Act.  Under this model, states must undergo one audit that is structured to meet the needs of all federal agencies.

 


Moving towards my proposed end state will be mutually beneficial for both states and the federal government.  But beyond the simple efficiency gains, it also will put all levels of government in a better position to harness the benefits of cloud computing, virtualization, and other underpinning technologies that are geared to support multiple services.  In Minnesota – and for that matter in other states too – the economic situation now makes it cost prohibitive to build entire technology solutions one by one on distinct infrastructure.  Recognizing that the technology path is already taking us to a place where IRS, SSA, and other types of data will be housed in the same virtual place, we clearly need strong leadership from you to put in place a corresponding security architecture that aligns with the new realities of information technology.

 

Finally, if you choose to run with this idea, I certainly would be willing to throw my hat in the ring to help, and I know that I could garner the support of my colleagues in Minnesota and around the country as well.   Projects like this are fraught with red tape, and there will be lots of people with parochial interests who will advocate for business as usual.  But with that said, I hope that the two of you keep up the spirit and continue to focus on what is right, because collectively we CAN do it.

 

Please pass on my thanks to Mr. Kundra as well.

 

---------------------------------------------------------------------------------

Christopher P. Buse

Chief Information Security Officer

State of Minnesota

658 Cedar Street, Suite 300

St. Paul, MN  55155

651-201-1200 (W)

651-334-7146 (M)

Chris.Buse@State.MN.US

---------------------------------------------------------------------------------

 

***********End of Message***********


Comments

Nov 22,2011 02:04 PM

It's difficult to blame the feds for the very things we states are oftentimes guilty of. With the exception of the fines and penalties, it's my understanding that the SSA and FTI security requirements are near identical. But then nearly all security standards are just a subset of the broader NIST security standards.
Several years ago the state of Oregon realized, with the handful of security standards and the ever-increasing burdens associated with each, we could no longer afford to attack security from our independent agencies or silos. So we formed a new committee entitled "FTI Joint Agency Security Committee" chaired by our Enterprise Security Office and have already made pretty good progress, including introducing a statewide baseline FTI training/certification CBT module, and the Internal Inspection sub-committee recently and jointly completed their internal inspection of our state data center.
The participants of this committee range from all FTI-handling agencies, about 6 DOJ assistant Attorneys General, Procurement, Enterprise Security Office; even the IRS is on board acting in an advisory capacity.
The long term goal is to remove the "FTI" portion from the committee name and eventually get the entire state shooting at the same security target. Here's an article that may better illustrate some of our goals.
http://searchsecurity.techtarget.com/news/2240039574/State-IT-security-model-for-IRS-compliance-could-work-at-federal-level
Minimizing redundant efforts throughout the state by forming new inter-agency efforts to attack common goals is simply no longer just an idea for states to entertain. In this economic climate its immediate implementation is mandatory. The committee is hard work, but it's actually been amazing to witness agencies' willingness to cooperate. We have a long row to hoe, but it would be even harder work and far more costly if we just kept addressing these efforts redundantly agency by agency.
-John Stehno
Oregon State Data Center

Jul 20,2011 03:21 PM

Chris,
Some specific examples we have recently faced in Georgia arise from our data center consolidation and outsourcing program called GETS (Georgia Enterprise Technology Services). Our focus was to have each agency develop a FISMA security plan for each of its systems, which would assign each system to a FIPS 199 category, high, moderate or low. This would drive the selection of controls required for each system.
Most of our federal partners didn't want to use FISMA but instead focus on their agency specific standards. While we were discussing Special Publication 800-53 controls and 800-53A audit processes, our federal partners were using their unique playbooks. Even more frustrating were the audit inconsistencies. Two outsourced agencies were audited by the same federal agency. Their systems were operating in the same data center with the same control sets. They received different audit results.
Another example of an issue is IRS 1075 mentioned in your blog. Our Dept. of Revenue (DOR) is the receiving agency for Federal Tax Information (FTI) and Treasury Offset Program (TOP) information, which is defined in IRC Section 6103(I)(10). There is an extra requirement for TOP information. Only employees of the approved agency may have access to TOP information. IRS 1075 Section 5.8 explicitly prohibits disclosure to contractors. We have been told that means no outsourcing of these systems is allowed.
We have other agencies that allow contractors but not non-U.S. citizens. Even others require all work to be performed within the U.S., which precludes the use of many SaaS environments.
We have also been told (verbally) that encryption is not sufficient protection for one agency's moderate impact information passing over a non-physically secure network. The encryption in question is compliant with FIPS 140-2. The federal agency in question delivers the information to Georgia over the Internet with TLS 1.0 providing protection.
We have many more examples of issues, but the solution is more to the point. We would like a consistent audit process based on Special Publication 800-53A and the FISMA framework, and we would like for federal agencies to be willing to accept an audit conducted by an independent auditing firm, similar to the process used for SSAE 16 when a financial outsourcer supports multiple customers in the same environment. A by-product of this is that we could undergo a single audit of all systems annually, while most federal agencies conduct audits every three years.
This should save the federal government money by allowing multiple agencies to share the results of the same audit. They would also receive more frequent updates as to the status of a state's information security. This would save the states by allowing us to undergo one annual audit covering all needs. The savings could be used to address audit findings rather than create more documentation.
Mark Reardon
CISO Georgia