DHS receives top FISMA score for the second year in a row

Published 26 June 2014

DHS has received the top score in the annual Federal Information Security Management Act (FISMA) evaluation, making it the only agency to achieve a score of ninety-nine two years in a row. The act, passed in 2002, requires the Office of Management and Budget to report on federal agencies’ implementation of prescribed processes designed to secure federal IT infrastructures. Analysts credit the achievement to the DHS Office of Inspector General’s (OIG) push for continuous monitoring of IT systems and standards. The OIG uses commercial vulnerability scanning tools and open source management software to form a system that routinely scans the agency’s networks for compliance with FISMA metrics.

“Our process was one of making security a part of the operational unit,” and not just an IT function, said Jaime Vargas, the OIG’s chief information security officer. Being aware of system vulnerabilities on a consistent basis means appropriate personnel can be held accountable for results. “We can ask very pointed questions. We are telling them not only that something is broken, but what is broken.”

Vargas points out that high marks for FISMA compliance do not always translate into a secure network, but the new scanning system is helping his office shift from a process-driven to a result-driven program that provides greater visibility into the agency’s systems. “I think we are moving in the right direction.”

GCN reports that the OIG performs department-wide evaluations on FISMA compliance, but each operational unit of DHS, including the OIG, manages its own IT systems and is responsible for its own security. That adds pressure on the OIG, Vargas said. “One of the challenges the IG has is that we don’t set our own policies, we follow the policies of the department at large,” he said. “At the same time, we are expected to set an example in order to be credible.”

To maintain top security measures in a time of budget austerity, the OIG relies on products already available to the office, such as the Nessus vulnerability scanner from Tenable Network Security and Microsoft’s Active Directory tools, in conjunction with open source tools. Active Directory is synchronized with the office’s accounting system to track IT assets that have been bought. With a baseline inventory, compliance policies were developed for each IT device. Open source tools were also developed to customize the scanning process. There was some resistance to using open source tools, but they are cheap and available. “Nothing is perfect,” Vargas said. “But when you get some code and some smart people working on it, they can actually leverage it and get something that works.”

With its current system, the OIG is able to scan 90 percent of its IT infrastructure every week. As to whether compliance equals security, Vargas believes that compliance improves transparency, which in turn improves security. “Whether the metrics address security is outside my purview,” he said. “That is decided by the administration and department policy. But this allows us to know what should be on the network, what should not be on the network, what is normal and what is not.”
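The monitoring loop the two preceding paragraphs describe (a purchase ledger synchronized with the directory to form a baseline, per-device compliance policies, and weekly scans checked against that baseline) can be reduced to a reconciliation step. The script below is an added illustration written for this article; it is not code from DHS, the OIG, Tenable, or Microsoft. All inputs are constructed sample data, and the record layouts for the accounting export, the Active Directory computer list, and the scan results are assumptions rather than any real product's format. It answers the questions Vargas poses: what is on the network that should not be, what should be there but was not scanned, what fraction of the baseline the week's scan covered, and which scanned devices fail the policy for their device type.

```python
"""Reconcile an asset baseline (purchase records + directory objects) against
one week of scan results.  Added example with constructed data; the record
layouts below are assumptions, not Nessus or Active Directory export formats."""
from dataclasses import dataclass, field

# --- constructed sample inputs (hypothetical layouts) ---------------------

# Accounting system: assets the office has bought.
PURCHASED = [
    {"asset_tag": "A-1001", "hostname": "ws-fin-01", "type": "workstation"},
    {"asset_tag": "A-1002", "hostname": "ws-fin-02", "type": "workstation"},
    {"asset_tag": "A-2001", "hostname": "srv-db-01", "type": "server"},
    {"asset_tag": "A-2002", "hostname": "srv-web-01", "type": "server"},
    {"asset_tag": "A-3001", "hostname": "lab-box-07", "type": "workstation"},
]

# Directory computer objects: hostname -> account enabled flag.
AD_COMPUTERS = {"ws-fin-01": True, "ws-fin-02": True, "srv-db-01": True,
                "srv-web-01": True, "old-ws-09": False}

# Compliance policy per device type: controls the scan must confirm present.
POLICY = {
    "workstation": {"av_running", "disk_encrypted", "patch_level_current"},
    "server": {"patch_level_current", "logging_enabled", "no_default_creds"},
}

# One week of scan results: hostname -> controls the scanner observed.
SCAN_RESULTS = {
    "ws-fin-01": {"av_running", "disk_encrypted", "patch_level_current"},
    "ws-fin-02": {"av_running", "disk_encrypted"},  # patch control not observed
    "srv-db-01": {"patch_level_current", "logging_enabled", "no_default_creds"},
    "rogue-ap-3": {"av_running"},                   # appears in no inventory
    "lab-box-07": {"av_running", "disk_encrypted", "patch_level_current"},
}


@dataclass
class Report:
    coverage: float                                # share of baseline the scan reached
    unscanned: set = field(default_factory=set)    # baseline hosts the scanner never saw
    unknown_on_network: set = field(default_factory=set)   # scanned, in no inventory
    not_in_ad: set = field(default_factory=set)    # bought but never joined to the directory
    ad_without_purchase: set = field(default_factory=set)  # directory object, no purchase record
    noncompliant: dict = field(default_factory=dict)  # host -> required controls not observed


def reconcile(purchased, ad_computers, scan_results, policy):
    """Compare the purchase-plus-directory baseline with what the scanner saw."""
    baseline = {a["hostname"]: a["type"] for a in purchased}   # hostname -> device type
    baseline_hosts = set(baseline)
    ad_hosts = set(ad_computers)
    scanned = set(scan_results)
    known = baseline_hosts | ad_hosts          # anything either system has heard of
    covered = scanned & baseline_hosts         # baseline hosts the scan actually reached

    report = Report(
        coverage=len(covered) / len(baseline_hosts) if baseline_hosts else 0.0,
        unscanned=baseline_hosts - scanned,
        unknown_on_network=scanned - known,
        not_in_ad=baseline_hosts - ad_hosts,
        ad_without_purchase=ad_hosts - baseline_hosts,
    )
    # Policy check only makes sense for hosts we both own and scanned this week.
    for host in sorted(covered):
        required = policy.get(baseline[host], set())
        missing = required - scan_results[host]
        if missing:
            report.noncompliant[host] = missing
    return report


if __name__ == "__main__":
    r = reconcile(PURCHASED, AD_COMPUTERS, SCAN_RESULTS, POLICY)
    print(f"baseline coverage this week: {r.coverage:.0%}")
    print("not scanned:", sorted(r.unscanned))
    print("unknown on network:", sorted(r.unknown_on_network))
    print("bought but not in directory:", sorted(r.not_in_ad))
    print("in directory, no purchase record:", sorted(r.ad_without_purchase))
    for host, missing in r.noncompliant.items():
        print(f"non-compliant {host}: missing {sorted(missing)}")
```

The report separates two different failure modes that a single "percent compliant" number hides: inventory drift (devices in one system of record but not the other, or on the network with no record at all) and control drift (owned, scanned devices that no longer meet the policy for their type). The coverage figure is computed only over the baseline, so an unknown device appearing in the scan does not inflate it.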