Trade Law Daily is a service of Warren Communications News.

DHS Cybersecurity Effort Not Intended as ‘FISMA 2,’ Officials Say

Flush with cash from an unexpectedly large budget approval, the Department of Homeland Security is increasing its cybersecurity efforts internally and for other agencies, agency officials told the Bethesda chapter of the Armed Forces Communications and Electronics Association Thursday. But DHS isn’t trying to become “FISMA 2,” said Robert Jamison, under secretary for the National Protection and Programs Directorate. He was referring to the Federal Information Security Management Act and its agency review process, which many officials criticize as a paperwork exercise. DHS simply wants to act as a “support entity” for other agencies, he said.

For the first time in several years of discussion, agencies have both an “ongoing debate” and a comprehensive strategy in President Bush’s cybersecurity initiative, Jamison said. The effort, begun this year, remains largely classified. The U.S. Computer Emergency Readiness Team will have a real-time intrusion detection system -- the so-called Einstein 2 system that expands on Einstein’s existing “delayed flow” analysis of government-wide network traffic -- operating across the federal government in 18 months, he said. DHS wants to share Einstein’s capabilities with state and local governments as well, Jamison said. Longer term, DHS will upgrade Einstein to become an intrusion prevention system, said Michael Brown, deputy assistant secretary for cyber security and communications in Jamison’s directorate.

The federal government has “drastically reduced” its external Internet connections, from around 4,500 to 2,700 this summer, through the Trusted Internet Connections effort required by the Office of Management and Budget, Brown said. He said he has been “locked up… for the last several days” figuring the number of connections as of Sept. 30. OMB’s goal is to get “under 100” connections across agencies. But Brown said he wasn’t confident the government could get to its more optimistic goal of 79 (WID Sept 16 p3).

A revamp of the FISMA law is in order, but the basic framework is “sound,” said Robert West, chief information security officer at DHS. Like balancing a checkbook, FISMA is a necessary “paperwork drill,” he said. “The federal government is under siege” daily. DHS’s first trusted Internet connection is up and running at a Mississippi location, he said. Asked whether DHS was putting too much emphasis on perimeter defense at the expense of security between agency networks or data at rest, West said that “we've frankly had issues with our network security engineers over the past couple years” on the subject. DHS is building a capability like Trusted Internet Connections between seven agency organizations that act as “trust zones” for safe traffic, he said.

DHS tripled its budget for cybersecurity between fiscal 2007 and 2009, getting more than it requested in the most recent cycle, Jamison said. With the money, DHS will increase full-time employment and recruitment of information-security professionals, including some “senior leadership” slots, he said. DHS will build a “red-team capability,” a sort of brain trust for cyberattack scenarios, in fiscal 2009 and 2010, Jamison said. Project 12, a DHS program to encourage businesses to share information with the agency and for it to respond in kind, is in the “final iteration of approval,” he added. Asked whether program managers without IT experience were grasping the cybersecurity mission, Jamison said managers had other pressures. “If you see any of our correspondence from the Hill, [DHS programs] need to be done yesterday.”

Brown assured the vendor representatives in the audience that DHS hadn’t forgotten about their role in cybersecurity procurement. DHS will hold a “vendor day” in December or January. Vendors can request more information on DHS cybersecurity needs at civendorinfo@dhs.gov.