State, HHS Outline Work on FISMA
The Information Security and Privacy Advisory Board got a glimpse of two vastly different regimes for information security in federal agencies during a discussion Friday with John Streufert, chief information security officer at the State Department, and Mike Carleton, chief information officer at Heath and Human Services. Streufert highlighted the security improvements at USAID and State after undertaking a program of continuous monitoring, and Carleton talked about the budgetary battles at HHS that undermine information security, and potential challenges ahead as a national health information network is developed.
Streufert said leaving the snapshot model of FISMA and moving to a system of continuously monitoring for risks, which includes scanning for vulnerabilities continuously, daily summarizing uncorrected problems to every owner and giving monthly letter grades to technical managers, helped USAID jump from one of the worst FISMA scores to one of the highest and helped State improve its score. The organizations are both large -- 50,000 at State -- and small -- 8,000 at USAID -- and operate in 24 time zones around the world, he said, so the method should be transferable to any other agency. “I feel this would be beneficial on a wider basis,” he said.
A dashboard display tool allows IT managers to see their daily risk score, how that score compares to others throughout the department and in the region, and gives risk scores for 10 individual components. This allows security professionals to see the most serious problems that have emerged in the last 24 hours, Streufert said. The result at both State and USAID was a reduction in risk, he said. At USAID, after six months of presenting the worst problems for the day, two-thirds of the risk disappeared, he said. The State Department showed a 75 percent reduction in risk for its domestic computers for the six months that ended Jan. 7, he said. Streufert said State’s proposal for using the stimulus money for IT is still working its way through OMB.
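As an added illustration of the scoring regime described above (not State's or USAID's actual tool), this toy scoreboard ages uncorrected findings, breaks each owner's daily score down per component, assigns letter grades and lists what appeared in the last 24 hours. The findings, component names, point weights and grade cut-offs are constructed assumptions; the article gives none of them.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed scan findings: (owner, component, severity, first_seen, fixed_on).
TODAY = date(2009, 1, 7)
FINDINGS = [
    ("bureau-a", "patching",  "high",   date(2008, 12, 20), None),
    ("bureau-a", "patching",  "medium", date(2009, 1, 6),   None),
    ("bureau-a", "antivirus", "low",    date(2009, 1, 7),   None),
    ("bureau-a", "config",    "high",   date(2008, 12, 1),  date(2009, 1, 5)),
    ("bureau-b", "patching",  "high",   date(2009, 1, 7),   None),
    ("bureau-b", "accounts",  "medium", date(2008, 11, 15), None),
]

# Assumed weights: base points per severity plus an ageing charge, so an
# uncorrected problem costs its owner more for every day it stays on the list.
BASE_POINTS = {"high": 10.0, "medium": 4.0, "low": 1.0}
AGE_POINTS_PER_DAY = 0.2

def finding_points(severity, first_seen, fixed_on, today=TODAY):
    """Risk points for one finding; a fixed finding contributes nothing."""
    if fixed_on is not None and fixed_on <= today:
        return 0.0
    return BASE_POINTS[severity] + AGE_POINTS_PER_DAY * (today - first_seen).days

def score_by_owner(findings, today=TODAY):
    """Per owner: total daily score and a per-component breakdown (the dashboard view)."""
    scores = defaultdict(lambda: {"total": 0.0, "components": defaultdict(float)})
    for owner, component, severity, first_seen, fixed_on in findings:
        pts = finding_points(severity, first_seen, fixed_on, today)
        scores[owner]["total"] += pts
        scores[owner]["components"][component] += pts
    return scores

def letter_grade(score):
    """Assumed cut-offs for the monthly letter grade sent to technical managers."""
    for cutoff, grade in ((5, "A"), (15, "B"), (30, "C"), (50, "D")):
        if score < cutoff:
            return grade
    return "F"

def new_in_last_24h(findings, today=TODAY):
    """Unfixed findings first seen since yesterday's run: what to surface first."""
    since = today - timedelta(days=1)
    return [f for f in findings if f[3] >= since and f[4] is None]

def risk_reduction_pct(before, after):
    """Percentage drop in total risk between two scoring runs."""
    return 100.0 * (before - after) / before if before else 0.0

if __name__ == "__main__":
    for owner, s in sorted(score_by_owner(FINDINGS).items()):
        print(owner, round(s["total"], 1), letter_grade(s["total"]), dict(s["components"]))
```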
Health and Human Services has “no shortage of known defects to remedy,” but the way the internal IT budgeting was set up makes it difficult to address issues, Carleton said. The smaller operations within HHS were involuntarily lumped together for IT, with the promise they wouldn’t have to pay for IT out of their budgets, he said. But when a fixed-price mindset bumps up against the open-ended, reactive costs of meeting goals, especially for groups that weren’t FISMA-compliant to begin with, security suffers, he said. “At HHS we are incredibly good and practiced at fighting over money. It doesn’t mitigate any security risk,” he said.
HHS received an extra $50 million from the Recovery Act for IT security, Carleton said. That’s a significant boost compared to normal spending of $70 million, he said. The agency is working to ensure the recovery money is used to supplement, not supplant, existing security funds, he said. OMB, on the other hand, tends to want assurances written in blood that money for IT security will resolve the backlog of HHS issues and keep them from ever reappearing, he said.
Among the problems Carleton described to the board was that of people designing systems so as to foist FISMA responsibilities onto colleagues. “I see people actively avoiding the FISMA responsibilities as best they can,” he said, adding that a diffuse environment offers plenty of opportunities to do so.
Carleton also projected potential problems with a nationwide health information network. First, he said, it would be “negatively spectacular” if there were a health information breach in a government agency as the administration is trying to persuade people to trust their health information to electronic records. Secondly, he said there will be problems when the medical sector, which is accustomed to self-attestation of compliance with HIPAA requirements, becomes subject to a higher standard of security compliance. Carleton said there’s not much veracity to such self-attestation. Further, he said, the public seems to think its health information is protected by federal privacy laws that actually only govern government use of data, not private sector use. Someone will have to tell the public its information protection level is “low by law,” he said.
Carleton said the people who get revenues from intellectual property should provide some type of warranty so when there’s a latent defect in the product, they'll fix it or at least share some of the costs. Right now there’s no way to get to people when products have problems, he said. “We have people who say, ‘We tried, we're sorry, here’s our 7,000 lawyers,'” he said.
The Recovery.gov Web site, which will track all recovery spending, also poses some challenges to the agency, Carleton said. Those challenges aren’t with IT but from the data elements that will go into the site, he said. For example, the agency must report how many jobs each program created or retained, an element it doesn’t currently track, he said.