Several federal agencies today expressed backing for the "Consensus Audit Guidelines," a set of 20 proposed cybersecurity controls that could end up as network and application security requirements for federal agencies and their contractors.
Dissatisfied with the current way Congress mandates their networks be evaluated for security, some federal agencies, including the Department of Defense, are proposing a new approach unveiled Monday that would encourage investment in automated defensive measures.
The proposed Consensus Audit Guidelines (CAG) are 20 security controls that begin with the concept of automated inventory-taking of authorized and unauthorized hardware and software for the purpose of assessing network security. Strongly oriented toward specific technical measures that could be automated, CAG is an effort to gradually shift the federal agencies off the annual security compliance effort known as the Federal Information Security Management Act (FISMA), which Congress made law in 2003.
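The first CAG control described above, an automated inventory of authorized and unauthorized hardware and software, amounts to reconciling what a scan actually observes against a baseline of what is approved. The following Python script is an added illustration written for this page, not CAG tooling or code from SANS or any agency: it parses a constructed ARP-style listing, compares observed MAC addresses against an authorized hardware baseline, and compares installed packages per host against an authorized software baseline. All addresses, hostnames and package names are constructed sample data.

```python
"""Added example: reconcile an observed inventory against an authorized baseline,
the idea behind the first CAG control. Illustrative code written for this page;
every address, hostname and package name below is constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# --- Authorized baselines (what the agency says should exist) --------------
AUTHORIZED_HARDWARE = {            # normalized MAC -> approved hostname
    "00:11:22:33:44:55": "ws-finance-01",
    "00:11:22:33:44:66": "ws-finance-02",
    "aa:bb:cc:dd:ee:01": "print-floor3",
}
AUTHORIZED_SOFTWARE = {            # hostname -> approved package names
    "ws-finance-01": {"openssh-client", "libreoffice", "firefox"},
    "ws-finance-02": {"openssh-client", "libreoffice", "firefox"},
}

# --- Constructed observations (what an automated scan actually found) -------
OBSERVED_ARP = """\
10.0.3.12  00-11-22-33-44-55  ws-finance-01
10.0.3.13  00:11:22:33:44:66  ws-finance-02
10.0.3.99  DE:AD:BE:EF:00:01  ?
"""
OBSERVED_SOFTWARE = {
    "ws-finance-01": {"openssh-client", "libreoffice", "firefox"},
    "ws-finance-02": {"openssh-client", "libreoffice", "firefox", "remote-desktop-tool"},
}

_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so 'DE-AD-..' and 'de:ad:..' compare equal."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> dict[str, str]:
    """Parse 'ip mac hostname' lines (constructed format) into {mac: ip}."""
    seen: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines instead of aborting the audit
        ip, mac = parts[0], parts[1]
        seen[normalize_mac(mac)] = ip
    return seen


@dataclass
class HardwareReport:
    unauthorized: dict[str, str] = field(default_factory=dict)  # mac -> ip
    missing: dict[str, str] = field(default_factory=dict)       # mac -> hostname


def reconcile_hardware(authorized: dict[str, str], observed: dict[str, str]) -> HardwareReport:
    """Devices on the wire but absent from the baseline are unauthorized; baseline
    devices not seen are 'missing' and worth a follow-up (powered off? removed?)."""
    report = HardwareReport()
    for mac, ip in observed.items():
        if mac not in authorized:
            report.unauthorized[mac] = ip
    for mac, host in authorized.items():
        if mac not in observed:
            report.missing[mac] = host
    return report


def reconcile_software(authorized: dict[str, set[str]],
                       observed: dict[str, set[str]]) -> dict[str, set[str]]:
    """Per host, the installed packages that the baseline does not approve."""
    findings: dict[str, set[str]] = {}
    for host, packages in observed.items():
        extra = packages - authorized.get(host, set())
        if extra:
            findings[host] = extra
    return findings


def run_audit() -> tuple[HardwareReport, dict[str, set[str]]]:
    """Run both reconciliations over the constructed sample data."""
    hw = reconcile_hardware(AUTHORIZED_HARDWARE, parse_arp_table(OBSERVED_ARP))
    sw = reconcile_software(AUTHORIZED_SOFTWARE, OBSERVED_SOFTWARE)
    return hw, sw


if __name__ == "__main__":
    hw, sw = run_audit()
    for mac, ip in hw.unauthorized.items():
        print(f"UNAUTHORIZED DEVICE {mac} at {ip}")
    for mac, host in hw.missing.items():
        print(f"MISSING DEVICE {host} ({mac})")
    for host, pkgs in sw.items():
        print(f"UNAUTHORIZED SOFTWARE on {host}: {', '.join(sorted(pkgs))}")
```

Against the sample data the audit flags one unknown device (the DE:AD:BE:EF:00:01 address at 10.0.3.99), one authorized printer that was not seen, and one unapproved package on ws-finance-02. Reporting "missing" baseline devices alongside unauthorized ones is deliberate: a control that only looks for extra devices never notices when an approved asset disappears.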
"The federal government FISMA legislation that federal agencies comply with has only proven to be partially successful," says John Gilligan, head of the consultancy Gilligan Group.
A former Air Force CIO, Gilligan has become a strong backer of CAG, an effort kicked off last autumn among some of the federal agencies, including the CIO Council, with help from Alan Paller, director of the SANS Institute.
Complying with FISMA requires the inspector general of each agency to lead an evaluation of agency IT systems based on hundreds of pages of guidelines from the National Institute of Standards and Technology (NIST), which Congress tasked with drawing up the FISMA standards. These confidential FISMA reports are sent to Congress, which each year publicly hands down grades to each agency, like a school report card.
As CIO of the Air Force, Gilligan says he found FISMA certainly focuses on security, though much of it was simply paperwork, and "it didn't help you narrow down, what should I do first?"
Gilligan said he got a handle on what to do first when the "NSA would annually do an assessment of DoD systems with their penetration analysis and call together the CIOs, and every time it was the same story: We broke in, it was easy."
He says he's convinced the government would benefit from a new approach requiring very technical steps, perhaps akin to the secure-software configuration effort of the Air Force five years ago.
CAG's list of 20 controls is published for a month of public comment. It features a broad list of both automated and non-automated practices, including continuous vulnerability testing and remediation and secure configurations of hardware, software and network devices.
Security expert Ed Skoudis is the technical editor on the project.
The CAG recommendation is being funneled through the Center for Strategic and International Studies in Washington, D.C., as part of a cybersecurity report to the White House. The CAG concept Monday garnered backing from the National Security Agency, the Department of Homeland Security, various divisions within the Defense Department, the Department of Energy, the Department of Transportation, the Government Accountability Office, MITRE Corp. and the SANS Institute.
Though agencies are restive about FISMA, Gilligan says they are intent on bringing agency inspectors general — as well as NIST and Congress — on board to prove CAG will work. To that end, agencies are working to set up "pilot sites" in their production networks where they can demonstrate how CAG controls would work in practice. "We want real-world examination of this for feedback," Gilligan notes.
The CAG alliance wants feedback on how its guidelines mesh with other government and industry security-compliance efforts, such as the Health Insurance Portability and Accountability Act (HIPAA) guidelines from the Department of Health and Human Services or the Payment Card Industry data standards.