InformationWeek Government, April 2012
informationweek.com/government

On the cover: IT savings or spending shuffle? | NASA's new Web architecture | OMB mandates portfolio reviews | State Department CIO talks security

Hacktivists and cybercriminals pose the greatest threats to federal agencies, our Cybersecurity Survey shows. The feds are fighting back with continuous monitoring. By Ed Moyle and Diana Kelley

MORE INFORMATIONWEEK GOVERNMENT

Meet Your Peers: Our 2012 Government IT Leadership Forum is a day-long event where senior IT leaders in government will gather to discuss how they're using technology to drive change. It's May 3 at the Newseum in Washington, D.C. informationweek.com/gov/2012forum

What's Next In Cybersecurity: In this virtual event, experts will assess the state of cybersecurity in government. It happens May 24. informationweek.com/gov/cyberevent

Cloud In Action: Find out how 10 federal agencies are moving from planning to implementation of cloud computing. informationweek.com/gogreen/121211gov

CONTENTS
THE BUSINESS VALUE OF TECHNOLOGY, April 2012, Issue 12

3 Down To Business: Federal efforts to cut IT costs don't go far enough

QUICKTAKES
4 NASA's Web Plan: Space agency's new Web architecture will apply open source, cloud computing, and commercial technologies
6 Tech Portfolios Under Scrutiny: Government-wide IT portfolio reviews are aimed at rooting out duplication
8 Post-WikiLeaks Security: State Department continues to enhance security in order to prevent data leaks

COVER STORY
9 Threats Vs. Readiness: Hacktivists and cybercriminals pose the greatest threats to federal agencies, our Cybersecurity Survey shows. The feds are fighting back with continuous monitoring.

CONTACTS
18 Editorial and Business Contacts

IN-DEPTH REPORTS
Mobile Government: Agencies are working to replace ad hoc mobility policies with a coordinated plan designed to improve delivery of services, increase productivity, and reduce costs. informationweek.com/reports/mobilegov
Federal Belt-Tightening Slows Compensation Growth: The salary freeze instituted by President Obama in late 2010 has slowed the growth of IT worker compensation. informationweek.com/reports/belt
DOWN TO BUSINESS
Federal IT Savings, Or Old-Fashioned Spending Shuffle?
By Rob Preston

Federal CIO Steven VanRoekel maintains that over the past three years, the federal government has done much in adopting private sector practices to triage broken IT investments, reduce the IT infrastructure footprint, and innovate with less. But by his own account, it hasn't done enough. So a few weeks ago, VanRoekel and Office of Management and Budget acting director Jeff Zients introduced PortfolioStat (see story, p. 6), a series of annual data-based reviews of agency IT investments (more sweeping than the existing TechStat program), as well as a new requirement for fed agencies to develop consolidation plans for commodity IT services. All good, as long as these measures actually produce meaningful spending cuts rather than just shuffle federal IT dollars around.

In a memo announcing the two initiatives, VanRoekel called out the Department of the Interior, which he says will realize $100 million in annual savings (on an IT budget of about $1 billion) from 2016 to 2020 by modernizing IT infrastructure and aligning resources to improve customer service. Furthermore, he estimated that IT spending reviews already carried out at Interior have rendered $11 million in cost avoidance and $2.2 million in redirection. The fact that Interior's fiscal 2013 IT budget is pegged to decline by $28.6 million, or 2.9%, compared with the previous year's budget is a positive sign. But let's see if the agency's annual IT budget falls by anywhere near $100 million between 2016 and 2020.

VanRoekel is quick to note that fiscal discipline is returning to federal IT. After growing at a compound annual growth rate of more than 7% between 2001 and 2009 (lean years for private sector IT organizations), fed IT spending has come in flat ever since. Still, at about $80 billion, the federal IT budget could use a haircut. Instead, for every IT dollar budgeted to be cut next year at the likes of Interior (down $28.6 million) and Justice (down $102 million), an additional dollar will be spent at the likes of Agriculture (up $79.9 million) and Treasury (up $358.7 million). For all their talk about adopting private sector practices, few in Washington have the stomach or will to make the kinds of hard decisions that companies make all the time: the kinds that cut budgets rather than just keep them from expanding.

Agency CIOs are apt to take their cues from the politicians and career bureaucrats. Consider the federal budget histrionics of a few weeks ago. As part of his rebuke of the deep cuts proposed by Wisconsin Congressman Paul Ryan, President Barack Obama claimed to have already eliminated dozens of programs that weren't working. But according to a Wall Street Journal editorial, the savings from these eliminations amount to less than 0.1% of the budget, or less than $100 million. Not that the Republicans were penny-pinchers during the last administration. Far from it. During President George W. Bush's eight years, the national debt doubled to more than $10 trillion. VanRoekel and his predecessor, Vivek Kundra, have done well to identify $4 billion in cost avoidance and redirection as a result of the TechStat program. Begin to lop those billions and more from future budgets, and we'll be more impressed.

Rob Preston is VP and editor in chief of InformationWeek. You can write to Rob at rpreston@techweb.com.

QUICKTAKES
OPEN GOVERNMENT 2.0
NASA Web Plan Incorporates Cloud, Open Source, Social Media

QUICKFACT: NASA.gov gets 140M visits annually

NASA plans to build a new Web architecture that applies cloud computing, open source, and commercial technologies in support of its websites and internal Web services. The architecture is the flagship initiative of the space agency's newly updated open government plan. NASA and other federal agencies have updated their open government efforts in keeping with version 2.0 of the Obama administration's Open Government Initiative, originally launched in 2009.

The agency's existing Web infrastructure supports the development and hosting of 140 applications and 1,590 websites, deployed on a variety of systems. Its primary site, NASA.gov, draws 600,000 visitors daily and serves as a hub for more than 250 accounts on social media platforms such as Twitter, Facebook, and Foursquare. The open government plan calls for a single infrastructure to support those apps and a majority of the websites. The agency is looking to use open source, cloud computing, commercial products, and government off-the-shelf technology in lieu of customized technologies. And it plans to make increased use of fast, iterative software development methodologies like agile development. "This effort will provide a new agency-wide capability to create, maintain, and manage the NASA.gov Web environment and associated services, which represent what open government at its best can and should be," NASA program manager Nick Skytland writes in an introduction to the open government 2.0 plan.

Liberating Data
The strategy includes making more NASA data publicly available through two portals, Data.NASA.gov and the federal Data.gov site. The agency plans to release 500 data sets over the next two years, representing as much of NASA's internal work as possible. That will require publishing APIs and functional interfaces to liberate data and content. NASA will also expand its use of social media capabilities. It plans to implement a code repository with social features for collaboration, increase the number of challenges it runs to engage the public in projects, and host events that let users of Facebook, Twitter, and other platforms interact with agency personnel. The agency will launch a pilot program to test the feasibility of using an open source content management system as a replacement for the proprietary system in place. If that goes well, it will consolidate multiple blogging infrastructures to the new content management system within a year. Another near-term objective is to develop an API for releasing content on NASA.gov. Within two years, NASA wants to move its websites to the new Web infrastructure.

Making use of open source was a flagship initiative in NASA's original open government plan, and it's now looking to collaborate more actively with the open source development community. NASA already has an open source code repository, Code.NASA.gov. Its open government site is built on the LAMP (Linux, Apache, MySQL, PHP) software stack and an open source content management system. Also, the agency is looking to expand use of technology accelerators, initiatives such as public-private partnerships and innovation mentoring. The agency points to its International Space Apps Challenge and Random Hacks of Kindness volunteer development program as examples of such efforts. J. Nicholas Hoover (nhoover@techweb.com)


QUICKTAKES
THE SHARED-SERVICES ALTERNATIVE
White House Seeks To Root Out IT Duplication With Portfolio Reviews

White House efforts to wring savings from federal IT investments have received another push, this time in the form of a new plan to conduct government-wide IT portfolio reviews, along with new requirements for centralizing IT services. Jeff Zients, acting director of the Office of Management and Budget, and federal CIO Steven VanRoekel on March 30 announced two initiatives: one called PortfolioStat, a series of face-to-face, data-based reviews of agency IT portfolios, and another requiring agencies to develop consolidation plans for commodity IT services. Their memo implored agencies to focus on high-value IT investments and stop deploying redundant IT services. "The stove-piped and complex nature of the federal enterprise has led over the years to a proliferation of duplicative and low-priority investments in information technology," they wrote. "At the same time, agencies too often seek to develop homegrown, proprietary solutions first, before assessing existing options for shared services or components."

PortfolioStat was inspired by private-sector practices as well as by OMB's TechStat program, launched in January 2010 by former federal CIO Vivek Kundra. In the early going, TechStat was used to identify big-budget IT projects that were at risk of running over budget or falling behind schedule, which in turn led to corrective action. TechStat project reviews are now applied more broadly within agencies. The Obama administration says that TechStat has generated some $4 billion in savings and cost avoidance since 2010.

The Dark Corners
Businesses have used IT portfolio management for years, and OMB looked to Adobe, OSI Restaurants, and Symantec in drawing up plans for PortfolioStat. VanRoekel, in a blog post, writes that PortfolioStat aims to assess the maturity of agencies' IT portfolio management processes and give them tools to look into the darkest corners of the organization to find wasteful and duplicative IT investments. As part of the PortfolioStat sessions, agency deputy secretaries or chief operating officers are required to work with the federal CIO and agency CIOs, CFOs, and chief acquisition officers to sift through and find savings in their IT portfolios. "This level of executive sponsorship is a direct reflection of our belief that IT is a strategic asset that can dramatically improve productivity and the way agencies execute their mission," VanRoekel writes.

PortfolioStat sessions will delve into commodity IT investments, redundant or duplicative systems and services, and investments that are poorly aligned to an agency's mission. OMB outlined a five-step process for the program, beginning with baseline data gathering and concluding with an assessment of lessons learned. The document describing those processes provides deadlines for specific objectives to be completed over the next 10 months. In the early going, agencies must complete a survey of their IT portfolios and a bureau-level information request for specific types of commodity IT investments that will be used in assessing the portfolios. That review will be followed by one-hour PortfolioStat review sessions, the first of which must be held by the end of July. Those sessions are supposed to lead to concrete next steps to rationalize an agency's IT portfolio, according to the memo. Agencies are required to create consolidation plans for the commodity IT services they use, with final plans by the end of August. PortfolioStat leaders are to set targets for reducing spending on commodity IT and demonstrate how IT portfolios align with agency missions and business functions. By year's end, agencies are expected to transition two commodity IT areas, such as email, wireless services, or productivity tools, to shared services or consolidated purchasing. J. Nicholas Hoover (nhoover@techweb.com)

PortfolioStat's 5-Step Process
>> PHASE 1: Provide high-level survey of agencies' IT portfolios.
>> PHASE 2: Develop action plan; consolidate duplicative systems and contracts.
>> PHASE 3: Conduct PortfolioStat review; identify next steps.
>> PHASE 4: Document cost savings, improvements gained through review.
>> PHASE 5: Share lessons learned for continuous process improvement.


QUICKTAKES
SECURITY FIRST
State CIO Outlines Post-WikiLeaks Steps

Photo: Swart: State Department has enhanced security

Eighteen months after its diplomatic cables were exposed in the WikiLeaks breach, the State Department continues to lock down its confidential information, while using social media to further its work in other ways. State Department CIO Susan Swart, in an interview with InformationWeek at the agency's Washington, D.C., headquarters, outlined steps under way to prevent any further data leaks. "The State Department has continued to enhance the security of our classified data and systems post-WikiLeaks," she said, adding that the department is playing a lead role in the interagency response to WikiLeaks that was launched last year by presidential order.

The agency is deploying new security technology, including auditing and monitoring tools on its classified networks and systems. State has also begun tagging information with metadata to enable role-based access to those who need it, and is planning to implement public key infrastructure on its classified systems by the summer of 2014. Following the November 2010 WikiLeaks breach, the State Department suspended outside access to several of its classified information portals. Those portals, including the Net Centric Diplomacy diplomatic reporting database, ClassNet classified websites, and some SharePoint sites, remain largely inaccessible or subject to restricted access from other networks. The agency has also improved its cybersecurity training, and it's working closely with the Department of Homeland Security and the National Security Agency on cybersecurity issues.

Other Priorities
The department's other technology priorities include IT consolidation, mobility, social media, cloud computing, and improved IT governance, Swart said. The agency is also analyzing the tech tools that are available to diplomats and what more may be needed. Any additions will have to be carried out within the context of a lower IT budget. The White House's proposed budget for fiscal 2013 would decrease IT spending at the State Department by 4.8%, to $1.35 billion. One high priority is to consolidate the foreign affairs community onto a common network, known as the Foreign Affairs Network. And, like other federal agencies, the State Department is consolidating data centers. In the United States, it's going from 14 data centers to four, while classified processing from overseas offices is being done in a handful of regional sites.

Under its eDiplomacy initiative, the State Department is ramping up its use of social media and the Internet for diplomacy and operations. The agency currently has 150 employees dedicated to the eDiplomacy mission using the Web and other new communications technologies to further its international relations efforts. Examples of the eDiplomacy projects under way include the department's presence on public social networks, external blogs like DipNote, an internal blogging community site known as Communities @ State, and a wiki-based collaborative encyclopedia on diplomatic affairs called Diplopedia that's modeled on Wikipedia. J. Nicholas Hoover (nhoover@techweb.com)

[COVER STORY]
FEDERAL GOVERNMENT CYBERSECURITY SURVEY
Threats Vs. Readiness

Hacktivists and cybercriminals pose the greatest threats to federal agencies. The feds are fighting back with continuous monitoring.

By Ed Moyle and Diana Kelley

Cybersecurity is the No. 1 priority of federal IT professionals, by a long shot. That's been the key finding of InformationWeek's Federal Government IT Priorities Survey each of the past two years, and you don't have to look any further than the threats posed by Anonymous, LulzSec, or WikiLeaks to understand why.

What are the most dangerous cyberthreats? And how are agencies responding? InformationWeek launched our 2012 Federal Government Cybersecurity Survey to find out. Our poll of 106 federal IT pros involved in IT security for their organizations was conducted in March. We asked respondents to rank the threats they face and their readiness to deal with them. We inquired about cybersecurity spending and where agencies are investing. And we probed into the most significant challenges they face.

Our survey results show that organized cybercriminals and hacktivists are viewed as the greatest threats to IT security. At the same time, government IT pros say they're least prepared for leaks that take place through social media. And a crush of competing priorities is the biggest challenge to effective execution. The good news is that agencies feel they've made significant improvements in cybersecurity. This is the perception of agencies themselves, as well as the assessment of government evaluators charged with monitoring progress under the Federal Information Systems Management Act (FISMA).

Despite the progress, attacks are on the rise, and agencies must continue to bolster their defenses. In a report to Congress published in March on FISMA implementation in fiscal year 2011, the Office of Management and Budget (OMB) disclosed that the number of computer security incidents reported to the U.S. Computer Emergency Readiness Team (US-CERT) that impacted government agencies rose 5%, to 43,889. Longer term, federal computer security incidents have risen 650% over five years, according to a report released last fall by the Government Accountability Office. In explaining that increase, the GAO cited persistent weaknesses in information security controls, due to incomplete implementation of security programs.

So clearly, there's room for improvement in how agencies prepare and respond. Step one is raising awareness of cyberthreats and establishing an organizational commitment to readiness. It's imperative that an agency's top leaders, not just chief information security officers and their information assurance teams, get behind the effort. Steps to improve security include meeting the FISMA requirements and also understanding the security implications of new technologies such as virtualization and cloud computing.

Underscoring the urgency of cybersecurity, the White House and Congress are both involved in national planning. President Barack Obama called cyberthreats "one of the most serious economic and national security challenges we face as a nation," and there are two security bills moving through Congress, the bipartisan Cybersecurity Act of 2012 (S. 2105) and the GOP-sponsored Secure IT Act of 2012 (S. 2151).

A majority of federal IT pros feel they're up to the task. When asked about their overall state of cybersecurity readiness, 83% of survey respondents rate their agencies as excellent or good. But are they being overly confident, which could be dangerous? According to OMB's report to Congress for FY 2011 on FISMA policy compliance in several broad areas, including continuous monitoring, trusted Internet connections, and implementation of identity smart cards under Homeland Security Presidential Directive 12 (HSPD-12), agencies were 73% compliant in the areas measured, compared with 55% in FY 2010. That's progress, but with room for improvement. The other side of the story is 27% noncompliance.

To close the gap, agencies are asking for more funding for their cybersecurity initiatives. The Department of Homeland Security requested $769 million for security initiatives in its FY 2013 budget, a 60% increase over the previous fiscal year. DHS seeks to establish broader capabilities in network security, expand research and development, and add support for enforcement of cybercrimes, among other areas of investment. Our survey sheds light on spending plans more broadly. A quarter of respondents say that their agencies will increase cybersecurity spending by more than 5% in FY 2013, and another 29% indicate spending will rise by up to 5%.

Get This And All Our Reports
Our full report on federal cybersecurity is free with registration. This report includes 26 pages of action-oriented analysis, packed with 15 charts. What you'll find:
> The top cybersecurity priorities of federal agencies
> How FISMA compliance affects cybersecurity planning

Top Security Initiatives
Which of these IT security and cybersecurity initiatives are most important to your agency?
Implementing continuous monitoring systems: 43%
Upgrading standard defenses (e.g., firewalls and antivirus): 41%
Improving security of agency-issued mobile devices: 35%
Deploying intrusion-prevention capabilities: 27%
Implementing technologies and processes to thwart insider threats: 25%
Deploying PKI-based ID smart cards: 23%
Hiring and cultivating cybersecurity skills: 18%
Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012

NISTs Ross: Continuous monitoring aims to reduce risk

On the other hand, cybersecurity spending is expected to be flat at 29% of agencies and decrease at 9%, and thats cause for concern. (Eight percent didnt know or declined to answer.) We understand that overall IT budgets are flat or declining in many agencies, putting pressure on all areas of investment. But IT decision-makers must find ways to adequately fund cybersecurity infrastructure, given the trend toward continuous monitoring, the requirements of FISMA, and the fact that cybersecurity is the No. 1 IT priority across government. FISMA Compliance When it comes to what influences cybersecurity planning in agencies, FISMA is king. In

our survey, FISMA ranks as the most significant influencing factor for cybersecurity strategy, just ahead of the continuous monitoring requirement and US-CERT, which oversees security incidents and the Einstein intrusion-detection system. As any information security practitioner will tell you, FISMA hasnt been an easy road. And critics argue it isnt making agencies more secure. Youre drawing away resources from whats important by taking resources that were focused on real security tasks and focusing them instead on checking the box, says Dave Amsler, president and CIO of Foreground Security. The government has reduced some of the bureaucratic burden through CyberScope, the process for automating FISMA reporting. More than 75% of the agencies reviewed for the Office of Management and Budgets March report can now provide automated data feeds to CyberScope, compared with just 17% that

informationweek.com/government

April 2012 12

Previous

Next

CYBERSECURITY SURVEY

[COVER STORY]

Table of Contents

demonstrated this capability a year earlier. Even so, FISMA compliance fell for more than half of 24 agencies reviewed in the report, which assesses IT security programs in 11 areas, including risk management, configuration management, and identity and access management. Only seven agencies achieved more than 90% compliance in the areas measured. Eight agencies fell into the red zone in the report, meaning they have less than 65% FISMA compliance. The departments of Transportation, Interior, and Agriculture were at the bottom of the list. The Department of Defense didnt provide enough detail on its compliance levels to be included in the report. Much work remains in satisfying the White Houses cybersecurity priorities. As outlined in OMBs FISMA report, the administrations top three priorities for FISMA are continuous monitoring, logical access control (as spelled out in HSPD-12), and trusted Internet connections (TIC v2.0). The priority areas were selected based on the overall impact they have on cybersecurity readiness. Heres how plans to implement those three initiatives are shaping up, as reflected in our survey results. Continuous Monitoring Continuous monitoring is getting the lions share of attention from agencies. The goal is to replace a static, point in time view of an agencys information security posture with near-real-time visibility into system health. Its important not just because its reinformationweek.com/government

Previous

Next

CYBERSECURITY SURVEY

[COVER STORY]

Table of Contents

quired under FISMA, but because it makes good operational sense. Continuous monitoring gets rated as the top cybersecurity initiative in our survey, with 43% of respondents choosing it from a list of 10 possibilities. (Respondents were asked to select their three most important initiatives.) That was followed by improvements to standard defenses (e.g., information security software like firewalls and antivirus), identified by 41%, and mobile device security, at 35%. This tells us that, while federal IT pros recognize the importance of traditional security controls and defenses, they also understand

they likely need to improve continuous monitoring. Continuous monitoring is largely about managing risk, says Ron Ross, senior computer scientist with the National Institute of Standards and Technology (NIST) and project leader for the FISMA Implementation Project. We start by looking at the risk assessment, based on what adversaries are doing that might be a threat and impact the mission, Ross says. The goal of continuous monitoring is to attempt to evaluate the actual performance of the controls at reducing overall risk. So agencies must understand the risks posed to their systems and networks, and the monitoring plans they put in place must shed light on those risks and reduce them.

[Chart: What's Your Agency's Overall Cybersecurity Readiness? Response categories: Excellent (appropriate systems, processes, and policies in place); Good (some systems, processes, or policies need updating); Poor (necessary systems, processes, or policies are lacking); Don't know or decline to say. Percentages shown: 58%, 25%, 10%, 7%. Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012]

Kelley Dempsey, senior information security specialist with NIST and author of special publication 800-137, Information Security Continuous Monitoring For Federal Information Systems And Organizations, says that getting the risk assessment wrong can undermine continuous monitoring efforts. Everything starts from the risk management framework, Dempsey says. So if that isn't right, everything that falls under it would be at issue. A good continuous monitoring framework will lead you to go back and evaluate control selection, and that in turn will lead you to look for ways to monitor. What's good monitoring? It requires understanding a few things about each security control: whether it's functioning properly and appropriate to the task at hand, and the threat environment within which the control operates. For example, the public websites of federal law enforcement and intelligence agencies have become favorite targets of Anonymous and LulzSec. That leads IT to focus on what data it should collect and not just what it can collect. Agencies will look to automate data collection, but they shouldn't ignore that other important information might only be available through a manual collection process. Automated metrics may be more cost effective, but those alone could leave you with an incomplete picture of the environment. Pete Lindstrom, research director of Spire Security, warns about becoming slowed by data overload. A jumble of arbitrary data without a frame of reference isn't monitoring; it's white noise, he says. A valuable metric is one that tells us something about effectiveness of the control, efficiency of operation, or both. Continuous monitoring needs to be more than just a distillation of what you're currently

collecting. Dave Shackleford, CTO of security research firm IANS, recommends comprehensive whitelisting (granting privileges to trusted users or sites) and file integrity monitoring (keeping a close eye on changes to server files). Monitoring things like antivirus and host-based IDS has some merit but has proven ineffective in countering the more advanced threats seen today, Shackleford says.

[Chart: What's The Most Significant Challenge To IT Security At Your Agency? Categories: competing priorities and other initiatives (35%); resource constraints (31%); complexity of the internal environment; lack of top-level direction and leadership; lack of clear standards; reliance on vendors for aspects of security; lack of technical solutions (4%); other. Remaining percentages shown: 10%, 8%, 6%, 4%, 2%. Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012]

HSPD-12: Tackling Identity Management

Recognizing that a single, trusted source of user identity information is critical to information security, HSPD-12 attempts to bring a unified identity management strategy to federal government. The directive requires that all agencies make use of a single, robust credential: a Personal Identity Verification (PIV) smart card capable of being used for digital signatures and user authentication. In our survey, 23% of respondents identify deployment of PKI-based ID smart cards as one of their top three cybersecurity initiatives. The specifics of the plan to deploy PIV cards are outlined in a White House memo issued in February, titled Continued Implementation of HSPD-12: Policy For A Common Identification Standard For Federal Employees And Contractors. Agencies by now should at least have a plan on how to proceed, particularly as it relates to the integration of physical and logical access control systems, a key tenet of the government's identity management plan. According to the Office of Management and Budget's FISMA report, 89% of federal employees and contractors requiring Personal Identity Verification credentials now have them. Moreover, 66% of government user accounts are configured to require PIV cards to authenticate to agencies' networks,
up from 55% in fiscal year 2010. It's progress, but the job's not done.

Trusted Internet Connections

The third of the White House's cybersecurity priorities is consolidating traffic under the trusted Internet connections initiative, which aims to consolidate and apply baseline security measures to external network connections, including the Internet. Such controls include network filtering and other capabilities, such as the National Cybersecurity Protection System's Einstein 2 incident monitoring. That capability is being updated in Einstein 3, which adds real-time packet inspection and applies predefined signatures for threat detection. TIC should be on every agency's radar at least until September, the next critical milestone. By then, all TIC Access Providers (designated agencies that provide TIC services to other agencies) must be 100% compliant with the TIC v2.0 reference architecture. Other agencies must achieve TIC v2.0 capabilities by that same date through use of an approved and accredited TICAP for all external connections.

[Chart: Ready For Attack. What's your agency's level of preparedness for these attacks? Mean score on a scale of 1 (completely unprepared) to 5 (completely prepared):
Malware and spyware: 4.1
Phishing attacks on agency employees: 4.0
DDoS: 3.9
Cyberattack by foreign governments: 3.9
Zero-day exploits: 3.7
Leaks through service providers or partners: 3.7
Insider threats: 3.5
Unsecured mobile devices: 3.4
Leaks through social media: 3.2
Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012]

Not Ready For Social And Mobile

InformationWeek's 2012 Federal Government Cybersecurity Survey shows that agencies are least prepared for some of the newest threats. When asked to rate their level of readiness, respondents give some of their lowest scores to leaks through social media (with 28% completely or somewhat unprepared) and unsecured mobile devices (18% completely or somewhat unprepared). Federal IT managers are racing to get

ahead of those risks. The U.S. Army, for example, recently warned deployed soldiers that geotagging photos over Facebook and other social media could give away their unit's location. And the National Security Agency, the Department of Defense, and civilian agencies are evaluating how to secure mobile devices, as more employees look to use them in their daily work.

We also asked respondents to rank threats, from greatest to lowest. Topping the list are organized cybercriminals and hacktivists, a reflection of the emergence of groups such as Anonymous and LulzSec, which have launched denial-of-service attacks against some federal agencies. Insider threats rank second, followed by foreign states. Gen. Keith Alexander, director of the National Security Agency and head of the U.S. Cyber Command, testified before Congress in March on the emergence of China as one such threat. China is stealing a great deal of military-related intellectual property from the United States and was responsible for last year's attacks against RSA, Alexander told the Senate Armed Services Committee. We need to make it more difficult for the Chinese to do what they're doing, he said.

In terms of tools and technologies for establishing cybersecurity, the most widely deployed are workaday controls like firewalls (used by 96% of respondents), antivirus software (94%), anti-spyware software (93%), and VPNs (91%). Mobile device security (70%) and cloud services security (52%) are lower on the list of in-use technologies, but they're the two that will be most in demand as first-time security technologies in FY 2013. Both illustrate the evolving nature of cybersecurity requirements, as new technologies are brought into the workplace, forcing security teams to respond.

[Chart: How Will Cybersecurity Spending Change In Fiscal Year 2013? Response categories: increase more than 5%; increase 1% to 5%; stay the same; decrease 1% to 5%; decrease more than 5%; don't know or decline to say. Percentages shown: 29%, 29%, 25%, 8%, 7%, 2%. Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012]

When asked about the most significant challenge to their IT security efforts, survey respondents point first to a familiar problem: too many competing priorities and other initiatives, cited by 35%. That's followed closely by a second, equally familiar issue, resource constraints (31%). Notably, technology itself doesn't seem to be much of a problem. Only 4% of survey respondents cite lack of technical solutions as the single biggest challenge to their IT security efforts.

Agencies can ease the resource crunch by redirecting funds from lower-priority initiatives toward their cybersecurity efforts. Given the emphasis that IT pros in government place on cybersecurity, and the attention being paid by the White House and Congress, it would seem that when there's a will, there should be a budget.

Ed Moyle is a senior security strategist with Savvis, and Diana Kelley is a security adviser and consultant. Write to us at iwletters@techweb.com.
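The file integrity monitoring that Shackleford recommends in the continuous-monitoring section, shown as an added example that is not code from the article or from IANS: a directory tree is hashed into a baseline, re-snapshotted later, and the drift is classified, with an optional change allowlist so approved changes do not count as alarms. The directory layout and file contents are constructed for the demo.

```python
"""Added example, not from the article: a minimal file-integrity monitor.
Hash a directory tree into a baseline, re-snapshot it later, and classify
the drift. Paths and file contents in demo() are constructed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its bytes."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current, approved=frozenset()):
    """Classify drift; paths on the `approved` change allowlist are reported
    separately instead of raising an alarm."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in baseline if p in current and baseline[p] != current[p]}
    return {
        "added": sorted(added - approved),
        "removed": sorted(removed - approved),
        "modified": sorted(modified - approved),
        "approved": sorted((added | removed | modified) & approved),
    }


def demo(approved=frozenset()):
    """Constructed scenario: baseline a small server tree, then change it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        originals = {"etc/sshd_config": b"PermitRootLogin no\n",
                     "etc/hosts": b"127.0.0.1 localhost\n"}
        for rel, data in originals.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        # Simulated drift: one config edit, one new file, one deleted file.
        with open(os.path.join(root, "etc/sshd_config"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")
        with open(os.path.join(root, "etc/extra.conf"), "wb") as fh:
            fh.write(b"# new file\n")
        os.remove(os.path.join(root, "etc/hosts"))
        return compare(baseline, snapshot(root), approved)
```

Running `demo()` reports the edited config, the new file and the deleted file; passing `approved=frozenset({"etc/extra.conf"})` moves the new file into the approved bucket so only the two unexpected changes remain as alarms.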
Copyright 2012 UBM LLC. All rights reserved
