There was no candy-coding the inspector general report the State Department received last summer. It was bad.
The IG report said the department’s Bureau of Information Resource Management’s Office of Information Assurance isn’t doing enough to protect the agency’s networks. But the IG report also is proving to be invaluable for State. Bill Lay, State’s chief information security officer, said the IG report helped the agency reexamine how it organizes and addresses cybersecurity oversight, and, in the end, make it more efficient and effective. “We’ve taken a multi-faceted approach,” Lay said. “For the past year, we’ve worked very closely with our human resources organization on workload assessments, making sure we had the right positions, skill sets, structure and really building an organizational capability to do the work we really needed to do to get after all of those recommendations the IG put forth. On the fiscal side, the budget that I have discretionary authority over, my boss actually doubled from 2013 to 2014. That was huge. That really moved things along quickly. Now, throwing money at a problem doesn’t fix it, so we had to have a very structured corrective action plan. We sent it through our C-level management council for the department and got input from the IG saying here are discrete actions we are going to take.”
Lay said one example of the actions under the corrective plan is to bring better cybersecurity skills to the mission or system owners. He said many times these executives don’t have a cybersecurity background to approve a system or fully understand all the risk aspects a system faces.
“We’ve really redoubled our efforts in that we went out and hired new staff using basically a desk officer approach,” he said. “I’m calling them bureau system owner liaisons in that when it comes to meeting Federal Information Security Management Act (FISMA) requirements or just overall cybersecurity concerns at a bureau or mission level, we aren’t just throwing a requirement at them, we are meeting them more than halfway and walking them through the process so they will be successful and we are bringing them across the finish line. That has already, even though we’ve just been doing it for only a few months, is starting to generate huge gains. A lot of the repeat findings and recommendations the IG identified over the last few years, this type of approach where we are really reaching out and embracing our bureau customers is really paying dividends.”
Lay said his office’s budget increased to $14 million in 2014 from $7 million last year. He said a large chunk went for contractor support to improve FISMA compliance efforts. A second area he spent money on was security tools, specifically for databases and middleware to tie together the assorted tools and sensors.
“We bought the tools and the skill sets necessary to really weave it into a whole, so we can pull the data together be able to see a much bigger single synchronized picture,” he said.
State has long been a leader in government in using cybersecurity data to make better decisions. Its iPost tool really set the stage and showed the value of continuous monitoring.
“The tools that we are using are commercial tools, whether it’s monitoring our networks, our databases, patch management or configuration management on desktops and servers,” he said. “Instead of directing those feeds and data flows to our in-house tool, we’re using basically industry standards and moving it into COTS solutions. That’s one of the big criteria we are asking for when we work with vendors. We want all the vendors to play nicely with the rest of the community — proprietary solutions really aren’t helping us or the rest of the government. We need standards so the data can flow. We don’t want a lot of manual intervention. We are approaching this as a big data issue.”
With thousands of tools across the world, Lay said State needs to capture the information, pull out false positives and deliver the information to decision-makers so that it’s useful immediately.
Lay said the move to the tools under the CDM program is more of a transition and less about implementing new tools. He said State knows what it’s looking for from the CDM vendors in terms of software and hardware because of its experience with its current continuous monitoring program.
“We really want to mature our dashboard,” he said. “At the end of the day, we want the information to be actionable by our decision-makers and our senior leaders. Where we are trying to take our dashboard is more than just a meter saying ‘You are doing better today than yesterday.’ Where we are trying to go is to have the dashboard become part of a decision support tool in that our senior leadership will have a better sense especially when it comes to actionable decisions of what does it mean, why is it important and how does it influence the risk posture or ability to carry out, in our case, our foreign service mission?”