The National Geospatial-Intelligence Agency has a better understanding of where its cybersecurity shortcomings lie.
To be clear, NGA recently passed several key audits required for its unclassified systems.
But Gary Buchanan, the chief information security officer at NGA, said at a recent AFCEA DC panel that these audits are actually helping the agency better protect its data and networks instead of just pointing out problems.
“We just passed our Command Cyber Readiness Inspection (CCRI). We had a cybersecurity service provider (CSSP) and a public-key infrastructure (PKI) inspection in [earlier this spring]. Of course that was six months of prep, but we did pass and really a lot of things got illuminated from that in challenges with continuous monitoring,” Buchanan said at the event, an excerpt of which was played on Ask the CIO. “The piece that I, that I really want to talk about with that is the negative connotations that people have with inspections that they have with CCRI, CCORI or any type of inspections as done with you as a CISO. I welcome them. It goes back to my first job in the IC where I was a janitor, and I was cleaning a building that used to be called Defense Mapping Agency. In that building, I’m 6’1″, but my vision is at a different level than some of the folks that I worked with, who were generally shorter than me, and what I saw that needed to be cleaned and what they saw that needed to be cleaned were two different things. When you have those inspections that we just went through and we passed, I have to keep on saying that we passed, the different mindset, the different look that someone’s giving you at a different level is phenomenal.”
The reviews, which he said are a true “deep dive into our overall security posture,” helped identify some gaps in NGA’s architecture and other areas where it could improve.
Earlier this summer, DoD also scheduled an analysis or inspection of NGA’s classified network and systems.
“I’ll tell you that from our PKI standpoint and our identity and access management, we knocked it out of the park from a CSSP, which is the cybersecurity service provider. We scored a 96%, which means all of our policies, procedures and our technologies and tactics for defending at the edge were very good,” he said. “Some of our challenges, internal included, the continuous monitoring pieces of patching, some STIG compliance, some of the things that tend to get you and how you set up your vulnerability scans and how you’re monitoring, there’s two different ways to look at it.”
Updated RMF for DoD
Buchanan said the audit helped NGA take a different look at its patching processes and where network vulnerabilities may exist.
That idea of an agency understanding its risks is a central theme as the Defense Department updates its 8510 publication, which is its internal version of the risk management framework (RMF).
The latest version came out in mid-July, outlining four key changes, including establishing policy, assigning responsibilities and prescribing procedures for executing and maintaining the RMF, and providing guidance on reciprocity of system authorization decisions for the DoD in coordination with other federal agencies.
David McKeown, the deputy CISO at the Defense Department, said in May before the latest version came out that the RMF policy will focus on better integration with cyber operations before a service certifies or accredits a system.
“Many of the cyber professionals out there, Cyber Command or Joint Force Headquarters Defense Information Network (JFHQ-DoDIN) and even your CSSPs were really not aware of the risks in the system. So we’re adding some flavor in there to tie those two together, the operations folks with the authorizing official,” he said. “We’re working with the CISOs from the various departments right now. They’ve got a target team making some recommendations on things we can do better. We have some zealots out there who when they do a security control assessment they think that everything that’s on the RMF knowledge service they have to do to the letter of the law. We’re going to make some color coding to say these are absolute must-dos, and these are optional to encourage tailoring. Tailoring has been around forever, but people still choose not to use it. They would rather do all the controls and do them to the letter of the law, which can be costly and time consuming.”
Additionally, DoD is working on an implementation memo to help ease the burden and increase the speed of applying the new requirements in the RMF.
Adding risk management to oversight
NGA also is applying the risk management framework to address any planning or governance shortcomings.
Buchanan said NGA program managers have done well to monitor cost, schedule and performance, but not necessarily security as part of that oversight effort.
“There was never the question on how secure was it? How are you keeping it up to date? How are you monitoring that application or whatever it is that you put up?” he said. “That’s really a culture change that we’re working at NGA. We’re having a cyber risk management slide for every single program or application at NGA. Once a year, they come before our CIO and it’s how I’m dealing with costs, my performance, here’s my challenges. By the way, here’s my cyber risk posture, and that slide is not put together by them, but that’s put together on my team. That’s an opportunity to highlight stellar performers from a cyber perspective and those who need some help from a cyber perspective.”
Angel Phaneuf, the CISO for the Army Software Factory, said by training soldiers and civilians to develop software, the Army is mitigating risks at the front end of the process.
For example, the Army Software Factory recently launched two new applications — one helps reservists find jobs in the local community and one to help with land resource management in Hawaii — where security wasn’t an afterthought, but was part of the discussion with the user from the beginning.
“We’re going through all of the documentation now, and we’re making our plan work for our developers, our end users and our platform engineers as well,” Phaneuf said. “That’s the most important part. I think a lot of the times in the past, cybersecurity has put solutions in place, and hasn’t really thought about the people that are using it. So we’re trying to make sure that our implementation and our process doesn’t impact our ability to deploy apps, but keeps us safe and secure.”
The implementation Phaneuf describes at the Army Software Factory is based on reviewing the controls outlined in the RMF and determining which ones make the most sense and which ones can be automated from the application or platform standpoint.
“We’re continuously improving on this journey. We’re doing a really good job right now,” she said. “Our application security validation engineers go through and check to make sure that our tools are doing the right things that they’re supposed to be doing and that the applications are doing the right things they’re supposed to be doing. We’re continuously hitting those controls and answering those controls with our automation.”