Editor’s Note: A comment from the Interior inspector general’s office was added to the story on Oct. 26.
There’s a problem with many reports from federal auditors that doesn’t get mentioned often enough in government. Many times these inspector general or Government Accountability Office reports are just snapshots in time and could be as much as 6-to-12 months old in terms of the actual state of the federal agency.
This is not to say auditor reports are not worthwhile. Just the opposite, these studies put agencies on notice about problems that need immediate attention.
The problem comes in when reporters and members of Congress believe the most recent report still is accurate.
The latest example is with the Interior Department’s IG report on the agency’s implementation of the continuous diagnostics and mitigation (CDM) program from the Homeland Security Department.
The IG released a report on Oct. 17 highlighting what seem to be major problems with Interior’s implementation of this key cybersecurity program. Among the most eye-opening findings from auditors were that it will take Interior five years longer than first planned to reach “steady state” of CDM, in 2019, and that the agency is not doing a good enough job of protecting high-valued assets, including leaving more than 90,000 critical and high-risk vulnerabilities unpatched for more than two years.
At first glance, the “wow” factor is huge — 90,000 unpatched vulnerabilities and a five-year delay with CDM.
But if you dig a little deeper, you’ll find why auditors’ reports sometimes shouldn’t be taken at face value.
Sylvia Burns, Interior’s chief information officer, said the data the auditors are relying on is more than a year old.
“The report that they did when they took the survey of those vulnerabilities was in 2015, so over a year ago and by-and-large, the vast majority of those vulnerabilities have been remediated,” Burns said in an interview with Federal News Radio. “But I think the thing that is valid in what they are calling attention to is the basics. It’s management paying attention to the vulnerabilities. Not sustaining critical or high vulnerabilities on your network for any extensive length of time.”
Burns said Interior’s IT staff met weekly over the last year and now meets every two weeks to ensure they are on top of all potential and real system cyber problems.
“What you shine the light on gets done, and that’s true,” she said. “I feel like I’m doing my best to do that.”
Agencies have been focused on fixing critical vulnerabilities and protecting high-valued assets since OMB’s cyber sprint in 2015. DHS Secretary Jeh Johnson signed a Binding Operational Directive in June requiring all agencies to work with DHS to assess their high-valued assets. So a 2015 report on Interior’s vulnerabilities is far from accurate.
Another shortcoming in the IG report was around Interior’s implementation of CDM. Again, on the surface auditors saying steady state of CDM will not happen until 2019 seems like a “what the heck is going on?” moment.
What the IG doesn’t mention or seem to take into account is that Interior’s implementation of the tools and services is based on a schedule determined, in large part, by DHS and the contractor serving the group Interior is a part of.
Burns said DoI is on schedule for Phase 1.
“The contract for phase one wasn’t actually open to us until early 2015 so we couldn’t have done anything before that. I think when we were talking about a September 2014 date, which they cite in the report, we were talking about that on preliminary what DHS was talking about early and what they thought they were going to be able to do,” she said. “The truth is we didn’t have anything we could do until early 2015 so phase one really started for us in 2015 and I feel like we’ve done a decent job. Phase one will not be done until May 2017, and then really for us have the organization absorb that, we put more time in to get the work processes down. It’s not just about cutting over and have the tool operate, it’s really about how we are using the tool to manage our environment. That’s why if we cited it goes longer than that, it’s because of our absorption of the capabilities.”
Burns said implementing CDM is going to be a constant and overlapping series of efforts to fully meet all four phases of the program.
“If you are going to do a good implementation, you have to have qualified people behind all this stuff. You can’t just buy these tools, and as my chief information security officer says, ‘Have blinky lights without anyone watching them.’ If you have all these tools and don’t have the ability to do anything with these tools and data, you aren’t any better off than when you didn’t have the tool,” she said. “I’ve had to modify my own anxiety to have wanted something yesterday and being impatient about it, to actually being more measured and saying, ‘What’s really more important for me is whatever we implement, we implement it rock solid so that it’s working properly here and we are deriving the benefit from it. That outweighs the fast.’”
In response to Burns’ comments, the Interior IG said their results and conclusions continue to be relevant as presented.
“We’ve run intermediate tests that, unfortunately, demonstrate the weaknesses laid out in this month’s CDM evaluation will continue to persist until the underlying conditions have been fully addressed,” the IG said in an email to Federal News Radio.
Two industry sources, both of whom requested anonymity in order to talk about the CDM program more candidly, said Interior’s struggles are not uncommon across the government.
One source said the pace of deployments is slow, and after three years only the Office of Personnel Management has fully deployed phase one.
The source said all other agencies are in various states of deployment or haven’t yet started.
Another industry source said that, based on the IG’s report, Interior is struggling with project management based on its CDM contractor’s schedule — again, not uncommon across the government.
The source said any plan must be done in a collaborative manner, laying out a reasonable timeline based on the size, complexity and risks associated with CDM implementation.
Federal CIOs are optimistic about the cyber tools and services. Federal News Radio’s survey from August of CIOs, deputy CIOs and other IT managers found just over half of all respondents said CDM would either be a game changer or have significant impact on their agency’s cybersecurity posture.
Several CIOs commented on the challenges of integration of the tools.
“The problem with the approach is that the integration is lacking — we’re taking pieces of a suite of products that do not necessarily match the needs of the components within an agency. It’s not yet clear that the integrator efforts will resolve this to create an effective and lasting system. Another theory vs. practical issue,” one CIO respondent said.
And that’s also where the IG report on Interior does help. It brings up some practical challenges Interior faces, including having quality software and hardware inventories, and improving how it ensures systems and software are configured properly.
And at least some of these problems can be fixed in the short term. For example, the IG pointed out that Interior already is using IBM’s Big Fix software for inventory management, and that it could expand the use of the technology to know what’s on its network.
Burns said over the last year Interior has taken major steps toward improving its cybersecurity such as enforcing two-factor authentication for computer access for its network, for remote access and for email.
“Even with these hard things happened and they had mission impact, we go in with our eyes wide open and understand what the impacts are and then deal with them separately,” she said. “The whole experience [of the cyber sprint] helped Interior and IT mature, and actually become more close together and for IT to be closer to the mission. Frankly, we couldn’t be talking about some of these things had we not gone through that experience.”