Cyber Security: The Status of Information Security and the Effects of the Federal Information System Management Act at Federal Agencies
Bruce Morrison, Acting Chief Information Officer
Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census
Washington, DC
June 24, 2003
Good Morning Mr. Chairman and Members of the Committee. I am honored to be here and appreciate the opportunity to discuss information security at the Department of State. With your permission, I will submit my written testimony for the record.
While we are not yet where we would like to be in cyber security, I would like to take this opportunity to report on the initial stages of improving our program.
I would like to state that we at the State Department have the highest level of support from Secretary Powell and Under Secretary for Management Green. Secretary Powell considers Information Technology [IT] and Security to be a strategic component in implementing U.S. foreign policy.
Let me summarize IT Security at State
We have long established a strong perimeter defense with technical, physical, and personnel controls, anti-virus, firewalls, intrusion detection, and incident reporting.
However, we realize that a sound cyber security program is built upon a defense-in-depth strategy that includes management controls as well as technical and operational measures. What we have lacked in the past is a comprehensive management structure and a serious Systems Authorization program.
A New Day
It is a new day at State, with the convergence of several events bringing a fresh approach and commitment to cyber security. First, GISRA [Government Information Security Reform Act] and then FISMA [Federal Information System Management Act] focused top management attention on cyber security. Second, we have new cyber security leadership at State; I stepped into the position of acting CIO [Chief Information Officer] six months ago. Additionally, there is a new Assistant Secretary for Diplomatic Security with whom we collaborate closely. Finally, OMB [Office of Management and Budget] very helpfully mandated that we authorize all systems by 4th Quarter FY 2004.
Our new organization is giving birth to a new cyber security culture, and is producing results. We have a new Office of Information Assurance headed by a senior officer reporting directly to me. This office handles IT security policy, program management, performance measures, risk management, and reporting.
There is increased Department-wide cyber security focus as all offices are now involved to some degree in cyber security through the Plans of Actions & Milestones (POA&Ms) process and awareness programs. As I mentioned, there is excellent rapport and collaboration between the CIO and the Bureau of Diplomatic Security on all aspects of cyber security. A similarly cooperative partnership exists with the Chief Financial Officer on Critical Infrastructure protection and the information technology budget.
We have a senior-level, multi-disciplinary Cyber Security Advisory Group. There is a close working relationship with the Office of the Inspector General [IG]. In bi-weekly meetings with the IG, we discuss a variety of cyber security issues with FISMA requirements and systems authorization taking center stage.
Security and Capital Planning and Investment Control (CPIC)
State has recently established an E-Gov Program Board chaired by Under Secretary for Management Green to manage all IT funds.
Information Assurance experts now review every IT system budget request to assure that appropriate security considerations are budgeted and executed.
Cyber security is represented at all levels of the budget process. We have initiated ongoing training for Systems Owners on completing the security part of budget submissions.
We have developed a new process for IT, which is a hybrid of NIACAP [National Information Assurance Certification and Accreditation Process] and NIST [National Institute of Standards and Technology] guidance and categorizes systems by type and security classification level. The plan was developed and submitted to OMB in March and budgeted in mid-April. We are on track with 10% of our systems done and with goals of 33% by August 2003 and 100% by August 2004.
Institutionalizing Cyber Security
We are taking specific steps to institutionalize cyber security management and practices. New systems are addressing security from the outset and will undergo C&A [Certification and Accreditation] so that they are authorized before being put into operation. In our future budgets, requests will include security costs. Regular awareness sessions for all users, establishing a cyber security corps and mandatory training for the security practitioner will assist in institutionalizing cyber security throughout the Department.
In summary, FY 2003 Progress
We are still in the early stages of creating a comprehensive cyber security program, but we have made great strides over the past few months. This progress contributed to our PMA [President's Management Agenda] score of green for E-Gov progress.