
Information Security: Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies.

GAO-10-237 March 12, 2010

To reduce the threat to federal systems and operations posed by cyber attacks on the United States, the Office of Management and Budget (OMB) launched the Trusted Internet Connections (TIC) initiative in November 2007. Later, in 2008, the Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS), operationally known as Einstein, became mandatory for federal agencies as part of TIC. For each of these initiatives, GAO was asked to (1) identify their goals, objectives, and requirements; (2) determine the status of actions federal agencies have taken, or plan to take, to implement the initiatives; and (3) identify any benefits, challenges, and lessons learned. To do this, GAO reviewed plans, reports, and other documents at 23 major executive branch agencies, interviewed officials, and reviewed OMB and DHS guidance.

The goals of TIC are to secure federal agencies' external network connections, including Internet connections, and improve the government's incident response capability by reducing the number of agencies' external network connections and implementing security controls over the connections that remain. In implementing TIC, agencies could either provide their own access points by becoming an access provider or seek service from these providers or an approved vendor. To achieve the initiative's goals, agencies were required to (1) inventory external connections, (2) establish a target number of TIC access points, (3) develop and implement plans to reduce their connections, (4) implement security capabilities (if they chose to be an access provider) addressing such issues as encryption and physical security, and (5) demonstrate to DHS the consolidation of connections and compliance with the security capabilities (if they chose to be an access provider). As of September 2009, none of the 23 agencies had met all of the requirements of the TIC initiative. Although most agencies reported that they have made progress toward reducing their external connections and implementing critical security capabilities, most agencies have also experienced delays in their implementation efforts. For example, the 16 agencies that chose to become access providers reported that they had reduced their number of external connections from 3,286 to approximately 1,753. Further, agencies have not demonstrated that they have fully implemented the required security capabilities. Throughout their reduction efforts, agencies have experienced benefits, such as improved security and network management. However, they have been challenged in implementing TIC because OMB did not promptly communicate the number of access points for which they had been approved and DHS did not always respond to agency queries on security capabilities in a timely manner. 
Agencies' experiences with implementing TIC offered OMB and DHS lessons learned, such as the need to define program requirements before establishing deadlines and the usefulness of sponsoring collaborative meetings for agencies' implementation efforts.

Einstein is intended to provide DHS with an increased awareness of activity, including possible security incidents, on federal networks by providing intrusion detection capabilities that allow DHS to monitor and analyze agencies' incoming and outgoing Internet traffic. As of September 2009, fewer than half of the 23 agencies had executed the required agreements with DHS, and Einstein 2 had been deployed to 6 agencies. Agencies that participated in Einstein 1 improved identification of incidents and mitigation of attacks, but DHS will continue to be challenged in understanding whether the initiative is meeting all of its objectives because it lacks performance measures that address how agencies respond to alerts.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.

Director: Gregory C. Wilshusen Team: Government Accountability Office: Information Technology Phone: (202) 512-6244

Recommendations for Executive Action

----------

Recommendation: In order to ensure that federal agencies continue to have adequate information about the number of connections for which they have been approved, the Director of OMB should communicate its final decisions on agency requests for additional TIC access points in a consistent and timely manner.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

----------

Recommendation: In order to ensure that federal agencies continue to have adequate information about the number of connections for which they have been approved, the Director of OMB should assess the efficacy of, and take steps to apply as appropriate, the lesson learned during the initial implementation of TIC regarding the need to define future requirements before establishing deadlines.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

----------

Recommendation: In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should provide agencies with timely responses to their questions seeking clarification on TIC security capabilities.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

----------

Recommendation: In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should enhance TIC compliance validations by including (1) direct testing and evaluation of the critical capabilities and (2) evaluation of the capabilities at all agency TIC locations.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

----------

Recommendation: In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should, before activating Einstein sensors, ensure that both DHS and participating agencies (1) execute required service level agreements and (2) sign site deployment checklists.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

----------

Recommendation: In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should establish milestones for agencies to submit required Einstein agreements.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

----------

Recommendation: In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should, to better understand whether Einstein alerts are valid, develop additional performance measures that indicate how agencies respond to alerts.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

----------

Recommendation: In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should assess the efficacy of, and take steps to apply as appropriate, lessons learned during the initial implementation of these initiatives such as the need to (1) define future requirements for TIC before establishing deadlines and (2) make agencies aware of their ability to access Einstein flow data.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Categories: April 12, 2010, Comprehensive National Cybersecurity Initiative, Computer networks, Computer security, Computer security incidents, Cyber security, Federal agencies, Government information, Homeland security, Information security, Information security management, Information security regulations, Information systems, Information technology, Internal controls, Internet, Intrusion detection systems, Lessons learned, Monitoring, National Cybersecurity Protection System, Performance appraisal, Requirements definition, Strategic planning, Trusted Internet Connections initiative
COPYRIGHT 2010 Stonehenge International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2010 Gale, Cengage Learning. All rights reserved.

Article Details
Publication: General Accounting Office Reports & Testimony
Date: Jun 1, 2010