Recently, there has been some forward movement in the federal government's cyber security efforts. A new executive order, updates to NIST 800-53 and other efforts demonstrate growing momentum to improve federal cyber security.
Granted, the federal cyber security posture continues to be concerning, but improvements are noted. Research from Thales notes that 34 percent of the agencies were breached this year and that 65 percent of agencies have suffered similar fates in the past. Not surprisingly, albeit a bit alarming, 96 percent considered themselves vulnerable to threats.
At one level, everyone (public or private organizations) should feel vulnerable given the dynamic threat environment. Interestingly, the latest FISMA report (PDF) indicates that in 2016, 90 percent of government agencies had implemented vulnerability management programs. That's up from 2015, when it was 70 percent.
Even so, contrary to this statistic, the executive order highlights the notion that agencies are not responding to known vulnerabilities or misconfigurations.
“Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.” –Cyber Security Executive Order, May 2017
Security goes beyond discovering known vulnerabilities. Extensive monitoring and response processes and technologies are needed to detect and mitigate unknown changes that may be risky threats. The federal effort to modernize IT systems and staff with strong IT professionals will also improve the cyber security posture.
We're seeing some of these additional measures already. In fiscal year 2016, metrics were added to the FISMA assessment. Inspectors general ranked agency maturity against the NIST Cyber Security Framework's functional areas: Identify, Protect, Detect, Respond and Recover.
Offering tangible and prescriptive bars to reach will promote more effective cyber security. The median government-wide rankings were either level 2 or 3. That’s good, but there’s still room for improvement.
A big take-away from the cyber security executive order was the shift in accountability, where the head of the agency has the ultimate responsibility versus just the CISO/CIO. This paradigm shift has already occurred in the private sector.
Cyber attacks are seen as business or organization issues and not just technology problems. The benefit to this change in focus will hopefully unite government agencies behind their respective cyber goals. Towards that end, everyone in the agencies will need to contribute.
At this point, it seems the changes to the FISMA Security Rule NIST 800-53 (now revision 5) have matured the document to speak to all organizations, not just federal agencies, and updated its terminology to address new threats and become more outcome-based.
For example, it went from "information systems" to "systems" in an effort to address new areas such as industrial/process control systems, cyber physical systems, weapons systems, IoT devices, etc. The wording of the controls has also changed, but the intent has not. Overall, revision 5 seems like a series of format changes that will have minimal impact on current efforts to align with NIST 800-53.
"Please note that the proposed changes described below have no effect on the actual security and privacy controls, and organizations would not be expected to make updates to security plans, tools, or templates outside of the normal update schedule to accommodate these changes." –NIST 800-53 Rev 5 Status Update, March 28, 2017
Not all industries are subject to this level of transparency and scrutiny of their cyber security posture. And achieving FISMA compliance can be daunting.
Tripwire recently worked with SANS and other security experts on a webcast to show how the SANS 20 Critical System Controls can help you achieve FISMA compliance. Watch the recorded webcast to gain pragmatic advice. You can also learn more about Tripwire's efforts to support your FISMA NIST 800-53 compliance.