Despite repeated embarrassing and potentially damaging incidents, the federal government is still bedeviled by information security shortfalls and, it seems, by turf wars over how to fix them.
This Unbossed story on a report released earlier this month by the Government Accountability Office offers plenty of scary information. In fiscal year 2005, for instance, federal agencies reported 3,634 security incidents to US-CERT; by fiscal year 2007 the count had risen to 13,029. The Unbossed story offers several examples, with the notorious loss of personal information on 26.5 million current and former members of the armed forces by the Department of Veterans Affairs heading the list.
The report says that most federal agencies have not implemented adequate controls, often do not manage correctly the controls that are in place, and lack agency-wide security programs. The agencies' inspectors general are also under-performing in a number of ways, all of which are outlined in the story. (A link to the GAO press release on the report, which itself links to a fact sheet and the full report, is available here.)
It would be unfair to say that no advances have been made, however. For instance, the National Institute of Standards and Technology (NIST) earlier this month launched a Web page listing validated software tools. The page is associated with the Security Content Automation Protocol (SCAP), an effort of NIST, the Department of Defense, the Department of Homeland Security and MITRE Corp. SCAP is a framework for "identifying, enumerating, assigning and sharing security-related data," according to TechNews. The new page lists the products that independent laboratories have assessed as SCAP-compliant, so an agency can check a vendor's claim against the list rather than take it on faith.
Such steps notwithstanding, federal information security seems to be a battleground between a Republican White House and a Democratic Congress. Government Executive says that hopes for a comprehensive federal data security bill are dwindling for this session of the House. However, there still is hope for tweaks to the Federal Information Security Management Act (FISMA). The changes on the table would broaden the definition of "personally identifiable information," strengthen reporting and auditing requirements, and change procedures for assessing the sensitivity of lists bought by agencies from commercial brokers.
The fate of the bill -- as limited as it seems to be -- is by no means certain. The story quotes an administrator in the Office of Management and Budget who is critical of the bill, followed by a comment from the president of the Cyber Security Industry Alliance who is in turn critical of OMB. The sense is that time is short and that meaningful action will be difficult.
On another topic that seems as much about partisan politics as data protection, The Wall Street Journal reported in late January that the administration wants to spend $6 billion on cyber security. This ZDNet posting raises a caveat about the proposed expenditure: the administration does not want to say precisely what the money will be spent on, while Congress feels it has a right to know.
The government's rationale is that the new hardware and software will be more effective if the bad guys don't know what they are facing. The blogger argues that transparency is the better approach and urges Congress not to fund the projects until the administration releases more information. The bottom line is that this is a significant amount of money: by the blogger's reckoning, $6 billion exceeds the revenue of the entire firewall industry and is one-fourth the size of the whole security sector.
Judging by the government's track record in protecting information, this Computerworld piece -- which describes the growing use of private data centers to store sensitive information held by federal agencies -- should be considered good news. Many of the data centers are highly secure, with barriers, bulletproof materials and other physical and electronic protections, the story says. The hot area for these sites is close to the Washington, D.C., Beltway. One example is a facility being built by Terremark Worldwide in Culpeper County, Va., which is to be certified to hold Top Secret/Sensitive Compartmented Information (TS/SCI), a top-secret classification with additional compartment controls. Physical hardening addresses only part of the problem, though: the weaknesses GAO catalogues are largely in access controls, configuration management and agency-wide programs, none of which a bulletproof building fixes.