Federal system administrators feel mandated efforts are improving IT security

For the third consecutive year, a majority of federal decision makers surveyed on cybersecurity say they are more confident about their agency’s information technology security posture now than they were four years ago. A large majority also said they are spending more time each year complying with mandated security requirements.

The figures, included in a survey of 223 IT officials in more than 40 civilian and Defense agencies released today by Cisco, seem to indicate that security mandates from Congress and the Office of Management and Budget are focusing on the right things. The top priorities were achieving compliance with the Federal Information Security Management Act (FISMA) and implementing the president’s Comprehensive National Cyber Security Initiative.

A primary element of the president’s cyber initiative is the Trusted Internet Connection (TIC), an effort to consolidate and better manage government network connections.

“I think that is a really good move, to focus resources on fewer connections,” said David Graziano, Cisco’s manager for federal security solutions. However, he could not say whether federal IT security really has been improving steadily during the past four years.

The survey is the fourth annual study conducted for Cisco by the research firm Market Connections Inc. It claims a margin of error of plus or minus six percent.

Although confidence in agency IT security has consistently been high in the surveys, the level increased this year to 60 percent of respondents, compared with 51 percent last year who felt that their security had improved. A similar number, 64 percent, said they are spending more time this year on mandated requirements. Only 6 percent reported they are spending less time on these issues.

Respondents were evenly split in making FISMA and the cybersecurity initiative top priorities, at 48 and 47 percent, respectively. However, close behind among the leading issues were achieving green status in the President’s Management Agenda, improving grades on the Government Accountability Office’s scorecard and the job of linking budget to program performance.

Graziano said that civilian agencies tend to be more concerned about FISMA compliance than those in the Defense Department, probably because DOD gets only one grade covering all of its services and offices in the annual FISMA report card. “A lot of people are protected by that,” he said.

However, DOD also has been a leader in initiating security programs, such as an interoperable smart ID card, that have been adopted by the civilian side of government. DOD also benefits from a clear focus on a single mission of protecting the warfighters and the network assets supporting them, which contributes to cybersecurity.

“They may be about a year ahead of the civilian side,” in cyber security, Graziano said.

Most administrators surveyed said that they still are focused on responding to incidents and putting out fires.

“It is a one-time security breach they are most concerned with,” Graziano said.

The security issues that keep them awake at night are the exposure of personal data in security breaches, inadequately trained or unconcerned users and the impact on operations of a security breach.

More of the threats that respondents are worried about are coming from interactive Web 2.0 services, such as peer-to-peer communications and file sharing, remote access to data and social networking. One in five respondents reported they were involved in securing these technologies in their agencies. These are issues that administrators will have to come to terms with, like it or not, Graziano said.

So far, the use of online social networking and wikis for official business has been mostly limited to a few in-house sites for information sharing hosted on intranets in the intelligence community. But, “younger people joining the government workforce are used to these tools” and will expect to have access to them, Graziano said. “I think we are going to see some agencies adopt these and learn to manage them, while others will put up roadblocks. Those that embrace them will be seen as more forward thinking,” and might find it easier to attract new employees.

Concerning the president’s cyber security initiative, about 45 percent of respondents said they plan to manage their TICs entirely in-house, with another 32 percent managing at least some of the connections in-house. Only 19 percent plan to outsource their connections entirely.

“I think it’s a sense of controlling your own destiny,” Graziano said of these plans. Many agencies have had bad experiences in outsourcing networking services in which they did not get the quality of service or flexibility they wanted.

The primary challenges identified for meeting guidelines for the TIC program are maintaining service capability and the ability of security and network operations centers to handle the consolidated traffic. Getting adequately qualified staff also is a concern, as is the ability to perform deep packet inspection on network traffic.

There is a great deal of uncertainty over how much time and resources will go to the cyber initiative in the coming year.

“The budget dollars haven’t gone out to the agencies yet,” Graziano said. Priorities follow the money and officials do not know yet how much money they will have to spend on these issues.
