The Federal Desktop Core Configuration initiative and its predecessor proof of concept in the Air Force is the most significant success in federal cybersecurity to date, a group of cybersecurity experts said in a report this week.
The Air Force led the way for the federal effort by creating a standard configuration for two Microsoft Windows operating systems and using its procurement power to drive vendors to install the secure configuration in delivered computers. As a result, the Air Force reduced network patch time from 57 days to less than 72 hours, according to the report, which was released Dec. 10.
Agencies that are upgrading their computers to Microsoft XP or Vista must adopt the Federal Desktop Core Configuration by February 2008 under Office of Management and Budget requirements.
“Federal agencies gain improved security configurations, faster system patching, and lowered procurement and operating costs,” states the consensus paper on what works in federal cybersecurity.
The document is available for comment until Feb. 8, 2008. The authors will issue a final report Feb. 14. The authors are Alan Paller of the SANS Institute, Paul Kurtz of Good Harbor Consulting, Jim Lewis of the Center for Strategic and International Studies, John Gilligan of SRA International and Frank Reeder of the Reeder Group.
The effective projects that the group highlighted prevented cyberattacks, reduced national vulnerability or minimized the damage and recovery time from attacks. Each project’s impact had to be measurable. For example, deployment of the Defense Department’s Common Access Card produced a large decrease in the opportunity for unauthorized access to government computers. The card let DOD implement two-factor authentication – a password and physical identification card. DOD’s success led to the Homeland Security Presidential Directive 12, which, when fully implemented, will provide for two-factor authentication.
The most promising cybersecurity program is the Security Content Automation Program (S-CAP), which will automate the monitoring for vulnerabilities to patching systems and applications. It engages all the players, from application and system software developers to system management tool suppliers to security tool suppliers, to upgrade their tools so they can work together to protect federal and other critical systems. S-CAP, however, has not yet been implemented in enough commercial applications to permit full automation.
“Once S-CAP is fully operational, agencies and industry can expect substantial cost reductions because they will be able to eliminate much of the manual effort currently associated with finding and fixing vulnerabilities in the software they have deployed,” the report states.
The authors also cited Einstein, the federal program that monitors and analyzes network traffic outside an agency’s firewall. Currently, 14 agencies have installed Einstein sensors at their network gateways. Einstein will be incorporated into OMB’s Trusted Internet Connection program, which will reduce the number of external agency network connections, so that all traffic into agencies will be monitored.
Other successful cybersecurity programs are:
The National SCADA (Supervisory Control and Data Acquisition) Test Bed and Control Systems Security program to protect control systems that manage power plants and other critical infrastructure.
The Justice Department’s Computer Crime and Intellectual Property Section, the FBI’s Cybersecurity Program, and cybersecurity programs of the Secret Service and Postal Inspection Service, all of which work at identifying, capturing and imprisoning cyber criminals for longer periods.
