Information Security: Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies
Highlights
To reduce the threat to federal systems and operations posed by cyber attacks on the United States, the Office of Management and Budget (OMB) launched, in November 2007, the Trusted Internet Connections (TIC) initiative, and later, in 2008, the Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS), operationally known as Einstein, became mandatory for federal agencies as part of TIC. For each of these initiatives, GAO was asked to (1) identify their goals, objectives, and requirements; (2) determine the status of actions federal agencies have taken, or plan to take, to implement the initiatives; and (3) identify any benefits, challenges, and lessons learned. To do this, GAO reviewed plans, reports, and other documents at 23 major executive branch agencies, interviewed officials, and reviewed OMB and DHS guidance.
The goals of TIC are to secure federal agencies' external network connections, including Internet connections, and improve the government's incident response capability by reducing the number of agencies' external network connections and implementing security controls over the connections that remain. In implementing TIC, agencies could either provide their own access points by becoming an access provider or seek service from these providers or an approved vendor. To achieve the initiative's goals, agencies were required to (1) inventory external connections, (2) establish a target number of TIC access points, (3) develop and implement plans to reduce their connections, (4) implement security capabilities (if they chose to be an access provider) addressing such issues as encryption and physical security, and (5) demonstrate to DHS the consolidation of connections and compliance with the security capabilities (if they chose to be an access provider). As of September 2009, none of the 23 agencies had met all of the requirements of the TIC initiative. Although most agencies reported that they have made progress toward reducing their external connections and implementing critical security capabilities, most agencies have also experienced delays in their implementation efforts. For example, the 16 agencies that chose to become access providers reported that they had reduced their number of external connections from 3,286 to approximately 1,753. Further, agencies have not demonstrated that they have fully implemented the required security capabilities. Throughout their reduction efforts, agencies have experienced benefits, such as improved security and network management. However, they have been challenged in implementing TIC because OMB did not promptly communicate the number of access points for which they had been approved and DHS did not always respond to agency queries on security capabilities in a timely manner. Agencies' experiences with implementing TIC offered OMB and DHS lessons learned, such as the need to define program requirements before establishing deadlines and the usefulness of sponsoring collaborative meetings for agencies' implementation efforts. Einstein is intended to provide DHS with an increased awareness of activity, including possible security incidents, on federal networks by providing intrusion detection capabilities that allow DHS to monitor and analyze agencies' incoming and outgoing Internet traffic. As of September 2009, fewer than half of the 23 agencies had executed the required agreements with DHS, and Einstein 2 had been deployed to 6 agencies. Agencies that participated in Einstein 1 improved identification of incidents and mitigation of attacks, but DHS will continue to be challenged in understanding whether the initiative is meeting all of its objectives because it lacks performance measures that address how agencies respond to alerts.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of Management and Budget | In order to ensure that federal agencies continue to have adequate information about the number of connections for which they have been approved, the Director of OMB should communicate its final decisions on agency requests for additional TIC access points in a consistent and timely manner. |
In fiscal year 2012 OMB reported, in response to our recommendation, that DHS communicated OMB's final decisions to agencies on agency requests for additional TIC access points in May 2010.
|
| Office of Management and Budget | In order to ensure that federal agencies continue to have adequate information about the number of connections for which they have been approved, the Director of OMB should assess the efficacy of, and take steps to apply as appropriate, the lesson learned during the initial implementation of TIC regarding the need to define future requirements before establishing deadlines. |
In fiscal year 2012 OMB reported that M-09-32, Update on Trusted Internet Connections Initiative, defines program requirements and establishes deadlines for meeting the TIC initiative.
|
| Department of Homeland Security | In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should provide agencies with timely responses to their questions seeking clarification on TIC security capabilities. |
In fiscal year 2011 we verified that DHS TIC Program Management Office, in response to our recommendation, provides agencies with timely responses to their questions seeking clarification on TIC security capabilities.
|
| Department of Homeland Security | In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should enhance TIC compliance validations by including (1) direct testing and evaluation of the critical capabilities and (2) evaluation of the capabilities at all agency TIC locations. | In fiscal year 2011 we verified that DHS, in response to our recommendation, now tests and evaluates with three tools that facilitate and automate compliance testing. In addition, we verified that DHS evaluates, or intends to evaluate, the capabilities at all agency TIC locations. For example, in fiscal year 2010, DHS evaluated 29 agency TIC Access Providers . To evaluate the capabilities at all OMB approved TIC locations not previously assessed, DHS has an approved plan to conduct an onsite evaluation of one TIC, and the associated support components for that TIC, from each of the OMB approved TIC Access Provider Agencies each year. The assessment schedule ensures that all TIC locations...
|
| Department of Homeland Security | In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should, before activating Einstein sensors, ensure that both DHS and participating agencies (1) execute required service level agreements and (2) sign site deployment checklists. |
In fiscal year 2011 we verified that DHS, in response to our recommendation, executed 30 service level agreements as of March 2011 to the 30 participating agencies and required agencies to sign site deployment checklists prior to activating an Einstein sensor.
|
| Department of Homeland Security | In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should establish milestones for agencies to submit required Einstein agreements. |
Closed.
|
| Department of Homeland Security | In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should, to better understand whether Einstein alerts are valid, develop additional performance measures that indicate how agencies respond to alerts. |
In fiscal year 2011 we verified that DHS, in response to our recommendation, developed additional performance measures to monitor and track agency responsiveness to Einstein alerts . For example, DHS now tracks: 1) when an agency responds to an alert 2) total hours taken by an agency in response to an alert and 3) length of time of each alert.
|
| Department of Homeland Security | In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should assess the efficacy of, and take steps to apply as appropriate, lessons learned during the initial implementation of these initiatives such as the need to (1) define future requirements for TIC before establishing deadlines and (2) make agencies aware of their ability to access Einstein flow data. |
In fiscal year 2011 we verified that DHS, in response to our recommendation, applied the lessons learned during the initial stages of implementation by (1) providing periodic netflow and other EINSTEIN training, (2) implementing a secure web portals to share draft, interim, and final copies of security capabilities and technical reference architecture documents; and (3) revising agendas to include activities associated with accessing flow data to the extent available.
|