Doing more with less in the age of sequester
While meeting with a couple of my regular contacts at a recent AFCEA event, their conversation veered sharply from their normal assessments of recent cyber attacks into today’s prevalent motif of Beltway pundits -- the sequester.
Normally, I wouldn’t heed current events banter between colleagues taking a break at a trade show, but these guys aren’t blusterers. They’re top information security insiders at some of our nation’s most well-known federal agencies.
And, according to their forecasts, agencies like the DoD may not be prepared to cope with the leaner IT operations that sequestration is forcing on them. Here’s what they meant: How can federal agencies maintain regulatory compliance and stay abreast of the latest security threats while operating with a reduced IT staff? And how can these agencies secure their most sensitive files and applications against access by former employees and contractors who were recently furloughed or laid off?
A reduction in staff
Even though the $85 billion sequestration is now several weeks into existence (as of this writing), its effects on military civilian IT workers and contractors -- as well as federal IT employees in general -- remain to be seen.
However, we do know that because DoD is the largest employer of government workers in the nation, its civilian employees are facing the economic brunt of sequestration. Roughly half of the spending cuts are hitting defense programs. To cope, the Pentagon announced in March that it will furlough most of its civilian workforce -- nearly 800,000 employees -- one day per week, without pay, for the remainder of the fiscal year.
For military contractors, it may still be months before the full impact of sequestration is realized. But, as Pentagon Comptroller Robert Hale said, there is no doubt that sequestration “will affect the private sector.”
One case in point: for the duration of the fiscal year, the federal government will not enter into new contracts or exercise options on existing contracts, except for high-priority initiatives. And, from what I’ve seen up close in the defense sector, service contractors are already feeling the effects. I expect weapons manufacturers to experience the impact soon.
These budget and staffing reductions certainly filter down to the systems administrators and information security staff manning the IT controls at federal agencies. And I find myself in agreement with my “security insider” contacts mentioned at the start of this article. Maintaining regulatory compliance and controlling privileged access are likely two of the first areas to be overlooked following a staff reduction.
Does reduced staff equal reduced compliance?
FISMA, the NIST SP 800-53 control catalog and DIACAP are some of the best-known examples of the mandates and control frameworks that require federal agencies to demonstrate proactive security measures in areas such as access control, audit and accountability, and identification and authentication.
If you’ve ever been involved with one of these audits, you know well the mad scramble among personnel at all levels of the IT chain to verify and document compliance with the multitude of audit points in advance of the auditor’s arrival. Now, imagine this same scenario, only with a significantly smaller IT team. How would regulatory compliance continue to be met?
By adopting a practice of “continuous compliance,” IT groups can reach a level of efficiency that not only allows them to meet their regulatory compliance mandates, but also to handle the latest cyber-attacks as they occur. Continuous compliance, in the simplest terms, means keeping IT processes and controls constantly in a state of compliance, as opposed to the reactive “firefighter” mode of point-in-time compliance so common in most IT environments. Basically, a federal agency that is in a state of continuous compliance is ready for an audit at any time, without preparation.
This isn’t to suggest that attaining continuous compliance is a simple act. It requires the IT group to probe continually for weaknesses and to close security holes as soon as they are confirmed. That involves established methodologies and technology that tests controls on a schedule, alerts immediately on identified vulnerabilities and drives their remediation.
One important tool to facilitate the move toward continuous compliance is an automated privileged identity management product that can constantly locate, track and lock down privileged accounts, with little or no human interaction. After implementing this approach, an organization can much more easily meet a number of major regulatory requirements, such as maintaining minimum complexity and change-frequency standards for privileged passwords; providing authoritative audit trails of privileged access requests; and documenting a strict need-to-know policy for privileged access. And, as a side benefit, with automated privileged identity management, overburdened IT administrators don’t have to accomplish all of this in time-consuming, manual fashion.
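As an added example of the kind of automated check that sits behind continuous compliance (this is not code from the article, and not any vendor's product), the Python below inventories privileged local Unix accounts from passwd/group/shadow-style data and flags the conditions the paragraph above cares about: passwords older than the change-frequency limit, extra UID 0 accounts that defeat individual accountability, group memberships left behind for accounts that no longer exist, and privileged access still held by someone on a departed-staff list. The sample data, the 60-day policy, the `wheel`/`sudo` group names, the fixed run date and the departed-staff list are all constructed assumptions; a real deployment would read the live files and run on a schedule.

```python
"""Continuous-compliance check for privileged local Unix accounts (added example)."""
from dataclasses import dataclass
from datetime import date

EPOCH = date(1970, 1, 1)
MAX_PASSWORD_AGE_DAYS = 60                        # assumed change-frequency policy
PRIVILEGED_GROUPS = frozenset({"wheel", "sudo"})  # assumed: groups that grant root via su/sudo
AS_OF = date(2013, 4, 15)                         # fixed "today" so the run is reproducible


def days_since_epoch(d: date) -> int:
    """shadow(5) stores the last password change as days since 1970-01-01."""
    return (d - EPOCH).days


_D = days_since_epoch(AS_OF)

# Constructed sample data (not from any real system); hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob (contractor):/home/bob:/bin/bash
svc_backup:x:1003:1003:Backup service:/var/backup:/usr/sbin/nologin
"""
GROUP = """\
wheel:x:10:alice,bob
sudo:x:27:alice,carol
"""
SHADOW = f"""\
root:$6$c0nstructed$AAAA:{_D - 30}:0:99999:7:::
toor:$6$c0nstructed$BBBB:{_D - 200}:0:99999:7:::
alice:$6$c0nstructed$CCCC:{_D - 10}:0:99999:7:::
bob:$6$c0nstructed$DDDD:{_D - 90}:0:99999:7:::
svc_backup:!:{_D - 400}:0:99999:7:::
"""
DEPARTED = frozenset({"bob"})  # constructed feed of furloughed / departed staff


@dataclass(frozen=True)
class Finding:
    account: str
    rule: str
    detail: str


def parse_passwd(text: str) -> dict:
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, _gecos, _home, _shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid)}
    return users


def parse_group(text: str) -> dict:
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":")
            groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def parse_shadow(text: str) -> dict:
    shadow = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            lastchg = int(fields[2]) if fields[2] else None
            shadow[fields[0]] = {"hash": fields[1], "lastchg": lastchg}
    return shadow


def privileged_accounts(users: dict, groups: dict, privileged_groups=PRIVILEGED_GROUPS) -> set:
    """UID 0 accounts plus primary or supplementary members of privileged groups."""
    priv_gids = {g["gid"] for n, g in groups.items() if n in privileged_groups}
    priv = {n for n, u in users.items() if u["uid"] == 0 or u["gid"] in priv_gids}
    for n in privileged_groups:
        priv |= groups.get(n, {"members": set()})["members"]
    return priv


def audit(passwd_text, group_text, shadow_text, departed, as_of,
          max_age_days=MAX_PASSWORD_AGE_DAYS, privileged_groups=PRIVILEGED_GROUPS) -> list:
    users, groups, shadow = parse_passwd(passwd_text), parse_group(group_text), parse_shadow(shadow_text)
    today = days_since_epoch(as_of)
    findings = []
    for name in sorted(privileged_accounts(users, groups, privileged_groups)):
        if name not in users:   # group entry outlived the account: offboarding left residue
            findings.append(Finding(name, "orphan-group-member", "in a privileged group but has no passwd entry"))
            continue
        if users[name]["uid"] == 0 and name != "root":
            findings.append(Finding(name, "duplicate-uid0", "extra UID 0 account defeats individual accountability"))
        entry = shadow.get(name)
        if entry is None:
            findings.append(Finding(name, "no-shadow-entry", "no password record to check"))
        elif entry["hash"] == "":
            findings.append(Finding(name, "empty-password", "privileged account with no password"))
        elif not entry["hash"].startswith(("!", "*")):   # locked accounts have nothing to rotate
            age = None if entry["lastchg"] is None else today - entry["lastchg"]
            if age is None or age > max_age_days:
                findings.append(Finding(name, "stale-password", f"last changed {age} days ago; policy is {max_age_days}"))
        if name in departed:
            findings.append(Finding(name, "departed-still-privileged", "on departed-staff list but still privileged"))
    return findings


def run_report() -> list:
    findings = audit(PASSWD, GROUP, SHADOW, DEPARTED, AS_OF)
    for f in findings:
        print(f"{f.account:12} {f.rule:28} {f.detail}")
    return findings


if __name__ == "__main__":
    run_report()
```

Run against the constructed data, the report flags `toor` (a second UID 0 account with a 200-day-old password), `bob` (a stale password and a name on the departed list) and `carol` (still in `sudo` although the account is gone), while `root` and `alice` pass. The point of the design is that the same check runs unattended every day rather than once before an audit, which is what turns point-in-time compliance into continuous compliance.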
Security amidst IT turnover
In the unfortunate event of contractors or employees having to leave an agency due to sequestration, the reduction in productive manpower is only one consequence. Often overlooked in the commotion of downsizing are the passwords, keys and other access secrets that can walk out the door alongside former workers.