Meeting Security and Compliance Challenges

When I took over as the CIO at the Millennium Challenge Corporation (MCC), a government agency designed to work with some of the poorest countries in the world, I inherited an organization with a highly mobile workforce and unacceptable levels of network security risk.

To meet its mission, the agency had hired a dedicated security staff. Despite that, viruses were common, service interruptions were routine and a variety of unapproved applications were running on agency laptops. In addition, MCC had 23 unresolved financial and Federal Information Security Management Act (FISMA) audit findings, and had missed a deadline for meeting the U.S. Office of Management and Budget's (OMB) Federal Desktop Core Configuration (FDCC) standard.

It was clear that MCC faced some major challenges. We needed to re-architect the network, build a security and compliance program from the ground up and instill a security-oriented culture. To accomplish all this, we would need the sustained support of every member of the senior staff over an extended period of time.

Our first step was to get the best possible data about the status of our network and security. Using a suite of tools from nCircle, we assessed our exposure to vulnerabilities, performed risk modeling and presented the results to senior staff. This initial appraisal was essential in creating the management support needed to begin the network changes and start the process of cultural change.

To keep management informed on a regular basis and to demonstrate consistent progress, I put together a security and compliance dashboard with key metrics, including the average daily host score, which measured our progress in reducing enterprise risk. The dashboard was designed to highlight hot-button issues and escalate the chief security and compliance problems presented at senior staff meetings.

The report was a vital step toward promoting awareness and ownership of the organization's security and compliance challenges. I reinforced this effort with awareness training and meetings with every department, so the staff would understand the value and necessity of improved security.

Adding Configuration Compliance

After implementing continuous risk measurement, we added configuration compliance monitoring to ensure that we were meeting the OMB's FDCC standard. This included monitoring more than 500 technical controls (such as password length and screensaver timeout) and required us to use a Security Content Automation Protocol (SCAP)-validated tool for verification.

We used another tool in the nCircle Suite, the SCAP-validated Configuration Compliance Manager, to verify our baseline installation as we deployed new equipment and to monitor ongoing compliance. Doing this enabled us to quickly highlight and correct out-of-compliance configurations. The timely information also helped educate our staff on how to connect a security or compliance risk with its probable cause.

Our dashboard tracks open help-desk tickets, network security vulnerability management risk scores, configuration compliance and open audit items. It presents a simple, color-coded set of at-a-glance priorities and information on where the organization is heading: data that every senior staff member can understand.
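To make the configuration-compliance rollup concrete, here is an added example (not MCC's tooling or nCircle's output) that evaluates a constructed sample of hosts against a small baseline of FDCC-style technical controls, computes the fleet compliance percentage and turns it into the color-coded dashboard status, while keeping per-control failure counts so a low score can be traced to its probable cause. The three controls, their thresholds, the color thresholds and the host records are all assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Control:
    """One technical control from the baseline, with its pass test."""
    control_id: str
    passes: Callable[[dict], bool]
# Constructed subset of FDCC-style technical controls; the thresholds are
# assumptions for this example, not the actual FDCC values.
BASELINE: List[Control] = [
    Control("PWD-LEN", lambda h: h.get("min_pwd_len", 0) >= 12),  # minimum password length
    Control("SCREEN-LOCK", lambda h: 0 < h.get("screensaver_timeout_min", 0) <= 15),
    Control("FW-ON", lambda h: h.get("firewall_enabled") is True),
]
def evaluate_host(host: dict) -> Dict[str, bool]:
    """Pass/fail per control for one host's observed settings."""
    return {c.control_id: c.passes(host) for c in BASELINE}

def host_compliant(host: dict) -> bool:
    """A host counts as compliant only when every control passes."""
    return all(evaluate_host(host).values())

def fleet_compliance_pct(hosts: List[dict]) -> float:
    """Headline dashboard metric: percent of hosts fully compliant."""
    if not hosts:
        return 0.0
    return round(100.0 * sum(host_compliant(h) for h in hosts) / len(hosts), 1)

def dashboard_status(pct: float, green_at: float = 95.0, yellow_at: float = 75.0) -> str:
    """Color code for the at-a-glance view (thresholds are assumptions)."""
    if pct >= green_at:
        return "green"
    return "yellow" if pct >= yellow_at else "red"

def failing_controls(hosts: List[dict]) -> Dict[str, int]:
    """Failures per control, so a low score can be traced to its probable cause."""
    counts = {c.control_id: 0 for c in BASELINE}
    for h in hosts:
        for cid, ok in evaluate_host(h).items():
            counts[cid] += 0 if ok else 1
    return counts
# Constructed sample of observed settings; a missing key counts as a failure.
SAMPLE_HOSTS = [
    {"min_pwd_len": 14, "screensaver_timeout_min": 10, "firewall_enabled": True},
    {"min_pwd_len": 8, "screensaver_timeout_min": 10, "firewall_enabled": True},
    {"min_pwd_len": 14, "firewall_enabled": True},
    {"min_pwd_len": 14, "screensaver_timeout_min": 15, "firewall_enabled": True},
    {"min_pwd_len": 12, "screensaver_timeout_min": 5, "firewall_enabled": True},
]
```

With the sample above, three of five hosts are fully compliant (60.0 percent, shown red), and the failure counts point at the short password and the host with no screensaver lock.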

Our weekly focus on core metrics has helped move the organization toward a continual-compliance system. This system is both more effective and less resource-intensive than our previous "scrambling before an audit" approach.

Using a central dashboard enables us to set clear priorities for security and IT teams, and it has been instrumental in building organizational focus. The management oversight and the focus on the key metrics presented in the dashboard have brought about an increase in FDCC configuration compliance from 30 percent of systems to 97 percent. We've also been able to close 85 percent of our FISMA audit items and reduce our vulnerability risk scores by 85 percent.

I'm pleased that our process and dashboard have been instrumental in reducing MCC's overall network security risk, while also improving our compliance with federal mandates.

In fact, this method is now considered a management model for other groups in our organization.

Dennis Lauer is CIO of the Millennium Challenge Corp. (MCC), an independent U.S. foreign aid agency that is helping in the fight against global poverty.