Interior Department FISMA audit reveals shortcomings in emergency planning

The Department of the Interior failed to properly test plans for a disaster or other emergency that could compromise its IT systems, according to an auditors’ report obtained by FedScoop.

“It’s pretty important,” said John Pescatore, director of emerging security trends at the SANS Institute, a cybersecurity research company. It’s like not testing your emergency generator and flashlight before a storm hits, he said. “When the power goes out and they don’t work, it’s really tough to recover.”

The report, obtained by FedScoop through a Freedom of Information Act request, is required by the Federal Information Security Management Act. It was produced last year by independent auditors working for KPMG LLP, and was heavily redacted.

The report found that the department had established a business continuity/disaster recovery program enterprisewide. However, DOI had “not fully” tested its continuity of operations plans — sometimes called COOP plans — or business continuity plans annually, nor had it fully maintained evidence of reviewing or updating its continuity plans for data centers.

The culprit appears to be “one of six bureaus/office[s],” and the deficiencies are “isolated” and “not pervasive.” Though the report warns that not testing these plans properly can have serious consequences.

“During an extended outage and/or disaster state of the information system processing functions, [redacted, but presumably DOI or one of its subagencies or offices] may be unable to restore vital business operations and functions in a timely manner due to critical information and/or computer resources are unavailable, inaccessible, or not properly trained,” the heavily redacted report said.

When the report was issued, management agreed with the report’s recommendations to ensure that the plans are updated and fully tested, and that “lessons learned are communicated to senior management.”

“The Department takes the privacy and security of its data very seriously, and we continue to be an active participant in the ongoing efforts by the Federal government to improve our nation’s overall cybersecurity posture,” DOI spokeswoman Jessica Kershaw said in an email to FedScoop. The department would not say specifically how it has since improved its contingency planning.

While agencies have some leeway in how often they must test their plans, Pescatore said annual testing is a good baseline.

After Hurricane Katrina in 2005, horror stories surfaced about government agencies and private companies with contingency plans in place that hadn’t worked in the face of a real threat, he said.

“In this day and age, planning for it on an annual basis as a minimum is really what needs to be done,” he said.

Revisiting COOP plans is critical because organizations — and the technologies they use — are constantly changing, said Tony Cole, vice president and global government chief technology officer for network security company FireEye. People leave, the structure of offices transforms, and technology loses or gains functionalities, he said.

“There are so many facets that, until you actually go through and test them, you don’t realize that’s it’s valuable to you — or something that was valuable that’s no longer valuable,” he said.

He pointed to the Pentagon’s response to the 9/11 attacks. Communications had been knocked out in many areas of the facility, said Cole, a former technical operations manager for the Pentagon’s network security services. But a young private had kept a list of BlackBerry pins for certain personnel. The pins allowed officials to message another BlackBerry user directly without pinging the company’s on-site servers. That information, Cole said, was “invaluable” at the time, and should have been incorporated into the Pentagon’s contingency plans. BlackBerry devices later lost that capability — a development that underscores the need to continue to evaluate plans, he said.

“In this quickly evolving world we live in, our COOP plans have to reflect how quickly our organizations and technology evolves if we’re going to be successful,” he said. “The only way to do that is test them frequently and make sure that the results of that test is incorporated into the plan.”

[Read more: Thousands of cybersecurity vulnerabilities uncovered at Interior Department]

The missions of agencies also change in the face of new laws and regulations, said Waylon Krush, CEO of cybersecurity company Lunarline. He said his company works with the Department of Transportation, which often faces new safety requirements for which it must establish systems. As a result, the agency must continue to update its contingency plans.

“New laws, new requirements come down the pike, and those become large priorities within the organization. A lot of times, if you’re not paying attention to them, they’re not going to make it into the COOP,” he said.

Underscoring PIV card adoption

Interior’s security processes have been under close scrutiny since this June when news broke that Office of Personnel Management records stored in a DOI data center had been compromised, exposing millions of people’s personal data to hackers thought working for Chinese intelligence. Testifying before Congress in July, DOI Chief Information Officer Sylvia Burns said it was an OPM privileged username and password that allowed bad actors to get into Interior’s systems.

One of the “lessons learned,” Burns told lawmakers at the time, was the importance of two-factor authentication. Indeed, the department’s FISMA report noted that DOI had not fully enforced the use of personal identity verification cards, which are used in two-factor authentication.

After making “slow progress” on rolling out a two-factor program, Burns said the department ramped up its efforts in the wake of the breach and amid the administration’s “cyber sprint” to bolster agencies’ defenses. According to a Performance.gov progress update, 100 percent of privileged DOI users, and 95 percent of total users, are technically required to log onto the network with a two-factor PIV card.

At the hearing, Burns emphasized the importance of going beyond the “paper-based exercise of checking boxes” typical of the FISMA report. Technology executives, she said, had to do more to stay on top of the threat.

“The FISMA metrics are right,” Burns testified. “But they are not the only thing that we need to be doing. They’re one lens of what we need to be doing.”

Likewise, Lunarline’s Krush said that performance score on a FISMA report looks at compliance, offering a way to find controls that are not in place or not working as intended. But it doesn’t paint a full picture of whether an agency has an effective operational security program. That’s slowly changing in government, he said. But a FISMA report is not a good indicator of, say, whether an agency would be hacked.

“They’re very important, and they’re critical,” he said. “But they never tell the whole story.”

Contact the reporter on this story by emailing her at whitney.wyckoff@fedscoop.com, or follow her on Twitter @WhitneyWyckoff. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.