State Dept Authorization Bill Mandates Security Breach Reporting, NSA Consultations –Can PenTest Be Far Behind?

Posted: 12:27 am EDT
Updated: 11:23 am PDT
[twitter-follow screen_name=’Diplopundit’ ]

 

Update: A source on the Hill alerted us that the State Authorization bill was offered as an amendment when the NDAA was debated in the Senate last month but it was not voted on and the NDAA passed on June 18 (That would be H.R. 1735 which passed 215 (71-25)  We understand that both chambers are now starting the process to bring the bill to conference in order to resolve differences.  The State Authorization bill, we are told, will not be part of those discussions.  In order for this to move forward, it will either need to be brought to the floor as a stand alone vote or Corker/Cardin could try again to attach it to another piece of legislation. Given that this is the first authorization bill passed by the SFRC in 5 years, and made it through the committee with bi-partisan support, we suspect that the senators will not just easily forget about this. — DS

On June 9, 2015, U.S. Senators Bob Corker (R-Tenn.) and Ben Cardin (D-Md.), the chairman and ranking member of the Senate Foreign Relations Committee, applauded the unanimous committee passage of the Fiscal Year 2016 Department of State Operations Authorization and Embassy Security Act. The SFRC statement says that it has been five years since the Senate Foreign Relations Committee passed a State Department Authorization bill and 13 years since one was enacted into law.  This State Department Authorization bill has been offered as an amendment to the National Defense Authorization Act, which currently is on the Senate floor. It is quite lengthy so we’re doing this in installments.

Below is the section on information technology system security that mandates security breach reporting, as well as making State Dept systems and networks available to the Director of the National Security Agency (NSA) and any other such departments or agencies to carry out necessary tests and procedures.

The State Department’s Consular Consolidated Database (CCD) as of 2011 contains over 137 million American and foreign case records and over 130 million photographs and is growing at approximately 40,000 visa and passport cases every day. If the CCD is compromised, it would be a jackpot for hackers that would make the OPM hack severely pales in comparison.

If this bill passes, will the penetration test by NSA on one of the world’s largest data warehouses finally happen?

Via govtrack:

Section 206.Information technology system security

(a)In general

The Secretary shall regularly consult with the Director of the National Security Agency and any other departments or agencies the Secretary determines to be appropriate regarding the security of United States Government and nongovernment information technology systems and networks owned, operated, managed, or utilized by the Department, including any such systems or networks facilitating the use of sensitive or classified information.

(b)Consultation

In performing the consultations required under subsection (a), the Secretary shall make all such systems and networks available to the Director of the National Security Agency and any other such departments or agencies to carry out such tests and procedures as are necessary to ensure adequate policies and protections are in place to prevent penetrations or compromises of such systems and networks, including by malicious intrusions by any unauthorized individual or state actor or other entity.

(c)Security breach reporting

Not later than 180 days after the date of the enactment of this Act, and every 180 days thereafter, the Secretary, in consultation with the Director of the National Security Agency and any other departments or agencies the Secretary determines to be appropriate, shall submit a report to the appropriate congressional committees that describes in detail—

(1)all known or suspected penetrations or compromises of the systems or networks described in subsection (a) facilitating the use of classified information; and

(2)all known or suspected significant penetrations or compromises of any other such systems and networks that occurred since the submission of the prior report.

(d)Content

Each report submitted under subsection (c) shall include—

(1)a description of the relevant information technology system or network penetrated or compromised;

(2)an assessment of the date and time such penetration or compromise occurred;

(3)an assessment of the duration for which such system or network was penetrated or compromised, including whether such penetration or compromise is ongoing;

(4)an assessment of the amount and sensitivity of information accessed and available to have been accessed by such penetration or compromise, including any such information contained on systems and networks owned, operated, managed, or utilized by any other department or agency of the United States Government;

(5)an assessment of whether such system or network was penetrated by a malicious intrusion, including an assessment of—

(A)the known or suspected perpetrators, including state actors; and

(B)the methods used to conduct such penetration or compromise; and

(6)a description of the actions the Department has taken, or plans to take, to prevent future, similar penetrations or compromises of such systems and networks.

#

Related Post:
S.1635: DOS Operations Authorization and Embassy Security Act, Fiscal Year 2016 – Security Clearance

Advertisements

State/OIG Issues Alert on Recurring Weaknesses of State Department’s Computer Security

|| >    We’re running our crowdfunding project from January 1 to February 15, 2014. If you want to keep us around, see Help Diplopundit Continue the Chase—Crowdfunding for 2014 via RocketHub  <||

 

— By Domani Spero

In November 2013, Inspector General Steve Linick issued a management alert memo to the State Department’s Management Control Steering Committee concerning the “significant and recurring weaknesses” of its information system security program over the past three fiscal years (2011-2013).

The recurring weaknesses identified were in six areas: Authority to Operate (ATO), Baseline Controls, Scarming and Configuration Management Controls, Access Controls, Cyber Security Management, and Risk Management and Continuous Monitoring Strategies.

A backgrounder from the OIG report:

The Department of State (Department) is entrusted to safeguard sensitive information, which is often the target of terrorist and criminal organizations. Cyber attacks against Government organizations appear to be on the rise,’ including state-sponsored efforts to exploit U.S. Government information security vulnerabilities. The Department is responsible for preserving and protecting classified information vital to the preservation of national security in high risk environments across the globe. The Department also undertakes significant numbers of financial and other transactions, including, for instance, the daily collection of millions of dollars in consular fees. In addition, the Department maintains records on approximately 192 million current passports,5 which contain such sensitive personally identifiable information (PII) as dates of birth and social security numbers. To protect this information, the Department must ensure that its Information System Security Program and management control structure are operationally effective.

Some of the examples of weaknesses cited include the following:

  • In FY 2013, OIG found another instance of access control weakness. Specifically, OIG reported that 36 employees assigned to the [Redacted] (b) (5).  Pursuant to 12 FAM 232, those systems can only be accessed by individuals possessing appropriate clearances. The 36 employees did not possess such clearances.
  • On August 20, 2013, the Bureau of Information Resource Management (IRM) reported that the Department had a total of 6,369  system administrators. According to IRM officials, system administrators are given network-wide permissions to allow them to collaboratively manage and troubleshoot issues.“ However, such broad access by large numbers of system administrators also subjects the system to risk. The recent, highly-publicized breach of information pertaining to national security matters by Edward Snowden, a contract systems administrator, starkly illustrates the issue.”
  • The Bureau of Diplomatic Security did not have the administrative credentials needed for Demilitarized Zone servers  to perform periodic scanning.

State/OIG made three recommendations including directing the Office of the Chief Information Officer to employ the services of the National Security Agency (NSA) to conduct independent penetration testing to further evaluate the Information System Security Program and outline a range of technical and procedural countermeasures to reduce risks.

On December 13, 2013, James Millette, the chairman of the Steering Committee and the State Department’s Comptroller who also heads the State Department’s Bureau of the Comptroller and Global Financial Services (CGFS) sent the OIG a written response which says  that they “respectfully disagree on the level of severity these weaknesses collectively represent.” Part of the response also includes the following:

Your memo recommended that the MCSC direct IRM to employ the services of the National Security Agency (NSA) to conduct independent penetration testing. The Committee believes that DS, like the OIG, has direct lines to the Secretary and has the capability to be independent in these matters. In addition, DS assured the Committee that they have the capability and work with and have the confidence of NSA in these matters. We believe OIG would not disagree that DS has the capability to adequately perform the testing. However, we fully understand the issue of perception of independence. Therefore the MCSC is supportive of DS and IRM having further discussions with the OIG on this matter to determine the best plan of action to perform penetration testing that meets the needs of the OIG and Department management. In addition, at the meeting, we suggested that there may be other alternatives to NSA, such as using a 3rd party to review the methodology used by DS.

That’s an old timer at the State Department telling the new IG that the Committee believes that Diplomatic Security (DS)  like the Office of the Inspector General (OIG) has “direct lines” to the Secretary?  Really!  It is a fact that DS reports to “M” or the Under Secretary for Management  and not directly to the Secretary.  (Unless, the Committee thinks the OIG also reports to “M” just like DS)?  OIG is one of the ten offices at State that reports directly to the Secretary.  If  the Secretary in practice delegates that authority, he has two deputies above the under secretaries, and one of them is for management and resources.

On Jan 13, 2014, the Inspector General sent another memo to the Management Control Steering Committee. The memo indicates closure of one recommendation but left the other two issues “unresolved.” This is also where the OIG patiently explains to the Committee what it means by “independence.”

OIG considers Recommendation 3, pertaining to independent penetration testing, unresolved. The MCSC indicated that it is supportive of the Bureau of Diplomatic Security (DS) and IRM having further discussions with OIG on this matter, but it further stated that “OIG would not disagree that DS has the capability to adequately perform the testing.” The issue, however, is not about DS’s “capability” but its independence and perceived independence.

According to the National Institute of Standards and Technology (NIST):

An independent assessor is any individual or group capable of conducting an impartial assessment of security controls employed within or inherited by an information system. Impartiality implies that the assessor is free from any perceived or actual conflicts of interest with respect to the development, operation, and/or management of the information system or the determination of security control effectiveness.

Because DS is actively involved in the Department’s Information System Security Program, it cannot be considered an independent, impartial assessor. The recommendation will remain open until OIG reviews and accepts documentation showing that independent penetration testing has been implemented. The penetration testing must be performed by the National Security Agency or an equally qualified organization independent of the Department and approved by OIG.

The NSA is already conducting pentest on critical U.S. infrastructures among other things.  Why is State thinking only DS, or third party and not NSA?

* * *

Related item:

-01/13/14   Mgmt Alert on OIG Findings of Significant and Recurring Weaknesses in the Dept of State Info System Security Program (MA-A-0001)  [6298 Kb]