With ever-increasing information security and privacy risks, we must make our systems and processes more robust. Several federal agencies and well-established institutions have legacy systems built on an architecture that was deemed vigorous 40 years ago but that stands no chance when exposed to the modern security threats and real-time interactions of today. Our mission-essential functions are performed in a legacy mainframe environment that is costly and extremely resource-heavy in order to protect high-value assets and customer data from increasing cyber threats. This concern is compounded by our aging workforce and the scant number of individuals with these legacy skills in the job market today. By re-engineering our legacy systems, we reduce the inherent risks associated with a veteran staff of which 50% can retire today, many taking with them the institutional knowledge acquired over 40+ years. Working closely with my Chief Information Security Officer (CISO), my risk management and privacy strategy is to prevent and detect impending attacks through continuous monitoring. By modernizing our legacy systems, we ensure that our enterprise architecture is stable for years to come, is flexible enough to accommodate new innovations, and can enable the encryption and security aspects necessary to keep our high-value assets and data safe.
Cybersecurity is not a one-time activity but rather a continuous effort requiring vigilance at all times. We can close 1,000 windows, but the bad guys will get in through the one window we missed. To improve their security posture, federal agencies continue to make progress toward a compliant information security program.
"We increase network protection through continuous monitoring"
Federal agencies are mandated to manage risk in critical infrastructure, whether it is in asset management, identity management, remote access, or network protection. We have made it a top priority to strengthen Identity, Credential, and Access Management (ICAM), better manage user permissions, prevent data loss, secure remote access, and address insider threats.
Asset Management – Agencies must mitigate the risk of unauthorized hardware and software in their environment. An automated hardware and software inventory is essential to properly account for all assets, including their purpose for being on the network and who owns them. Our participation in the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program ensures that we address these cybersecurity risks. We have also started the incremental and iterative process of transforming our legacy mainframe software systems. By adopting central management of hard drive encryption through Microsoft BitLocker Administration and Monitoring (MBAM), we ensure that by default all agency laptops and mobile devices have the necessary data encryption.
Per the Office of Management and Budget (OMB) Circular M-17-25 and the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, we have enhanced our Information Security Continuous Monitoring (ISCM) strategy. Our renewed focus is on the identify, protect, detect, respond and recover areas. In today’s connected systems it is essential to build partnerships with other sources, such as the DHS CDM program, which work alongside agency efforts to combat cybersecurity threats. In simple terms, the CDM program is an external set of eyes looking at the agency network and sending out alerts on any abnormal or suspicious behavior that is observed. Although slow to implement, the CDM program shows promise to bridge the gap in vulnerability assessment, hardware and software management, configuration management, and privileged account management.
Identity Management – We ensure that all federal and contractor staff establish their identity using the PIV card. We have also built a partnership with Login.gov for identity proofing and identity management solutions for all our external customers from the railroad community. Currently, we are transitioning our external self-service digital solutions to use identity proofing and Multi-Factor Authentication (MFA) via Login.gov. This is planned for all public-centric services implemented on our external website and customer portal. Just like online banking services, these self-service solutions are built using secure communications with strong MFA and identity management. With the recent data breach at a major credit bureau, and assuming that personal financial information and credit histories may have been compromised, we are working with Login.gov to use alternate proofing solutions.
Remote Access – Having deployed managed services for hardware encryption along with upgraded network firewalls, the agency has strengthened the information security controls for VPN remote access. We enforce MFA, and all users log in using the PIV card. At any time during an average work day, about 85-90% of our users, whether in our Chicago headquarters or at remote work-at-home locations, are logged in this way. Our target is to achieve 98-100%. Beyond the compliance factor, our agency is better protected using MFA. With the support of our senior leadership, we continue to take significant steps to further enhance the security aspects of our remote access solution. We have also created new mandatory “always on” VPN profiles for all remote connections. From the outside, when an agency employee connects to the Internet using an agency-issued workstation, such as a laptop or mobile device, the VPN connection is established automatically, thereby greatly enhancing the security of both the workstation and the agency network. As an added layer of security, this standard VPN profile also requires the use of the employee’s government-issued PIV card to connect to the VPN.
Network Protection – As part of the ISCM strategy, we perform routine activities such as scanning our internal network for published Indicators of Compromise (IOC); patching all known critical vulnerabilities; reducing the number of privileged system accounts; accelerating enforcement of multi-factor authentication using the PIV card; and performing an inventory of high-value assets. Our defense-in-depth configuration is based on the Intrusion Prevention System (IPS), Network Admission Control (NAC), and the Security Information and Event Management (SIEM) system. We have deployed the essential Data Loss Prevention (DLP) solution to encrypt all external email messages that contain PII. Last year we expanded our DLP solution to scan for PII in the subject line of all emails. This enhancement has reduced the number of false-positive incidents to fewer than 7 per month. Without proper encryption controls, these emails would have resulted in significant privacy risks. Our target is to expand the DLP solution to Internet-facing and browser applications as well. In addition, with the DHS CDM program, all unauthorized hardware will be blocked from accessing the agency network for effective network protection.
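As an added illustration of the DLP decision described above (example code written for this page, not the agency's DLP product), the scanner below checks both the subject line and the body of an outbound message for SSN-shaped PII and requires encryption only when a recipient is outside the agency. The agency mail domain and the two sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: placeholder for the agency's own mail domain (not from the page).
AGENCY_DOMAIN = "agency.example"

# SSN-shaped token: 3-2-4 digits with optional dash or space separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def is_plausible_ssn(area, group, serial):
    # Reject digit runs the SSA never issues (area 000/666/900+, zero group or
    # serial); this structural check keeps case and ticket numbers from being
    # flagged as PII, which is where most DLP false positives come from.
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def find_pii(text):
    # Every plausible SSN in the text, in order of appearance.
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]

def is_external(msg):
    # True when any To/Cc recipient is outside the agency domain.
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(not addr.lower().endswith("@" + AGENCY_DOMAIN) for _, addr in addrs)

def dlp_decision(raw_message):
    # Scan the subject line and the body; require encryption only when PII
    # is addressed to someone outside the agency.
    msg = message_from_string(raw_message)
    payload = msg.get_payload(decode=True) or b""  # single-part text body
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    pii = find_pii(msg.get("Subject", "")) + find_pii(body)
    external = is_external(msg)
    return {"external": external, "pii": pii, "encrypt": external and bool(pii)}

# Constructed samples: an external message with an SSN only in the subject
# line, and an internal one whose ticket number has an area the SSA never issues.
SAMPLE_EXTERNAL = (
    "From: analyst@agency.example\nTo: Jane Doe <jane@railroad-partner.example>\n"
    "Subject: Claim 123-45-6789 follow-up\n\nPlease review the attached statement.\n"
)
SAMPLE_INTERNAL = (
    "From: analyst@agency.example\nTo: helpdesk@agency.example\n"
    "Subject: Ticket 000-12-3456\n\nLaptop will not boot.\n"
)
```

Calling `dlp_decision(SAMPLE_EXTERNAL)` flags the subject-line SSN and sets `encrypt` to True, while the internal ticket message produces no PII hits and no encryption requirement.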
Managing the virtual office of today requires new ways to protect an infrastructure from cyber-attacks—there is no longer a physical boundary to consider; instead, security is enabled at each endpoint device. We increase network protection through continuous monitoring. Patching systems is not an afterthought or a failure, but a chance to stop adversarial behavior. Patching applications or virtual servers is now frequent, automated, and transparent to the end user. All applications and web plugins are digitally signed to prevent malicious code and tampering. Advances in hardware and firmware have enabled better security management through the Trusted Platform Module (TPM), a secure crypto-processor on the motherboard that stores the cryptographic keys used to protect information on the device. These advances allow us to use network access protection tools to verify the health of the endpoint device before it connects to the network.