NSF Scores Well on Security
Each year, the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census issues a “Federal Computer Security Report Card,” grading how each agency protects its computer systems from malicious code and hackers. Each year the results are typically poor. In 2002, the federal government as a whole received an F. In 2003, it earned a D.
A notable exception to the government’s generally lackluster performance was the National Science Foundation (NSF), which improved to A- from D-. George Strawn, the NSF’s chief information officer, says that the various tactics his organization used to strengthen its networks could be emulated by the private sector.
The NSF’s first move was to look for weaknesses in the network by hiring consultants to run penetration tests. “The first time or two, they found some wide-open doors,” says Strawn. “But now, it’s to the point where they have trouble finding things to penetrate.”
Another change at NSF was to develop a program for certifying and accrediting major applications and general support systems, such as the local area network (LAN) and the data center. To do this, his team looked to government guidelines. NSF consulted Special Publication 800-37 of the National Institute for Standards and Technology (NIST), Guide for the Security Certification and Accreditation of Federal Information Systems, which includes “extensive procedures for doing the certification and accreditation of systems and applications,” Strawn says.
There were some side benefits to developing these certification and accreditation processes as well, according to Strawn. “One thing we found ourselves doing is tidying up documentation that should have been there in the first place, and we discovered it wasn’t,” he recalls.
The third issue that Strawn concentrated on was improving the organization’s IT security policy. “We’ve created an NSF-wide security working group which I chair,” he says. “We are in the process of creating, implementing, and promulgating policy to change our culture to make sure we’re all aware of what can be done to improve security, and that we are doing it.” This includes an annual security awareness training requirement for all employees and contractors.
The NSF’s efforts have also addressed problems in novel ways. For example, the organization plays host to scores of visitors for scientific panels, many of whom prefer to use their own laptops for presentations. This exposes the network to computers that may be infected by viruses or other malicious code.
Strawn solved this problem by splitting the LAN into two parts: a guest LAN and an internal LAN. Visitors, Strawn says, can only connect to the former—and then only after their machines are scanned to ensure that their antivirus software is up to date and that their machines are properly patched. “That’s a fair amount of effort,” he admits, “but we’ve discovered an awful lot of systems that weren’t patched or whose virus DATs [signatures] weren’t up to date and so forth, and the visitors have appreciated that notification.”
Instead of resting on its laurels, NSF is moving forward toward wireless networking, which is notoriously difficult to secure. “We’re investing quite a bit of effort in promulgating wireless networking within our building in a sufficiently secure fashion,” Strawn says, keeping “at least one eye on the security implications of doing so.”