Baking Security into the Configurations of Department of Defense Systems: Radical security improvements while lowering costs
Paul Bartock, NSA; James Clausen, DoD; and Bill Lord, Air Force receiving the National Cybersecurity Innovation Award, with White House Cyber Coordinator Howard Schmidt, at the National Cybersecurity Innovation Conference in Washington DC.
WASHINGTON DC, October 31, 2011
The SANS Institute announced today that the U.S. Central Command, the CIOs of the DoD, the U.S. Air Force and the U.S. Army, and the Department of Defense Joint Consensus Working Group have jointly won the 2011 U.S. National Cybersecurity Innovation Award for baking security into the configurations of computers deployed to the war zones and, ultimately, into all DoD computers.
Between 2003 and 2005, the U.S. Air Force Chief Information Officer (CIO) pioneered the concept of "baking security in" to the hardware, software and services the government procures. Trying to add security after systems are developed and deployed is a failed strategy, according to the commission. The Air Force has demonstrated why and how such an approach works and, more importantly, how it has resulted in tighter security for its networks.
The CIO transformed the procurement process for personal computers and personal computer software to ensure that a secure configuration was installed as the standard on more than 500,000 Air Force desktops. The result was centralized security management and standardized security settings, which shortened the time to deploy critical patches from 57 days to just 72 hours, reduced the cost of patch testing and help-desk support, reduced system administrators' workloads, allowed faster response to new threats, and saved hundreds of millions of dollars.
To extend the success of the Air Force's initiative, the Department of Defense CIO established a Joint Consensus Working Group, which includes the Air Force, Army, NSA, Defense Intelligence Agency (DIA), and DISA. The resulting Universal Gold Master Disk (UGM) was first adopted by U.S. Central Command J-6 under Brigadier General Brian J. Donahue, and has yielded many benefits such as:
By baking security into its systems and leveraging its buying power, the Air Force generated large security improvements, more operational flexibility and savings. Using standard configurations allows commercial and government software developers to reduce the time and cost devoted to testing upgrades, maintaining a complex system and certifying that products are secure.
CENTCOM J-6, along with the DoD, Army and Air Force CIOs and their teams and the DoD Joint Consensus Working Group, wins the 2011 National Cybersecurity Innovation Award in the category "Eliminating Security Weaknesses that Allow Targeted Cyber-Attacks To Succeed." Their solution results in a consistent infrastructure across the enterprise that can be changed dynamically in response to actual or potential threats.
The National Cybersecurity Innovation Awards recognize companies and government agencies that have developed and deployed innovative processes or technologies that (1) are innovative in that they have not been deployed effectively before, (2) can show a significant impact on reducing cyber risk, (3) can be scaled quickly to serve large numbers of people, and (4) should be adopted quickly by many other organizations. Nominators for the awards include most of the senior government officials involved with cybersecurity as well as representatives of the major Cybersecurity Information Sharing and Analysis Centers (ISACs). Corporations and individuals, including SANS instructors, also nominated innovations. Each nomination was tested by the SANS research department against the criteria; those that met *all* four were recognized. More than 50 nominations were received; 14 were selected.
Established in 1989 as a cooperative research and education organization, SANS' programs reach more than 400,000 security professionals, auditors, system administrators, and network administrators who share the lessons they are learning and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community. (www.sans.org)
For more information:
Alan Paller, firstname.lastname@example.org, (301) 951-0102 x108