From: Jones, Jack (NIH/OD) [E]
Sent: Tuesday, April 21, 2009 10:59 AM
To: 'icddir-l@list.nih.gov'; List DEPDIR-L; OD-Senior Staff; OD-Small Staff; List EOFULL-L
Cc: IC Director's Assistants; List ITMC-ALL; OD-Senior Staff Assistants; OD-Small Staff Assistants
Subject: ACTION: Timeline for Ensuring NIH Enterprise Information Security
TO: IC Directors
IC Deputy Directors
IC Executive Officers
CC: IC Chief Information Officers
FROM: Chief Information Officer, NIH
SUBJECT: ACTION: Timeline for Ensuring NIH Enterprise Information Security
This memorandum provides important information and requests your support in
implementing a critical timeline of needed changes that will provide NIH with a
real-time network monitoring program to ensure maximum security of Information
Technology (IT) across the NIH.
As you are aware, one of my high-level responsibilities as the NIH Chief Information Officer (CIO) is to manage and ensure that NIH enterprise information security is effective in protecting NIH’s IT resources. When I assumed this position, I made this an important focus of my tenure.
NIH is under attack every minute of every day. In an average week, over 50,000 attempts to penetrate the NIH network perimeter are recognized and successfully blocked. While we have collectively made great strides in our IT security programs at NIH, several recent events, such as the Conficker worm penetration, have illustrated to me that NIH still does not have the proper level of enterprise security infrastructure in place to respond to security incidents or to even meet minimal HHS and OMB requirements for accurate reporting of security-related information in a timely manner.
Indirect reporting practices across NIH have led to significant gaps in our IT security awareness that have real consequences. This is highly evident when we evaluate the reporting of computer patching, laptop encryption, or user account practices. Further, knowledge gained from the recent response to the Conficker worm, the breach of patient information on an unencrypted laptop, and the July 2007 penetration test performed by the HHS Office of Inspector General (OIG) on the NIH Active Directory (AD) and network, also proves that current NIH security practices are fractured, disjointed, and putting our data at risk.
Further, a recent HHS-funded evaluation of NIH security architecture comparing NIH to current best practices noted that, “NIH needs to begin to upgrade its infrastructure and security practices to improve situational awareness and close security gaps…” These are ‘gaps’ that intruders are currently leveraging to their advantage. Without enterprise-wide visibility into NIH networks and IT infrastructure, my office is unable to judge intruder activity or to quickly determine if NIH is secure and prepared for the next worm or new security threat.
In order to mitigate these risks, enhance the controls in place to secure NIH data, and fulfill obligated mandates, the NIH IT security infrastructure and program need to be unified so that a responsible approach to IT security can be achieved. IT security is a shared concern and responsibility across NIH. As such, I respectfully request that you and your senior staff provide the needed support to your CIO for this critical effort to ensure that the necessary elements of our IT security program are in place and executed in a timely and effective manner. You should also be aware that due to the need for higher-level focus on this area, NIH management has created performance elements concerning the protection of NIH information and systems. These elements have been added to performance plans of individuals at appropriate IC management levels, to better ensure that this needed oversight and support is provided.
The following is a list of critical projects that are underway for significantly enhancing our NIH enterprise IT security program, along with firm deadlines, to meet these obligations in a timely manner. In most cases, my office has been coordinating these activities with the NIH IT security community and IC CIOs for a long period of time, so you are probably aware that they are underway; however, your continued focus and support is key to ensuring these changes are implemented as planned. I also felt it was appropriate that I personally communicate this information to you since your security commitment and support of these initiatives and programs will now be evaluated as part of your performance. Your CIO should be able to give you an update on your IC’s status.
1. May 15, 2009 – Each IC must have an Office of the CIO (OCIO) approved project plan for implementation of AD consolidation and fully implement the OCIO enterprise monitoring of Windows domain controller security configuration and management of Active Directory (creation/deletion of objects, etc.).
2. May 30, 2009 – Each IC must fully implement the OCIO enterprise vulnerability scanning program. (We are well on our way to finalizing this.)
3. September 1, 2009 – Each IC must fully implement HHS policy for encryption of all laptops, including Windows, Macintosh and Linux. (The requirement to include Mac and Linux laptops is new.)
4. October 1, 2009 – Each IC must fully implement the OCIO enterprise configuration scanning (SCAP) program. (This program still needs continuing support from the ICs.)
5. June 1, 2010 – All IC Active Directory child domains must be consolidated into the centralized NIH domain.
6. November 18, 2011 – NIH implementation of HHS security architect report recommendations, including enterprise security event management and Network Access Control (NAC). (We will be communicating future implementation plans and projects for this over the next year.)
We will continue to be faced with challenges in how we manage and monitor our IT infrastructure, and your IC’s cooperation in achieving these important NIH IT security initiatives and your continuing support are valued and appreciated.
Should you have any questions or concerns or need information regarding the status of your IC involvement in these initiatives, please feel free to contact me directly, or the NIH Chief Information Security Officer, Daniel Sands, at 301-402-4445 (sandsd@mail.nih.gov).
/s/
John “Jack” F. Jones, Jr., Ph.D.