CAG Consortium Set to List Automated Tools
Vendors' Tools to Link to Specific Security Controls
Vendors offer an array of tools, but often it's unclear which tools are aligned with which specific controls, said John Gilligan, the former Air Force and Energy departments' chief information officer who leads the consortium. Next week's consortium report will not only show that alignment but provide search capabilities to make it easier for users to compare tools and controls.
"There are a lot of tools out there that, absent something like the specific description of controls, weren't quite clear what they did," Gilligan said in an interview. "Now, with the ability to align them against specific control measures, it becomes much more clear what the tools do. You can now search and compare tools, in terms of characteristics, features, robustness across a number of different controls. And, in some cases, there are tools that do things we didn't even know about."
Gilligan said the consortium has not rated the vendors' tools a la Consumer Reports, but will provide user references for each tool listed.
An example of such a tool would be a program that continuously monitors a network, detects when an unauthorized device has been attached, and disables that device once it is identified. The first of CAG's 20 critical controls is an inventory of authorized and unauthorized hardware. Of the 20 critical security controls it published in February, 15 can be automated.
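The detection half of the tool described above, as an added example that is not code from the article or from any listed vendor: it reconciles devices observed on the network against an authorized-hardware inventory, which is the substance of the first critical control. The inventory, the DHCP syslog lines and the `arp -a`-style lines are constructed sample data, and the MAC formats handled (colon, hyphen and Cisco dotted) are an assumption about what a real tool would have to ingest. The "disable the hardware" step (a NAC quarantine or switch-port shutdown) is deliberately not implemented here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed example inventory (not from the article): normalized MAC -> asset tag.
AUTHORIZED: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "ws-fin-07",
    "00:1a:2b:3c:4d:5f": "ws-fin-08",
    "5c:26:0a:11:22:33": "printer-2f",
}

# Constructed sample input in two formats a monitoring tool might ingest:
# ISC dhcpd syslog lines and Linux `arp -a` output. Two of the four devices
# are not in the inventory; one of those uses Cisco dotted MAC notation.
SAMPLE_LINES: List[str] = [
    "Jul 14 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to 00:1a:2b:3c:4d:5e (ws-fin-07) via eth0",
    "Jul 14 09:12:44 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to aa:bb:cc:dd:ee:ff (android-9f3) via eth0",
    "? (10.0.1.40) at 5C-26-0A-11-22-33 [ether] on eth0",
    "? (10.0.1.99) at 0013.3710.2a9b [ether] on eth0",
]

# Colon/hyphen-separated (six 2-hex groups) or Cisco dotted (three 4-hex groups).
MAC_RE = re.compile(
    r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5}|[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\b"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(raw: str) -> str:
    """Canonicalize any of the three notations to lowercase aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Device:
    mac: str      # normalized
    ip: str
    source: str   # "dhcp" or "arp": where the observation came from


def parse_observations(lines: List[str]) -> List[Device]:
    """Extract (mac, ip, source) from each line; skip lines with no MAC+IP pair."""
    devices: List[Device] = []
    for line in lines:
        mac_m = MAC_RE.search(line)
        ip_m = IP_RE.search(line)
        if not (mac_m and ip_m):
            continue
        source = "dhcp" if "dhcpd" in line else "arp"
        devices.append(Device(normalize_mac(mac_m.group(1)), ip_m.group(1), source))
    return devices


def find_unauthorized(devices: List[Device], authorized: Dict[str, str]) -> List[Device]:
    """Every observed device whose MAC is absent from the authorized inventory."""
    return [d for d in devices if d.mac not in authorized]


def report(lines: List[str], authorized: Dict[str, str]) -> Dict[str, int]:
    """Summary counts a monitoring tool would emit per scan cycle."""
    devices = parse_observations(lines)
    bad = find_unauthorized(devices, authorized)
    return {"observed": len(devices), "authorized": len(devices) - len(bad), "unauthorized": len(bad)}


if __name__ == "__main__":
    for d in find_unauthorized(parse_observations(SAMPLE_LINES), AUTHORIZED):
        print(f"UNAUTHORIZED {d.mac} at {d.ip} (seen via {d.source})")
    print(report(SAMPLE_LINES, AUTHORIZED))
```

Two caveats a practitioner would attach: a MAC address is a weak identity, since an attacker who learns an inventoried MAC can spoof it, so a production tool pairs this check with 802.1X or switch-port binding; and the inventory itself must be kept current, or the tool will quarantine the next legitimately provisioned workstation.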
Gilligan said the publication of the tools-controls links could lead to efforts to persuade the General Services Administration, the federal agency charged with developing government purchasing guidelines, to create a contract vehicle that would encourage use of the listed tools. Doing so, he said, would not only help assure the acquisition of more secure IT products but could provide federal agencies and state and local governments discounts by pooling their purchases. "The next step would be to try to increase the availability of these tools and get the price point to something that's attractive," Gilligan said.
The former Air Force and Energy CIO also said the Federal CIO Council and the Office of Management and Budget should consider issuing guidance to federal agencies that maps how these controls align with the security control guidance developed by the National Institute of Standards and Technology.
The public-private consortium that published the CAG is sponsored by the not-for-profit SANS Institute, a computer security training, certification and monitoring organization, and the Center for Strategic and International Studies, the Washington, D.C., think tank that hosts the Commission on Cybersecurity for the 44th Presidency.