Stop the devils you know first, then the devils you don’t know

Written by Dan Blacharski on December 3, 2008

The Federal government is taking the next step in security with a new set of guidelines. The new guidelines, which will be issued in the next six months as part of the “Consensus Audit Guidelines”, will represent a change of focus that makes a lot of sense. The new policy will be to first focus on fixing vulnerabilities that are most often exploited.

In the government sector, there is a lot of low-hanging fruit. Easily exploited flaws that are also easily prevented are very common, and addressing this unfortunate fact will make a very large difference in the frequency of successful attacks. The fact is, lots of people want to hack or attack the US government’s computers, but very few of those attackers are savvy enough to come up with something completely new. Attackers tend to be opportunistic, and the first thing they do is look for an obvious flaw or vulnerability, such as a server that still has the default password, or an email account whose password is the account owner’s first name. Fixing the large, gaping holes in security first, and then focusing energy on the hypotheticals, will shut the door on most attacks.

The Consensus Audit Guidelines will give government agencies an extensive list of controls that can stop known attacks. The guidelines will also provide examples of real-world attacks (as opposed to focusing on theoretical attacks that have not yet been perpetrated). An article in NextGov quotes a former Air Force CIO espousing the common-sense strategy of “Let’s figure out what are the vulnerabilities being exploited and fix those first.” This should have been done a long time ago. This isn’t to diminish the importance of stopping “zero-day” attacks and unknown flaws, but good security is about priorities as much as it is about specific technologies.

Fixing known vulnerabilities and flaws first may seem obvious, but it still represents a big change in government security policy. The older policy revolved around the Federal Information Security Management Act (FISMA), which focused more on certification and accreditation and on generating enormous amounts of paperwork. FISMA was actually a mixed bag as far as securing government computers went. By design, it didn’t do much towards actually fixing problems directly, although it did raise awareness and force agencies to start working towards implementing sensible policies.

Earlier this year, a Senate sub-committee actually held a meeting to discuss FISMA’s shortcomings. The criticism of FISMA’s compliance initiatives indicates that compliance doesn’t necessarily mean better security; it may just mean more paperwork.

One Comment to “Stop the devils you know first, then the devils you don’t know”

  1. Mike Nelson Says:

    I don’t disagree with the CAG objectives or approach, but I’m a bit concerned that we tend to focus on threats from outside. A strong perimeter is important, but I’d hate to focus on it to the extent that I miss exposures from within my own environment, exposures that could have availability or integrity impacts on data, not “just” confidentiality risks. Like everything in life, balance is critical.
