Legislative and budgetary challenges are hindering the Homeland Security Department’s ability to implement the continuous diagnostic and monitoring program.
Suzanne Spaulding, the nominee to be the deputy undersecretary of the National Protection and Programs Directorate (NPPD), told Senate lawmakers Wednesday that DHS is working toward CDM implementation, but “there are some departments who have legal constraints that get in the way of allowing DHS to move forward with CDM.”
After the Senate Homeland Security and Governmental Affairs hearing, a DHS official offered more details about those legal constraints.
The official said by email that “the authorizing statute for CDM notes that the appropriation of funds ‘shall not apply to the legislative and judicial branches of the federal government and shall apply to all federal agencies within the executive branch except for the Department of Defense, the Central Intelligence Agency and the Office of the Director of National Intelligence.’”
The official said every civilian CFO Act agency has signed a memorandum of agreement with DHS to implement the continuous monitoring tools and software. DHS received $183 million from Congress in 2013 to implement CDM.
DHS in August awarded 17 companies a spot on a blanket purchase agreement to bid on task orders to implement more than 20 tools to improve agency cybersecurity.
The DHS official also said while the law does not let DHS pay for implementation at ODNI, DoD or the CIA, the agencies still can order from the CDM contract.
Spaulding, who has been the deputy undersecretary of NPPD since September 2011 and has been acting undersecretary since May, would replace Rand Beers if confirmed by the Senate.
Beers is the current acting DHS secretary and is expected to leave government when a new DHS secretary is confirmed by the Senate. President Barack Obama has yet to nominate a replacement for Janet Napolitano, who left earlier this month to be president of the University of California.
Beyond legal constraints, Spaulding also said the CDM program is facing budget challenges.
In an answer to pre-hearing questions from the senators about how sequestration has impacted NPPD, Spaulding wrote in fiscal 2013, “NPPD delayed the development of new National Cybersecurity Protection System (NCPS) capabilities to address emerging cybersecurity priorities, reduced the number of federal devices that will be covered by the CDM program … .”
She didn’t offer more details in terms of how many devices and which ones DHS had to delay.
The NCPS program is the umbrella program run by the U.S. Computer Emergency Readiness Team (U.S. CERT) that includes the Einstein 3 intrusion detection and prevention program and information sharing capabilities.
Spaulding wrote to senators that DHS will achieve initial operating capability of the information sharing tool in 2015 and full operational capability in 2018.
“DHS has received appropriated funds for information sharing, and it has begun the planning efforts necessary to implement all elements of NCPS Information Sharing and is preparing for an Acquisition Decision E-2B review in second quarter FY 2014,” she wrote. NCPS “will provide a secure environment for sharing Cybersecurity information with a wide range of security operations and information sharing centers across federal, state, local, tribal, private, and international boundaries.”
The Einstein program also needs legislative help.
Spaulding wrote that DHS requested legislation to clarify its authority to deploy Einstein across federal civilian networks and to provide operational assistance to OMB’s oversight of federal IT network security efforts under the Federal Information Security Management Act (FISMA), among other things.
The legislation needs to:
Modernize FISMA and reflect the existing DHS role in agencies’ federal network information security policies;
Clarify existing operational responsibilities for DHS in cybersecurity; and
Update the Homeland Security Act to reflect the organizational maturation of the DHS cybersecurity mission and provide acquisition and workforce flexibility to support that mission, commensurate with the flexibility of federal partners such as DoD.
The House in April approved an update to FISMA, but the bill doesn’t codify DHS’ authority to secure the dot-gov domain.
The Senate has yet to consider an update to FISMA.
Spaulding offered details on the progress of several other cyber initiatives, including that the Federal Network Resilience office is finalizing the Cybersecurity Performance Management Operations guide to add clarity around FISMA metrics.
The document will provide users with a matrix outlining communication activities, clarity into the procedures, practices and expectations among agencies and an impact matrix to identify specific criteria to assess the quality of cyber questions.
Spaulding also continued to press Congress in her pre-hearing questions to give DHS special hiring authority for cybersecurity employees.
Special hiring authority still needed
DHS wants legislation that would establish cyber positions in the excepted service, letting the secretary make direct appointments, set compensation rates and pay additional benefits and incentives.
Additionally, DHS is working to ensure its current workforce has the necessary cyber skills.
“As part of this work, the department has identified 1,200 positions performing mission critical cybersecurity work, and experts from across [the] components are developing and executing departmentwide human capital strategies, policies and programs intended to enhance that workforce,” she wrote. “Currently, the department is finalizing training and evaluation standards aimed at ensuring cybersecurity employees have access to the highest quality training and that new DHS hires are recruited and developed in alignment with departmental standards. In addition, several pilot programs have been launched to grow the pipeline for DHS cybersecurity talent through targeted outreach to academic institutions as well as organizations dedicated to veterans’ employment.”