As part of the preparation to implement cybersecurity continuous monitoring, agencies have one week to send the Office of Management and Budget their initial ideas of how they will move to a dynamic approach to protecting their computers, data and networks.
Under the OMB memo from November, the administration wants agency strategies by Feb. 28 on how they plan to implement information security continuous monitoring by 2017. Along with the strategy, agencies are to begin buying products and services to implement phase one of continuous monitoring.
The General Services Administration, working as the acquisition arm of DHS, awarded task orders to four companies worth a combined $60.4 million for products in January under the continuous diagnostics and mitigation (CDM) contract.
These initial deadlines kick off a summer of target dates around the CDM effort to improve governmentwide cybersecurity.
By April 30, agencies have to submit to OMB an analysis of human resources skill gaps and the names of those in charge of implementing this effort.
The personnel challenges continue to be among the hardest obstacles to overcome.
“There’s a lot of human capital employed on these cybersecurity tasks throughout all these agencies, whether it’s direct services provisions or if it’s intellectual discussions that are brought to bear,” said Peter Gouldmann, the State Department’s director of information risk programs, at a luncheon panel sponsored by AFFIRM Thursday in Washington. “Sometimes it feels like we are on the leading edge, and industry has quite caught up with us. Other times it’s the other way around. What I would look for would be a meaningful partnering engagement on the intellectual side of this problem and the creativity you speak of. Everybody is a collector of their experience and brings their broad experience to play, and we’d like to leverage a lot of that and force multiply that. It’s not enough to have that handful of cybersecurity experts at an agency. We really need hundreds, and it’s sometimes difficult to get them. We grow often within, but we’d like to ask a general call to our industry partners to focus on that human capital just like we are.”
Dashboard award imminent
By March 31, the National Institute of Standards and Technology will publish guidance establishing a process and criteria for agencies to conduct ongoing assessments and authorizations (A&A) to replace the certification and accreditation process under the Federal Information Security Management Act (FISMA).
Two months later, agencies need to be deploying information security continuous monitoring for all systems and ensuring that all systems have an authority to operate before initiating the CDM processes.
So over the next three months, OMB, NIST and other agencies have a lot of preparation for the changeover.
Agencies are waiting for a second cyber contract award for the dashboard that will collect and display cyber health data.
Steve Viar, the director of FEDSIM in GSA’s Federal Acquisition Service, said the task order under the Alliant small business governmentwide acquisition contract should be awarded in the next few weeks.
But even after GSA awards the contract, agencies still will have to come up with metrics for the dashboard.
Margie Graves, the deputy CIO at the Homeland Security Department, said the dashboard and agency surveys filled out months ago will help bring, for the first time, a unified view of cybersecurity.
“We’re all going to be involved in designing the metrics that will go on that dashboard, and what we want to make sure we do as we walk through that development is to pick those things that will be more relevant to us in order for us to be able to take those actions,” Graves said. “When we exchange those metrics and look across government, we are able to derive themes and conclusions. If you see a certain effect of an attack, being able to know what might be the root cause of that and being able to attack it from the root cause perspective.”
Graves said an interagency working group is just beginning the metric development process.
Ahead of the pack
While agencies are preparing for the move to dynamic cybersecurity, State and DHS already have taken those initial steps.
State, for example, is widely seen as the model for the CDM concept.
Gouldmann said State will have to make some changes to its current dashboard setup, called iPost. He’s unsure exactly what those changes will be because GSA hasn’t awarded a contract yet, and the metrics haven’t been determined.
At the same time, however, he said State used a lot of custom coding and a lot of design, so using the standard set of vendors under the CDM contract will be beneficial to how the department secures its networks.
DHS is a bit behind State, but Graves said it is testing the continuous monitoring concept.
“What we are doing right now is we’re taking a set of systems that we feel are camera ready for adoption of the new tools, new capabilities and new procedures that are coming forward, and putting those systems into a pilot,” she said. “Each one of our components is going through the paces of how you work in an ongoing authorization environment as opposed to what we used to do. At first, people were a little concerned because it’s a culture change. But when you tell folks that you’re no longer going to be putting the three-ring binder together and the cost associated with that, and by the way we think you will have a better picture of your system and where it sits today.”
DHS kicked off the pilot last summer at its headquarters offices, at the Citizenship and Immigration Services and at the Immigration and Customs Enforcement components.
Additionally, DHS Chief Information Security Officer Jeff Eisensmith is working across the DHS CISO council to figure out what tools the department and its components already own and are using, where the gaps are and how to integrate the CDM tools with existing technologies.
Graves said CDM will help DHS accelerate what the agency already had been doing over the past few years.
The potential of big data analytics
Even though the CDM program is just getting underway, Gouldmann and Graves said the long-term vision must be about helping agencies move to a proactive state of security and away from being so reactive to threats and attacks.
“Getting the canary in the coal mine, so to speak, to work for you is predicated on what I talked about earlier, which is the analysts learning and beginning to see patterns, and those patterns becoming predictive and starting to give you a trend analysis,” Graves said. “At some point in time, even though we are all coming into this arena together and it’s relatively new, those patterns will be recognizable. We will not catch them all because there always will be a zero day attack. But there will be some things that you will be able to put into algorithm that when you see certain data coming together and it gets correlated, and you say, ‘that looks like pattern number X’ and then you can take appropriate approach to addressing that. That learning that occurs in the human element in this is key for us being successful in this.”
Gouldmann said better analytics is an important step along the road of continuous monitoring. Even though State is ahead of most others, he said it needs plenty of help. “NIST has done some things with its program under the SCAP, where they are trying to represent this information in a way they can introduce along with the data collected through machine collectors as a way to represent that broader picture,” he said. “This is something we are looking to the CDM program from DHS to lead us down this path. I believe that this will probably begin to show itself in the dashboarding when we start to look at the visualization of all this information, how we represent that and what it tells us.”
Gouldmann said by using these automated tools, especially to do analysis, more people resources can be put toward monitoring what’s going on across the network. As users see things and provide feedback, they become part of the solution to better cybersecurity.
He said the predictive and dynamic approach is the only way agencies can have a chance against the hackers and bad actors who constantly look for new vulnerabilities and opportunities.