The second major piece of the continuous monitoring cybersecurity program is underway. The General Services Administration earlier this month awarded a contract for the cybersecurity dashboard to help agencies understand the health of their computer networks more easily and more often.
The Homeland Security Department oversees the continuous diagnostics and mitigation (CDM) program, and GSA acts as its procurement arm.
GSA awarded a $47.3 million contract to Metrica Team Venture — a team of five companies under the Alliant small business contract.
Metrica, InfoReliance, Decypher Technologies, Texas Management Associates and TIST Corp., received the one-year contract with four one-year options.
“We had a kickoff meeting just yesterday where we saw some of the suppliers’ plans, calendars and timelines. We are expecting to get an initial operating capability of the dashboard in the fall, prior to Thanksgiving is the initial thinking and based on their initial plans,” said Jim Piche, a group manager at GSA’s FEDSIM office, who oversees the management and administration of the CDM contract. “First the operational level, a roll-up level at the agency level and then an even higher roll-up at the federal government, a federated level. What we are dealing with here is trying to make sure that the right levels of government staff have the information they need to deal with the problems. We are not suggesting that we take the operational level information from the departments or from those network operations centers because you end up with information overload, analysis paralysis. We want that actionable data to reside with those organizations that have the ability to do something with it. But the information that is truly dashboard information then gets rolled up at the agency level and then further at the federal level.”
Federal view only at first
A GSA spokeswoman said the Metrica Team Venture will “provide software design and development services and software/hardware for a series of dashboard releases, or instances. The dashboard created under this procurement will be used to automate FISMA compliance reporting mandated by OMB, including reporting through the currently used FISMA reporting tool, CyberScope.”
The spokeswoman said DHS’ longer-term goal is to make the completed dashboard functionality available to other agencies so they can manage and report their vulnerability to cyber-attacks.
The current task order, however, covers only the implementation of a federal-level dashboard.
This latest task order award was the second in what is expected to be a series of contracts under the $6 billion CDM program. GSA awarded 17 companies a spot on the blanket purchase agreement in August to provide products and services. The dashboard task order, however, was not placed through this BPA.
GSA made the first award under the CDM program in January for $60 million worth of cyber tools.
Piche, who spoke as part of a panel discussion Wednesday on CDM sponsored by FedInsider and the ImmixGroup in Washington, said GSA is working on several other RFQs in the coming months for products and services, grouping agencies by shared characteristics such as geography, technology architecture or their current installed base of systems.
All of these tools and dashboards serve one main goal of the program.
“As we do this, it is important to get back to the data. But getting to the data is not the reason we do this. It’s to make risk decisions,” said Bob Brese, the Energy Department chief information officer. “The piece about continuous authorization has to get the people to have the impact part of the risk equation in their pockets. I will tell you from my experience that’s been the most difficult part of this whole project is getting the people that own the impact part of this equation to take ownership for it, to articulate it and to be communicative with us so we can figure out what the ‘R’ is in the equation. Because in the end, it’s their risk. If they don’t own it, no one owns it.”
Educating what risk means
He said it’s that risk decision that matters the most because a threat or vulnerability at one part of DoE may not mean the same risk to another part of the agency.
Brese said the dashboard will help technology officials and business process owners decide how meaningful the data is so they can determine risk more uniformly.
Jeff Eisensmith, the chief information security officer at DHS, said educating the mission owners about cyber risks is among his biggest jobs.
Eisensmith said he expects the dashboard to provide actionable information for security experts and business owners alike.
“I hope the dashboard will show a screen that the information security officer will see in the morning and he or she will know what the top 10 systems are to prosecute that day. They need to be patched, they’ve got vulnerabilities or something is wrong,” he said. “What are the three systems that I knew were there yesterday, but are not on the map today so let me go hunt those down. And this one over here, I don’t know what it is so I have to chase that down. That to me is what I hope to do with the data from the CDM. It has to be actionable and the dashboard is going to be a huge piece of that.”
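To make concrete the three tiers Piche describes (operational detail stays with the network operations center; the agency and federal views carry only roll-ups) and the morning checks Eisensmith describes (the top systems to prosecute, systems that dropped off the map, systems nobody recognizes), here is an added example. It is not code from the CDM program, GSA, DHS or any of the contractors named above. The inventory snapshots, host and agency names, the 0-10 severity scores, the 9.0/7.0 thresholds and the scoring weights are all constructed assumptions for illustration; a real CDM feed would carry actual asset and vulnerability data from the sensors.

```python
"""Added illustration of a CDM-style dashboard: operational, agency and
federal tiers plus asset-drift checks.  All data below is constructed."""
from collections import defaultdict

# Constructed inventory snapshots, one record per observed host.
# "findings" are severity scores on a 0-10 scale (CVSS-like), not real CVEs.
YESTERDAY = [
    {"host": "web-01", "agency": "AgencyA", "findings": [9.8, 7.5]},
    {"host": "db-01",  "agency": "AgencyA", "findings": [5.3]},
    {"host": "lab-07", "agency": "AgencyB", "findings": [7.2, 7.0, 6.1]},
    {"host": "ws-22",  "agency": "AgencyB", "findings": []},
]
TODAY = [
    {"host": "web-01", "agency": "AgencyA", "findings": [9.8, 7.5]},
    {"host": "db-01",  "agency": "AgencyA", "findings": [5.3, 4.0]},
    {"host": "lab-07", "agency": "AgencyB", "findings": [7.2, 7.0, 6.1]},
    {"host": "tmp-99", "agency": "AgencyB", "findings": [8.8]},  # not authorized
]
# Authorized hardware inventory: the "map" a missing or unknown host is judged against.
AUTHORIZED = {"web-01", "db-01", "lab-07", "ws-22"}

CRITICAL = 9.0  # assumed threshold
HIGH = 7.0      # assumed threshold


def host_risk(record):
    """Operational-tier score: the worst finding dominates, with a small
    penalty per additional finding so two highs outrank one high."""
    scores = sorted(record["findings"], reverse=True)
    if not scores:
        return 0.0
    return round(scores[0] + 0.1 * (len(scores) - 1), 2)


def top_systems(snapshot, n=10):
    """Ranked list an ISSO would work that day. This detail stays at the
    operational tier and is never rolled up to agency or federal views."""
    ranked = sorted(snapshot, key=host_risk, reverse=True)
    return [(r["host"], host_risk(r)) for r in ranked[:n] if host_risk(r) > 0]


def agency_rollup(snapshot):
    """Agency tier: counts and averages per agency, no host names."""
    agg = defaultdict(lambda: {"hosts": 0, "critical": 0, "high": 0, "risk_sum": 0.0})
    for r in snapshot:
        a = agg[r["agency"]]
        a["hosts"] += 1
        a["critical"] += sum(1 for s in r["findings"] if s >= CRITICAL)
        a["high"] += sum(1 for s in r["findings"] if HIGH <= s < CRITICAL)
        a["risk_sum"] += host_risk(r)
    return {
        agency: {
            "hosts": a["hosts"],
            "critical": a["critical"],
            "high": a["high"],
            "mean_risk": round(a["risk_sum"] / a["hosts"], 2),
        }
        for agency, a in agg.items()
    }


def federal_rollup(agency_view):
    """Federal tier: one row across all agencies, naming only the agency
    with the highest mean risk so leadership knows where to look first."""
    worst = max(agency_view, key=lambda k: agency_view[k]["mean_risk"])
    return {
        "agencies": len(agency_view),
        "hosts": sum(v["hosts"] for v in agency_view.values()),
        "critical": sum(v["critical"] for v in agency_view.values()),
        "high": sum(v["high"] for v in agency_view.values()),
        "highest_risk_agency": worst,
    }


def asset_drift(yesterday, today, authorized):
    """The two hunts: hosts seen yesterday but absent today, and hosts on
    the network today that are not in the authorized inventory."""
    seen_yesterday = {r["host"] for r in yesterday}
    seen_today = {r["host"] for r in today}
    return {
        "missing": sorted(seen_yesterday - seen_today),
        "unknown": sorted(seen_today - authorized),
    }


if __name__ == "__main__":
    print("Top systems today:", top_systems(TODAY, 3))
    agencies = agency_rollup(TODAY)
    print("Agency view:", agencies)
    print("Federal view:", federal_rollup(agencies))
    print("Asset drift:", asset_drift(YESTERDAY, TODAY, AUTHORIZED))
```

The point of the tiering is in what each function drops: `top_systems` keeps host names because that is where remediation happens, `agency_rollup` deliberately discards them, and `federal_rollup` keeps only one agency name, the one someone at the federal level can actually act on. The unknown host `tmp-99` shows up in the drift check before anyone has scored it, which is the behavior Eisensmith is asking for.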
GSA’s Piche said the dashboard contract is part of the phase 1 capabilities, which also include the initial set of tools for hardware asset management, software asset management, configuration management and vulnerability management.
Phase 2 will provide agencies with access control management, credentials, authentication tools and boundary protection. Piche said phase 3 capabilities are expected to be in place in 2015 and will include tools and services around risk management, policy management and governance.
Piche said GSA also is looking to add new products to the CDM contract, but the vendors have to be on Schedule 70 to be added to the BPA.
While GSA and DHS work on putting the CDM capabilities in place, several agencies are moving ahead with installing continuous monitoring capabilities.
DHS and Energy both are ahead of many agencies when it comes to CDM, which includes dashboards.
Out of the pilot stage
Eisensmith said DHS has moved 22 systems out of a pilot stage into a full production environment under its ongoing authorization and accreditation (A&A) program.
“We briefed the Office of Management and Budget; we briefed the National Institute of Standards and Technology. NIST is going to go back and reevaluate and maybe make some adjustments to 800-137. And overall, the level of engagement from the mission owners in making those risk decisions about the systems is wonderful,” Eisensmith said. “The biggest gain that we got is it’s no longer just the security professionals making those decisions about risk. There is something called an operational risk management board. That board is made up of mission owners, people from network operations as well as security people. So, risks are now made at a holistic mission oriented decision point to say, ‘what does this mean to me, not just from a security standpoint, but from a mission delivery standpoint.’ That’s one of the major things that we said, ‘Yeah let’s go ahead and do this. That’s the way forward.'”
Eisensmith said he’s preparing several systems to come under the A&A standard, but first the system owners must decide which controls are most important and which ones can be automated.
“Right now, it’s only those systems that have a really good continuous monitoring framework, are getting great continuous monitoring scores, the owners are engaged and if I feel all those things are present, then I allow them in,” he said.
At Energy, Brese said the national labs have accepted continuous monitoring as a best practice and are moving to use these technologies.
Brese said Energy has a dashboard featuring the 30 biggest threats or vulnerabilities for its Windows, Linux and endpoint devices.
But Brese said Energy may never have one program across all parts of the department.
“We need more than one solution. It’s not reasonable or a technically responsible position to take that the DoE should be homogenous in the way that it approaches cybersecurity and CDM,” he said. “While there are times when we would love to identify a solution we could spread ubiquitously throughout DoE, and holistically solve world hunger, on the cybersecurity side, it’s not going to happen. We really have to look a lot more toward standards of practice, and best practices becoming common practice, and information sharing is an incredibly important part of that. It’s one of the things we probably spend more time on in the department than anything else.”
Brese said the next step is to sell the notion to others around the department and look for ways to improve continuous monitoring so it becomes a much more effective capability.