The success or failure of the continuous diagnostics and mitigation program comes down to a simple premise: Will the right people in each agency use the data to solve their most pressing cyber threats immediately or will the information languish with the wrong people?
The Homeland Security Department is betting on the former by taking specific steps to ensure the right people have the right data to protect federal networks.
John Streufert, the director of federal network resilience at DHS, said one of the future task orders under the CDM program is to pair subject matter experts with agency chief information security officers and system administrators to ensure they understand and use the information from the network sensors and other cyber tools, including a dashboard, currently in the implementation stage.
“That dashboard will see to it that the sensor data, which is collected, queues up those worst problems, first in a way so the departments and agencies know every morning when they open their list of problems to take care of, they are working on the most serious problem affecting the organization from a technical point of view,” Streufert said in an interview with Federal News Radio after speaking on a panel Wednesday about CDM at the Cybersecurity Summit sponsored by AFCEA’s Washington, D.C. chapter.
“We really have a composite of actions to take which are to find the most challenging of the technical problems, but also to understand how those systems affect the business operations of the cabinet department or agency,” he continued. “So it’s that extra involvement of the business executives that benefit from many of the current FISMA quarterly reports will have that added bit of information to highlight exactly the kinds of changes that are most necessary to protect their systems and important data.”
Foundation under construction
To help agencies get the most out of the sensors, DHS will run a series of task order competitions in the coming weeks among the 17 CDM blanket purchase agreement contract holders to provide both the technology and the subject matter expertise to meet this goal.
“We have to get the labor to run the sensors. We’ve already purchased tools to fill in the gaps for a number of agencies who are starting from scratch or need to get a common look across their entire organization. We expect that to dominate the rest of this fiscal year’s competitive activity,” he said. “Then we are setting the stage for the next phase of our program, which will talk about managing privileges.”
DHS issued a request for information on April 21 to get vendor feedback on how best to manage privileges of system administrators under CDM. Streufert said DHS plans to host industry days, webinars and to release a draft RFP in the coming months.
Some experts say the CDM program could falter if agencies don’t understand the difference between mitigation and monitoring.
Alan Paller, the director of research for the SANS Institute, said, during the panel, that mitigation is solving the most pressing cyber problems. Monitoring is knowing there is a problem, but not necessarily acting on it.
“We are on the edge,” he said. “If we are only sending data and no one is using it, what’s it matter?”
“Automation is essential, and it’s worth every dollar you spend on it, but it’s oversold and has failed in almost every case because you need the people to do something with the data,” he said.
SANS is planning a CDM workshop in August where Paller promises to call out the vendors who are providing mitigation versus monitoring.
In fact, Paller said SANS may also detail public ratings on vendors and agencies in how they meet the goals of CDM and how they implement SANS 20 critical controls.
Streufert said it would be a “tragic mistake” for agencies not to use the data provided by the sensors under the CDM program.
“A portion of the system challenges come through outdated software or system elements that do not meet all the needed business purposes of the department or agency, and that’s where the ongoing conversations between known threats on existing systems and the future directions that the technology programs of the departments and agencies need to take can come together in a very beneficial way.”