Last spring, then-Defense Department Chief Information Officer John Zangardi said automation would be the key to the next iteration of the cybersecurity scorecard.
Now, almost 10 months later, more details are coming out on what the DoD cybersecurity scorecard 2.0 will look like, how it will harness automation and whether it will actually act as more than just a barometer for cyber hygiene in the department.
The first version of the cybersecurity scorecard was created to help senior leaders get a feel for where their agencies are when it comes to protecting networks.
DoD hopes to turn that scorecard into an actionable plan and system that will strengthen DoD systems and possibly save money.
“When we talk about automation, we talk about the provisioning of services that are automatically instrumented. I’m sure you’re familiar with the concept of continuous monitoring, you’ve probably heard about comply to connect. Part of what we are talking about for scorecard 2.0 is how do we provision services and introduce comply to connect in an operational context in a way that we either assure ourselves and each other that the enterprise is to a level of health that we can see operationally,” acting DoD Deputy CIO for Cybersecurity Ed Brindley said during a Feb. 27 AFCEA event in Arlington, Va.
For those who don’t know, comply to connect requires that a device be updated and patched before it can connect to a network.
Brindley said DoD currently collects and integrates some data manually, but with scorecard 2.0 it wants to integrate automation on the frontend and backend of a system. The goal is to use the automatic collection of data to glean cybersecurity hygiene trends about an agency or service.
“Rather than a data call ‘Hey I need your latest, give me your scorecard input,’” Brindley said, those data points would be automatically collected and aggregated into conclusions.
Acting Director of Cybersecurity and Information Assurance for the Army CIO Col. Donald Bray said the technology to achieve this exists; it’s just a matter of monitoring and updating the cyber controls they use as systems face new risks and threats.
“Once you are into operations, we’ll be able to build security into provisioning services and monitor the current state… We really haven’t fully employed continuous monitoring,” Bray said. He added that DoD currently does not have all the tools it needs to do that.
Zangardi announced back in May that DoD was also looking at updating its cybersecurity scorecard.
The first version measured 11 things, was static and relied on self-reporting, Zangardi said in May 2017.
Some of those things included ensuring that:
Host-Based Security Systems (HBSS) are implemented.
Every computer is (a) properly patched and (b) properly configured.
All internet-facing web servers are moved to approved demilitarized zones.
All (a) Windows XP, (b) Windows Server 2003, and (c) older operating system software are removed from both the unclassified and classified networks.
“It was a move from not knowing what you have, to beginning to know what you have, and when you can measure something, you can do something about it,” Zangardi said. “Because we measured things, we could cajole people, we could encourage people to do the right thing, to make the investment.”
But the way those items were measured wasn’t dynamic, Zangardi said, which is why 2.0 will be more about automated reporting and looking at things like a heat map, “so we understand the threat better.”
“So we want to improve what we’re doing, drive higher standards,” he said. “But we want to be dynamic, we want to be able to get to the latest information about our network quickly.”
Brindley said DoD still needs to have a discussion about what metrics matter.
“What you measure and what you pay attention to will give you insights or maybe confuse you, maybe let you pull the thread on something or drill down and really what we want in terms of automation is to associate operational indicators in terms of the infrastructure and automate the way we generate the metrics and we want the metrics to matter in a way that we can scale,” Brindley said. “Today we’ve got a core set of metrics that are very fixed. We’d like to relate it for the commanders who have to run the structure, for the operators and the services providers who have to run the day-to-day and for the leadership.”