Agencies complete step one of DHS cyber directive, now comes the hard part

The recent completion of step one of the Homeland Security Department’s Sept. 13 Binding Operational Directive, which requires agencies to remove all Kaspersky Lab products from their IT systems within 90 days, may have been easier for some agencies than for others.

Under the BOD, agencies had 30 days to identify where these products live on their networks and systems. For the roughly 20 agencies that have implemented the continuous diagnostics and mitigation (CDM) program dashboard, the data collection was the easy part.

Laura Delaney, the deputy director of Network Security Deployment at DHS and a member of the Information Security and Privacy Advisory Board (ISPAB), said through the dashboards, agencies have, for maybe the first time, a holistic view of their networks.

“Previously for a data call like this, an email goes down through the entire agency and it might hit some agencies past the due date, and sometimes not at all. And those who get the email have to determine if they have the data. Some don’t know and say ‘check the procurement records.’ But if the software was bought through other direct costs (ODCs), then who knows,” Delaney said at the ISPAB meeting on Friday in Washington, D.C. “CDM will ease getting information and improve the validity of the information.”


But identifying Kaspersky products may have been the easy part, not just for those 20 agencies but for all departments.

Over the next 60 days, agencies have to come up with a plan and remove these products from their networks once and for all.

While many cyber experts say that removing any software product from a system or network, especially without additional funding, is much harder than it seems, initial data shows Kaspersky products are not as deeply intertwined with federal systems as many might think.

There is good news from step one of the BOD.

Michael Duffy, chief of the Federal Network Resilience Division at DHS, said Oct. 27 that not only have a majority of agencies met the initial 30-day deadline to identify what Kaspersky Lab products they have on their networks, but fewer than half of all agencies say they actually have Kaspersky products on their systems.

Duffy, who spoke at the ISPAB meeting, said DHS and the Office of Management and Budget relied on the definition of a federal information system in OMB Circular A-130 to set the scope of what agencies needed to analyze.

Under A-130, OMB defined a federal information system as “an information system used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency.”

Duffy said that means agencies had to analyze systems beyond those on premises, including systems in the cloud and anything contractors operate on behalf of the government.
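As an added example, not part of the article and not DHS or CDM code, the following script shows what a vendor data call looks like when it is run against an inventory that covers the full A-130 scope (agency-operated, contractor-operated and cloud-hosted systems) rather than answered from procurement records. The inventory records, host names and the product-name matching heuristic are constructed for illustration; the directive, not this script, defines which products are covered.

```python
"""Added example (not from the article or DHS): scoping a BOD-style software
data call over an inventory that covers every federal information system as
OMB Circular A-130 defines it: agency-operated, contractor-operated and
cloud-hosted. All records below are constructed for illustration."""
from collections import defaultdict

# Constructed inventory export: one record per installed software title.
# "operator" and "hosting" capture the A-130 scope; "source" records how the
# install was discovered (endpoint agent, network scan, or procurement data).
INVENTORY = [
    {"host": "hq-ws-0114", "operator": "agency", "hosting": "on-prem",
     "publisher": "Kaspersky Lab", "product": "Kaspersky Endpoint Security",
     "source": "agent"},
    {"host": "hq-ws-0115", "operator": "agency", "hosting": "on-prem",
     "publisher": "Microsoft Corporation", "product": "Windows Defender",
     "source": "agent"},
    {"host": "vendor-lab-07", "operator": "contractor", "hosting": "on-prem",
     "publisher": "KASPERSKY LAB ZAO", "product": "Kaspersky Small Office Security",
     "source": "scan"},
    {"host": "ec2-app-3", "operator": "agency", "hosting": "cloud",
     "publisher": "Acme Security", "product": "Acme AV (Kaspersky engine)",
     "source": "agent"},
    {"host": "ec2-app-3", "operator": "agency", "hosting": "cloud",
     "publisher": "Kaspersky", "product": "Kaspersky Security for Virtualization",
     "source": "procurement"},
    {"host": "saas-mailgw-1", "operator": "other-org", "hosting": "cloud",
     "publisher": "Some SaaS Inc", "product": "Mail Gateway",
     "source": "procurement"},
    {"host": "field-lt-221", "operator": "agency", "hosting": "on-prem",
     "publisher": "Kaspersky Lab", "product": "Kaspersky Anti-Virus",
     "source": "procurement"},
]

VENDOR_TOKEN = "kaspersky"


def is_vendor_product(record, token=VENDOR_TOKEN):
    """Case-insensitive match on the publisher OR the product name.

    Matching the product string too is an assumption made here so that
    OEM/embedded use of a vendor engine surfaces for review; the directive
    itself, not this heuristic, defines which products are covered."""
    return (token in record["publisher"].lower()
            or token in record["product"].lower())


def find_vendor_installs(inventory, token=VENDOR_TOKEN):
    """Every inventory record attributable to the vendor."""
    return [r for r in inventory if is_vendor_product(r, token)]


def summarize_by_scope(hits):
    """Distinct affected hosts per (operator, hosting) bucket, so the report
    shows all three A-130 cases rather than only on-prem agency hosts."""
    buckets = defaultdict(set)
    for r in hits:
        buckets[(r["operator"], r["hosting"])].add(r["host"])
    return {k: len(v) for k, v in buckets.items()}


def hosts_not_in(hits, source):
    """Affected hosts with no record from `source`. With source="procurement"
    this is the set an email data call answered from purchase records would
    miss (for example, software bought through other direct costs)."""
    by_host = defaultdict(set)
    for r in hits:
        by_host[r["host"]].add(r["source"])
    return sorted(h for h, seen in by_host.items() if source not in seen)


if __name__ == "__main__":
    hits = find_vendor_installs(INVENTORY)
    print("vendor records:", len(hits))
    for scope, n in sorted(summarize_by_scope(hits).items()):
        print(f"  {scope[0]:<11} {scope[1]:<8} hosts={n}")
    print("not visible in procurement:", hosts_not_in(hits, "procurement"))
```

The point of `hosts_not_in` is the one Delaney makes: two of the four affected hosts in this constructed data were found only by an agent or a scan and have no procurement record at all, so a data call routed through purchasing would have reported them as clean.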

“We worked with the National Institute of Standards and Technology, the General Services Administration and OMB in partnership to make sure it was clear across all stakeholder groups in the government about what we were asking for and what was expected of them,” Duffy said. “What we’ve tried to do is have agencies determine the risk for themselves versus us trying to micromanage it.”

Agencies now move into stage two where they are developing a plan for how they will remove these software titles. Those strategies are due to DHS by mid-November.

Duffy said DHS may have a better idea of the challenges agencies face in getting rid of Kaspersky Lab software once the plans come back to them next month.

Agencies also are seeing benefits from CDM tools around closing critical vulnerabilities.

Duffy said at the board meeting that DHS found earlier in October that for the first time agencies had no critical vulnerabilities open for more than 30 days.

DHS has been tracking agency critical vulnerabilities since the 2015 cyber sprint, when it found hundreds that had been open for more than 30 days.

“This is an incredible success,” Duffy said. “It shows our ability to measure and motivate. It’s not just a quick turnaround action, but it’s a change in the way the dot-gov culture behaves. It’s part of a downward slope of bad things impacting agencies in the cyber environment across government.”

In a document obtained by Federal News Radio in 2015, agencies said they had more than 50 critical vulnerabilities open for more than 30 days and more than 75 active critical vulnerabilities. Several agencies listed double-digit vulnerabilities open for more than 30 days and/or active problems.
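The two numbers the article tracks, active critical vulnerabilities and critical vulnerabilities open for more than 30 days, are easy to get wrong when computed from a raw findings export (closed findings counted as open, or a finding counted as active before it was ever discovered). The script below is an added example, not DHS or CDM code, that computes both per agency for an arbitrary as-of date. The findings are constructed, and the aging clock (first-seen date to the as-of date) is an assumption, since the article does not say how DHS measures it.

```python
"""Added example (not from the article or DHS): computing the two metrics the
article cites, active critical vulnerabilities and critical vulnerabilities
open for more than 30 days, from a findings export. The findings are
constructed; the aging clock (first_seen to the as-of date) is an assumption,
since the article does not state how DHS measures it."""
from datetime import date

OPEN_THRESHOLD_DAYS = 30

# Constructed findings: one row per (agency, host, finding). "closed" is None
# while the finding is still active.
FINDINGS = [
    {"agency": "A", "host": "a-web-1", "id": "F-1", "severity": "critical",
     "first_seen": date(2017, 9, 1), "closed": None},
    {"agency": "A", "host": "a-db-2", "id": "F-2", "severity": "critical",
     "first_seen": date(2017, 10, 10), "closed": None},
    {"agency": "A", "host": "a-db-2", "id": "F-3", "severity": "high",
     "first_seen": date(2017, 8, 1), "closed": None},
    {"agency": "B", "host": "b-app-1", "id": "F-4", "severity": "critical",
     "first_seen": date(2017, 8, 15), "closed": date(2017, 9, 10)},
    {"agency": "B", "host": "b-app-1", "id": "F-5", "severity": "critical",
     "first_seen": date(2017, 10, 1), "closed": None},
]


def _to_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string, as exports usually carry."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def is_active(finding, as_of):
    """Open on the as-of date: discovered by then and not yet closed.
    Evaluating at an arbitrary as_of lets one export reproduce a
    historical snapshot instead of only today's figure."""
    if finding["first_seen"] > as_of:
        return False
    return finding["closed"] is None or finding["closed"] > as_of


def days_open(finding, as_of):
    """Age of a finding that is active on as_of."""
    return (as_of - finding["first_seen"]).days


def aging_report(findings, as_of, threshold=OPEN_THRESHOLD_DAYS):
    """Per agency: active critical count, count open longer than the
    threshold, and the age of the oldest active critical finding."""
    as_of = _to_date(as_of)
    report = {}
    for f in findings:
        if f["severity"] != "critical":
            continue
        entry = report.setdefault(f["agency"], {
            "active_critical": 0, "over_threshold": 0, "oldest_days": 0})
        if not is_active(f, as_of):
            continue
        age = days_open(f, as_of)
        entry["active_critical"] += 1
        if age > threshold:
            entry["over_threshold"] += 1
        entry["oldest_days"] = max(entry["oldest_days"], age)
    return report


def all_within_threshold(report):
    """True when no agency has a critical finding older than the threshold."""
    return all(e["over_threshold"] == 0 for e in report.values())


if __name__ == "__main__":
    for as_of in ("2017-09-05", "2017-10-27"):
        rep = aging_report(FINDINGS, as_of)
        print(as_of, "all within 30 days:", all_within_threshold(rep))
        for agency, e in sorted(rep.items()):
            print(f"  {agency}: active={e['active_critical']} "
                  f"over_{OPEN_THRESHOLD_DAYS}d={e['over_threshold']} "
                  f"oldest={e['oldest_days']}d")
```

Note that the same data gives a clean 30-day result on 2017-09-05 and a failing one on 2017-10-27: the threshold metric is only meaningful alongside the as-of date it was measured on, which is why a dashboard that recomputes it continuously is worth more than a one-off data call.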

There has been a lot of impatience and doubt about CDM over the past four years, but these two initiatives show both the value of the program and why agencies are champing at the bit to implement it more quickly.