It’s hard to manage what you don’t measure.
We’ve all heard the saying in various contexts, but this is especially true on the cyber front. In fiscal 2014, agencies reported spending $3.8 billion to monitor federal networks for internal and external malicious cyber activity and another $3.1 billion to detect, analyze and mitigate intrusions, according to an annual information security report to Congress. The 100-page report details a year’s worth of data on how well agencies perform a number of security-related tasks, including PIV card implementation, employee security awareness training and continuous monitoring.
But the truth is agencies — and oversight organizations — need a more dynamic approach for measuring if security investments are yielding results. While it’s helpful to see where agencies excel or fall short, the data is stale long before it’s printed and published.
That’s where the Department of Homeland Security’s flagship cybersecurity program comes in. The Continuous Diagnostics and Mitigation program, or CDM for short, has made great strides in rolling out automated tools to help agencies identify, prioritize and fix their biggest security risks first.
As you’d expect, a program of this magnitude is being implemented in phases. Phase one is focused on helping agencies better manage what hardware and software is connected to their networks, whether those assets are properly configured and what known vulnerabilities could cause the agency harm. “As of the end of FY 2014, over 1.7 million licenses for these security monitoring tools and products had been purchased and distributed to agencies,” the annual report noted. “This marked a major step in the implementation of CDM and demonstrated the efficiency of the BPA [blanket purchase agreement], which achieved $26 million in cost-avoidance when compared to the GSA General Schedule.”
A highly anticipated rollout under the program is the availability of agency-level dashboards, which will provide a consolidated view of an agency’s security posture and what impact the monitoring tools, or sensors, have in identifying risks, said Mark Kneidinger, Senior Advisor for the DHS’ Federal Network Resilience. Kneidinger, who spoke last week at the Symantec Government Symposium in Washington, D.C., said the dashboard will play a key role in helping agencies to make better security decisions and address their worst problems first.
He expects the agency dashboards will be available by June. Summary data from those dashboards will feed into a federal dashboard and provide a governmentwide view of network security. The federal dashboard won’t be available until the beginning of fiscal 2016, Kneidinger said.
One challenge that DHS and participating agencies will have to sort through is “how do you best use that information,” he added.
There will be increased information coming to the chief information security officer, and training will be required to show agencies how best to use their expanded inventory of sensors and the dashboard. The sensor base will assist in further protecting critical apps, but will that information be shared with the mission owners and other pertinent groups?
“That’s an area where further relationship building, I think, is going to be key,” Kneidinger said.
One solution to improve sharing of cyber data is to develop communities of interest that include CISOs, CIOs and mission owners from across agencies, who can exchange information on what they’ve gleaned from CDM data, what problems they’re facing and lessons learned. “Rarely are you really getting that sharing of details up and down,” Kneidinger said, noting that he expects communities of interest to expand.
CDM and OMB Reporting
Another benefit of the CDM program is that it should alleviate some of the struggles agencies have with submitting data to the Office of Management and Budget (OMB), Grant Schneider, CDM oversight lead for OMB, said at the Symantec conference.
Part of the problem is that OMB’s timetables for collecting data have changed over time, and so have the questions to agencies detailing what data OMB wants.
Through CDM, “we will be able to collect data in a way that it is repeatable and automated,” Schneider said. OMB is engaging with the CISO community as it develops information security reporting requirements for fiscal 2016. Meantime, OMB is also considering whether the 2015 reporting requirements need updating to align with the Federal Information Security Modernization Act that passed Congress in December. OMB is considering what policies must be in place to fully implement the law.
The end goal is to ensure “that we’re doing things that are actually helping us from an outcome standpoint, as opposed to helping us from a compliance only standpoint,” Schneider said.