The Homeland Security Department (DHS) is taking a multi-pronged approach to improving federal cybersecurity — one that will more clearly define its role and expectations of agency IT leaders and include a mix of mandated and optional security services for agencies to use, according to a senior DHS official.
Speaking at the Symantec Government Symposium on Tuesday, Jeanette Manfra, Assistant Secretary for DHS’s Office of Cybersecurity and Communications, told reporters that DHS met with federal chief information and security officers to better define what the department will provide them and what they are expected to provide the department.
“Some of it will be mandated services because we need to raise the baseline of security for all agencies,” Manfra said of the services DHS will provide. “Some of them [services] will be if needed. There are some agencies that have more resources than others, that’s just the fact. And so some agencies will need some more assistance, and so we are going to be having more capabilities that will be available but not necessarily mandated.”
For background, DHS provides a host of governmentwide services and programs for the federal government, including the Continuous Diagnostics and Mitigation (CDM) program and EINSTEIN. DHS is also responsible for “scanning internet-accessible addresses and public-facing segments of federal civilian agency systems for vulnerabilities,” as noted in an Office of Management and Budget memo.
The Oct. 25 memo provides agencies with fiscal 2019 reporting guidance and deadlines to meet requirements of the Federal Information Security Modernization Act (FISMA). For those outside of the IT security community, acronyms like FISMA might not mean much, but they have huge implications for the way your agency responds to and reports cyberattacks, security breaches or any incident for that matter.
When asked what this new FISMA guidance means for agencies and DHS-run programs like CDM, Manfra said the memo reflects an evolution in cybersecurity — one that is shifting away from check-the-box security requirements.
“This has always been the case, but I think you see it much more clearly in the FISMA guidance now is agency heads, you’re accountable for your cybersecurity,” Manfra said. “DHS has programs and capabilities that are available to you.”
The guidance specifically states that “agencies are solely responsible for the state of their cybersecurity posture and must work closely with DHS in order to accomplish CDM program goals at the agency level.”
To define the benefits of CDM in layman’s terms, Manfra explained that it means agencies know every piece of hardware and software that’s connected to their system. “You can’t defend what you don’t know, so having that picture is critically important,” she said.
Most of us remember the internet panic over Heartbleed, which was a major vulnerability in the popular OpenSSL cryptographic software library. Manfra said there was a manual process across government to figure out agencies’ exposure to the vulnerability.
Now agencies can use the dashboard provided under the CDM program to quickly understand their vulnerabilities and respond accordingly. Manfra used the WannaCry ransomware as an example. Agencies could see the full scope of where they might have been exposed without having to play telephone with other chief information officers and operations managers to figure out their exposure.
“What that allows us to do now … for the next year is have faster processes,” she said.
In terms of the new guidance and its impact on CDM adoption, Manfra said, “Most agencies are very eager to take us up on CDM, so I don’t really see that this is in any way, somehow it would shift… I actually see them more eager to take our services.”
In terms of 2019 priorities, Manfra said the focus includes:
- Automating the way agencies manage vulnerabilities
- Ensuring researchers know how to connect with the government and identify vulnerabilities
- Creating environments where analysts are not overwhelmed but able to rely on machines where it makes the most sense
- Ensuring analysts can understand emerging malicious-actor tactics, techniques and procedures