
Oct 16

Feds Tackle Continuous Monitoring

From: BankInfoSecurity.com

$6 Billion Initiative Addresses Holes in Federal, State Systems

By Jeffrey Roman

In the next five years, the federal government will work to centralize, for civilian agencies’ networks, a way to identify cyberflaws and to employ continuous monitoring tools to remediate them, the Department of Homeland Security’s John Streufert says.

The DHS initiative, known as the Continuous Diagnostic and Mitigation program, offers federal, state and local government agencies the ability to purchase discounted hardware, software and services to assess risks and present those risks in a continuously updated dashboard.

Earlier this year, the federal government earmarked up to $6 billion to be spent for agencies to acquire goods and services for the project [see $6 Billion DHS IT Security Plan Advances]. The money for this initiative is not part of the funding plan that Congress failed to enact, which caused the partial government shutdown.

“The belief was by doing that in a single location, DHS in this instance, there could be economies of scale in ordering and some unified effort as … departments, agencies and other smaller federal organizations move to incorporate this technology in their daily business,” Streufert says in the first of a two-part interview with Information Security Media Group [transcript below].

Phase One

The first phase, a rollout occurring over three years, is aimed at getting civilian agencies to employ continuous diagnostic tools to improve vulnerability management, enforce strong compliance settings, manage hardware and software assets and establish whitelisting of approved services and applications, Streufert says.

“We know that 80 percent of the incidents which occur that involve some kind of problem of exfiltrating of data lean on cyberflaws that are previously known,” he says. “The objectives … in the first phase are designed in a way to see to it that the problems in those areas of civilian networks are reduced.”

Later, the initiative will move into other areas, including those that deal with privileges, Streufert says.

“We’re eventually trying to cover as many of the known weaknesses that are recorded in NIST [Special Publication] 800-53,” he says. “That’s a lot of ground to cover, so dividing it into approximately thirds was … arrived at to balance against both money and the time available of the staff to work on these issues.”

In the interview, Streufert:

  • Explains why the federal government refers to continuous monitoring as “continuous diagnostics;”
  • Discusses the goals of the Continuous Diagnostic and Mitigation program;
  • Delineates the responsibilities of agencies and DHS in implementing the new program.

In the second part of the interview, Streufert addresses the challenges of managing the new program, including overseeing vendors [see Expanding Continuous Diagnostic Effort].

Streufert serves as the director of Federal Network Resilience within the National Protection and Programs Directorate at DHS. From 2006 to 2012, he served as the State Department’s chief information security officer, where he instituted a program that resulted in an 89 percent reduction in risk in 12 months.

Continuous Diagnostics
