DHS hones dynamic approach to securing agency computer networks

From: FederalNewsRadio.com 1500AM

By Jason Miller

For more than a decade, the biggest criticism of the Federal Information Security Management Act is the static nature of how agencies reviewed their systems — on average every three years.

Congress has attempted to update FISMA for more than three years with requirements for agencies to take a new, dynamic approach to securing their systems, but its efforts have stalled. So the Obama administration slowly has been using policy and regulations to make the change to continuous monitoring.

The Homeland Security Department took the biggest step yet Monday by releasing policy, detailing requirements on what continuous monitoring looks like and giving agencies and vendors a clearer idea of how they will be expected to implement it.

“For the last several years, we’ve been talking about getting away from the elements of process and compliance of an earlier time and heading out to continuous monitoring,” said John Streufert, the director of the National Cyber Security Division at DHS, in an interview with Federal News Radio. “So with our discussions with colleagues in the continuous monitoring working group [of the CIO Council] we are settling in on five core capabilities of continuous monitoring.”

The five areas are:

  • Hardware asset management
  • Software whitelisting and asset management
  • Vulnerability management
  • Configuration settings
  • Anti-virus

These are five of the 20 most common system vulnerabilities as determined by a government-private sector group of experts. The group, which included the FBI, DHS, the National Institute of Standards and Technology and several others, published the Consensus Audit Guidelines in February 2009.

DHS would spend more than $200 million in fiscal 2013 to install a common set of tools, including a diagnostic dashboard, and implement a security data warehouse on each agency’s network. Agencies then would provide DHS with summary data through the CyberScope tool, giving them a more complete view of the vulnerabilities and threats across government. In the fiscal 2011 FISMA report to Congress, the Office of Management and Budget found 78 percent of agencies submitted data automatically to CyberScope.

Congress still must approve President Obama’s request for DHS.

Lawmakers have responded positively to the $202 million budget request. The House approved the White House request in full, saying in the report on the DHS spending bill, “Specifically, the funds shall be used to provide adequate, risk-based, and cost-effective cybersecurity to address escalating and rapidly evolving threats to information security, to include the acquisition of an automated and continuous monitoring program.”

The full House passed the DHS appropriations bill June 7.

The Senate would allocate $183.6 million for these efforts. In its report, the committee stated continuous monitoring “will provide for robust implementation but also a disciplined approach to ensure lessons are learned before deployment to all federal agencies.”

Both bills require DHS to submit an expenditure plan with details on timeline and process for implementation before they can spend a majority of the funds.

“If it should be passed, we anticipate discussions with department and agencies for implementations beginning in 2013,” Streufert said. “An important aspect of this is the fact that some of these continuous monitoring standards will widely across the methods of implementations for technology.”

Agencies should begin planning now

Until Congress approves DHS’ spending bill, the agency is preparing both agencies and vendors to implement the five security controls.

Earlier this week, DHS held a series of meetings outlining the requirements and expectations, including a concept of operations and how continuous monitoring fits in with the cloud-first and share-first policies, which OMB is emphasizing.

“We would really like to have industry to comment on them and get their best ideas so we can incorporate it in the future planning of the government around continuous monitoring,” Streufert said.

DHS also released two memos to agencies: one offers guidance on implementing continuous monitoring and another details the requirements for cloud boundary defense.

DHS officials say the memos have not been made public or provided to industry yet.

One official, who requested anonymity, said 49 criteria are in the cloud boundary defense. The requirements grew out of the Trusted Internet Connections initiative. DHS expects to issue the requirements for TIC 2.0 in September.

Alan Paller, director of research at the SANS Institute, said the policy and requirements are a game changer for federal cybersecurity.

“This is the single highest leverage project in cyber security,” Paller said. “By ensuring only software and services that meet these specs can be deployed in federal agencies, they will immediately enable the kind of continuous risk reduction and high-speed response to new threats that have long eluded most federal agencies. This also seeds the commercial world with technology that enterprises all over the country can buy to get the same benefits.”

SANS was one of the main private sector supporters of the development of the Consensus Audit Guidelines.

Few agencies have all tools in place

Streufert said nearly every agency has one or two of the tools, but few have all five. He said the State Department, the U.S. Agency for International Development, the Veterans Affairs Department and the Justice Department are out in front in both using the tools and taking advantage of continuous monitoring.

In their presentation to industry and agencies, DHS said 80 percent of all attacks take advantage of known vulnerabilities and configuration management weaknesses. These five tools would help close up those unprotected areas, and give agencies a more immediate approach to finding and fixing new weak spots in their network defenses.

“The goal of this proposed DHS program in 2013 is to infuse a little bit of money and try to get some standard approaches to these five areas and get them as evenly as we can across all of dot-gov,” Streufert said.

The concept of operations for continuous monitoring includes three implementation approaches:

  • Internally operated services, where DHS installs and agencies run their own sensors and dashboard.
  • Continuous monitoring-as-a-service (CMaaS). DHS plans on issuing a request for proposals in 6-to-9 months for public or private sector organizations to provide these services to other agencies.
  • Cloud provider security services. This approach is considered “turn-key,” where vendors provide all aspects of the cyber services, including hardware, software and security. It’s an entirely outsourced operation, DHS officials say.

Each agency will have to decide which approach works best for them based on the application they are putting in the cloud. If the software needs to be protected at the moderate or high level, then running the services internally or using a federal CMaaS provider may make the most sense.

Vendors wanting to provide cloud services and/or cloud security services to the government will have to meet the continuous monitoring requirements detailed in the documents. They also have to get their systems approved by the third-party assessment organizations under the FedRAMP program.

DHS said agencies who are just cloud security providers would self-certify they meet the federal standards, and then have one of the third-party companies review their self-assessment.

Homeland Security officials would not comment on their acquisition strategy or how many vendors would provide these cloud security services.

“We are looking for industry help in three particular areas: continuous monitoring, which includes the five areas, the display and action of the data all hinges on the dashboard and the third area we are beginning to study in greater detail and will come back to industry on is getting continuous monitoring as service,” Streufert said. “We want to get the right sensors, the right dashboard and get industry involved in the question of how those tools are put to work in departments and agencies.”

Streufert said agencies need to start planning how those sensors will be put to use on their networks and how continuous monitoring will substitute for the current static approach to FISMA reviews of systems.

The DHS official said there will be multiple opportunities for agency and vendor participation in the coming months, including the ability to comment on a Federal Register notice to change procurement regulations to include continuous monitoring requirements.
