Are agencies making the grade on cyber hygiene? DHS looks to find out with AWARE algorithm

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Agencies are supposed to be bolstering their network cybersecurity under continuous diagnostics and mitigation (CDM). But what if they had a single number, like a credit score, that tracked how much progress they’ve made on some of the cyber hygiene steps that lead to CDM?

That’s what Kevin Cox, the Department of Homeland Security’s CDM program manager, has in mind. Speaking Wednesday at a Federal Computer Week summit, he shed light on DHS’s Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm, which assigns a score for where each agency stands on configuration management and supporting critical vulnerabilities.

“It’s looking at a few key variables and then assigning a score to that agency to help understand how that agency is doing overall with that cyber hygiene process,” Cox said.

Larger, more complex agencies have larger and more complex networks. But Cox said the AWARE algorithm takes an apples-to-apples approach to what agencies are monitoring.

“By looking at the total number of endpoints against the score, we can come up with a per-endpoint average, so you can look agency-by-agency how each agency is doing compared to the other agencies,” Cox said. “We’ll be able to have a scale as to what agencies are doing well and what agencies might need some additional support.”

How it works

Cox shed more light on what’s under the hood of the AWARE algorithm following the FCW event. For one thing, he added that unlike a credit score, a low algorithm score is actually a good thing.

“We want the score to be lower because that reflects that there are fewer vulnerabilities on that system, there are fewer misconfigurations,” he said. “The overall attack surface is smaller than what it would be if were a higher score.”

The algorithm calculates a final score for agencies based on 30 controls borrowed from the Defense Information Systems Agency’s Security Technical Implementation Guides (STIGs).

“It’s taking a look at the vulnerability data tied to the [Common Vulnerability Scoring System] scoring, and then kind of the special sauce that there’s some weighting occurring,” Cox said in an explanation of how the grading process works. “So it’s looking at particular vulnerabilities — if they’re the highest level of the scale, a 10, a critical vulnerability, that’s going to be weighted much higher than a three.”

The scoring also taking into consideration the age of critical vulnerabilities.

“So if the vulnerability is one week old versus two months old, the two-month-old vulnerability is going to have a higher weighting than lower,” he added.

In a lot of cases, Cox said the settings DHS borrowed from DISA’s STIG aren’t so much a letter grade as they are pass-fail.

“It’s really looking to see, ‘Is this configuration in place or is it not?’ And so if it’s not, then that gets reflected in the score,” he said. “Most of them are either on-or-off type settings. So it’s simply a check to see, is that configuration properly set, so then the agency is protected. And if it’s not set, then it’s an avenue that the adversary can use to get in on the system.”

The AWARE algorithm will grade agencies along 30 pass-fail controls. But Cox said DHS may eventually throw more controls into the mix.

“We’re recognizing that it would not be the best approach for us to come in and say, ‘Everybody now has to implement this one configuration baseline, and you have to do at the start 200 controls.’ So what we started with is the DISA STIGs,” Cox said.

So what if your agency gets a bad AWARE score? Cox said agency partners might have second thoughts about plugging into those networks.

“Eventually what we want to do is get the aware score down to the system level, so then if I am an agency, and I have a system connecting out to another agency’s system, and I want to make sure that I’m not connecting a system that’s not properly managed, I could take a look at their AWARE score, and if it’s a poor score, I’m going to have some questions about establishing that peer-to-peer connection,” he said.

Learning from other agencies

But DHS isn’t the first agency to have broken ground on algorithms like this. Cox explains how DHS learned from other agencies in this space.

State Department developed its iPost algorithm and the Justice Department has its Security Posture Dashboard. Both deliver similar functions.

“A lot of what they’re doing is the same thing,” Cox said.

DHS looks to roll out the AWARE algorithm sometime in fiscal 2020. Once fully launched, Cox said it’ll help give DHS a big-picture perspective on CDM.

“In many ways, AWARE is simply an instrument to get an overall view across the entire federal enterprise. As we work to operationalize over the next few quarters, we’re going to be looking at how each agency looks, what it looks like environment-by-environment,” Cox said. “But over time … that’s going to give us a sense of what the overall federal landscape looks like.”

DHS only makes up half the equation of CDM, but it’s finding buy-in from agencies — at least from those making the most progress.

Sanjay Gupta, the Small Business Administration’s chief technology officer, said the agency is working with Cox’s team at DHS to kick off a 90-day CDM pilot.

“We’re looking at a single set of tools. They’re implemented in the cloud and they have visibility across all IT assets in the Small Business Administration, Gupta said.

 Following his presentation, Gupta said SBA and DHS are still working on defining and scoping the pilot, and don’t yet have an estimate of when they’ll kick off the CDM pilot.

“It’s hard to predict, because we’re trying to make sure all parties — DHS, GSA, OMB and SBA — are in concert with that,” Gupta said. “So we’re trying to get organized.”

Federal News Radio Executive Editor Jason Miller contributed reporting. 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.