The Commerce Department hasn’t been waiting patiently for the continuous diagnostics and mitigation program to get going.
For the last several years, Commerce has been testing and trying out the different tools and services that would come under the CDM program.
Rod Turk, the Commerce Department’s chief information security officer, said the goal isn’t to undermine what the Homeland Security Department is providing, but rather to make sure his agency is as prepared as possible when the tools do arrive.
“We have found that we need to upgrade our infrastructure for CDM so that it is a high-rated system rather than a moderate-rated system as far as the Federal Information Security Management Act is concerned,” Turk said. “We are making some investments on our own to put controls in place for that high system. In addition to that, as we move more tools from the CDM program into our environment, we will have to increase the size of our infrastructure so that we can actually handle all of the tools and the data flows, so we are working very closely with the CDM program to help us in that regard as well.”
Turk said that over the last several years Commerce has been investing in cyber tools, so when DHS started providing software under the CDM program, Commerce could round out its own investment and standardize the entire department on those tools.
“We now have our task order that we are working on right now. We are working on the planning phases of that. But I’m working to transition from more of the planning to more of the doing because I do have many of the tools in place,” he said. “We’re working very well with the DHS folks and we meet with them on a continuous basis and we are moving forward.”
Commerce, along with the departments of Justice, Labor and State, and the U.S. Agency for International Development, is in the third group receiving CDM tools and services under DHS’s plans.
Turk said Commerce has built out its enterprise security operations center, run by the National Oceanic and Atmospheric Administration, to begin accepting the data feeds from all the bureaus’ cyber tools.
“By the end of this fiscal year, we expect to have all of the feeds, for all of the bureaus and for all of the events and incident management type of feeds, feeding into a security information management (SIM) tool so that we can use that information that we’ve gathered and provide an early warning system and incident response system for all of the department,” he said. “We also are looking at layering into that the classified piece. We want to take the data that we gather and layer into the secret and top secret information that we have in the intelligence community. That, we think, will give us a powerful security operations center so that we can support our bureaus with incident response.”
The dashboard will provide the three basics of the CDM program: hardware management, software asset management and vulnerability management.
“You can’t protect what you don’t know you have. That is pretty basic cybersecurity. That will help us tremendously make sure we have a full bag of our assets identified so we can make sure everything is secure,” he said. “Then as we start moving into the vulnerability side, we are seeing some of it with the Binding Operational Directive, with the scanning DHS is doing and the vulnerabilities they are presenting to us by their scanning, but we expect that as this matures, we will be able to do more and more of that in-house … so we can get the vulnerabilities identified internally.”
DHS Secretary Jeh Johnson issued the first Binding Operational Directive in May 2015, requiring agencies to mitigate the most critical vulnerabilities on their Internet-facing systems within 30 days. In addition to the BOD, the Office of Management and Budget in October 2014 gave DHS the authority to regularly conduct proactive scans of certain civilian agency networks.
Turk said the new CDM tools will give Commerce bureau CIOs more information about the department’s 62 high-value assets.
“We took the top 18 and did our own assessment last fall,” he said of the 62 high-value assets. “The results of that, the plans of actions and milestones (POA&Ms) that were created and entered into our systems, those 18 became the basis for the number of high-valued assets we provided to the federal government, for the federal government to use that list to select the ones they wanted to assess. We have three or four that have been identified and will go through the DHS process.”
Turk said the governmentwide process is classified, so he can’t talk too much about it.
Commerce also continues to assess the remaining 44 high-value assets to ensure they are secure.
“We expect each one of our bureaus will continue with the standardized processes and procedures now that they have been identified, and they are aware of the high-valued nature of these assets, that they are, in fact, going to expeditiously patch, expeditiously change operating systems if necessary, and identify cybersecurity vulnerabilities as they come forward,” he said.