The strategy highlights three steps the government will take over the next three years, including integrating supply chain risk management capabilities and processes in the federal market.
“We will create a supply chain risk assessment shared repository, address deficiencies in the federal acquisition process, and seek more streamlined authorities to exclude high risk vendors,” the strategy states.
Brown said NGA is looking at how it scrutinizes the hardware and software connecting to its system.
“In my world, there is some confusion over whether it’s a counterintelligence problem or a cybersecurity problem. I like to say it’s an IT problem,” Brown said during a recent panel at the AFCEA NOVA IC IT day, which was recorded for a “Live Ask the CIO.” “If you looked up in the NGA directorate of office, you would not see a supply chain risk management office and we need that.”
He added that NGA is focused on big issues like the White House’s executive order banning Chinese companies such as ZTE and Huawei, as well as the day-to-day challenges that come with technology.
Mike Ryan, the deputy chief information security officer at NRO, said on the same panel that supply chain risk management must go down to the chip level.
“We need to develop more of a zero trust approach where you can monitor and do something about it after you have the technology because you really can’t tell,” he said.
Ryan said NRO is applying the risk management framework to address not just supply chain challenges, but also ways to make it easier to get systems accredited and approved and add automation to ensure applications are continuously monitored.
Part of that effort is a new cyber heat map that NRO deployed.
“All of the systems of record are scored on their [cryptographic] hash level, their end of life software, how much of a risk they have depending on what accesses there are into the network they are running on, and we have redone our calculations to focus more on the basic hygiene on what systems have to do,” Ryan said. “It’s hard to go to a system and say here are 500 controls or vulnerabilities they need to patch now so we need to give them a way to prioritize that. We are looking at what vulnerabilities are exploitable from where you sit on our network. Patch those first and your score will go down.”
He said another key piece of this effort is ensuring configuration management processes are in place as part of the continuous monitoring effort.
DHS is piloting its Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm, developed with the State and Justice departments, which scores an agency’s attack surface. AWARE uses basic measurements such as vulnerability management and configuration management, weighted by age and criticality.
Ryan said NRO is using the dashboard to help inform the system owner and CISO’s offices, but also the agency leadership.
“Some of the systems that were scoring high on the heat map were not necessarily the riskiest things to the director of our agency. We wanted to find a way to make sure he knew what systems really were the most risky that were connected to the internet with a connection to another enclave that we thought was protected, but it might not be,” he said. “That is when we started reevaluating and not just looking at the system as a whole, but expanding it to where you are looking more at the mission threat.”
NRO also is planning to add confidentiality, integrity and availability scores individually and as an aggregate to the heat map. Ryan said those scores will help NRO make better decisions about the state of a system.
“Before, the formula or algorithm we used was so complicated you just knew where you were relative to others, but it didn’t have any meat to it to explain what it is,” he said. “Now you have 100 systems with private IP addresses that, when you scan them, aren’t configured to tell you if it’s a Windows 7 or Windows XP box or what have you. We want to get people to get that hygiene better. The other thing is using the CIA [confidentiality, integrity and availability] formula, and having an aggregate will allow the director to make better risk decisions based on where the threat really is. We also will incorporate a kind of a credit score. How much credibility does the system have? If they have a plan of actions and milestones (POA&M) on their system to go patch XYZ vulnerability and they say they will do it at the next system up build, but they’ve done that for the last two years and keep getting extended, their credibility score will go down and that will impact their position on the heat map.”
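The scoring ideas in the passages above (AWARE's measurements weighted by age and criticality, Ryan's "patch what is exploitable from where you sit first", a CIA aggregate, and a POA&M credibility score that decays with repeated extensions) can be made concrete in one small ranking model. The block below is an added illustration, not NRO's heat map or DHS's AWARE algorithm: the weight tables, the age and credibility formulas, the field names and the three sample systems are all assumptions chosen for the demonstration.

```python
"""Illustrative cyber heat-map scoring (added example; not NRO's or DHS's code).
All weights, formulas and sample systems below are assumptions for illustration."""
from dataclasses import dataclass, replace

# Assumed weights: how much a finding counts by criticality, and by where an
# attacker would have to sit to reach it (the "exploitable from where you sit" idea).
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
EXPOSURE_WEIGHT = {"internet": 3.0, "enclave": 2.0, "internal": 1.0}


@dataclass
class Vuln:
    vid: str
    severity: str        # key of SEVERITY_WEIGHT
    age_days: int        # how long the finding has been open
    reachable_from: str  # key of EXPOSURE_WEIGHT


@dataclass
class System:
    name: str
    vulns: list
    eol_software: bool       # runs end-of-life software
    cia: tuple               # (confidentiality, integrity, availability) impact, each 1..3
    poam_extensions: int     # times a POA&M milestone has been pushed out
    unidentified_os: bool = False  # scanner cannot tell what OS it is (hygiene gap)


def vuln_weight(v: Vuln) -> float:
    """Criticality weighted by age (assumed: +10% per 30 days open, capped at 2x)
    and by exposure."""
    age_factor = min(2.0, 1.0 + v.age_days / 300.0)
    return SEVERITY_WEIGHT[v.severity] * age_factor * EXPOSURE_WEIGHT[v.reachable_from]


def credibility(system: System) -> float:
    """Assumed 'credit score': 1.0 when POA&M dates are met, minus 20% per extension,
    floored at 0.2 so a chronically slipping system is scored up to 5x."""
    return max(0.2, 1.0 - 0.2 * system.poam_extensions)


def cia_aggregate(cia: tuple) -> float:
    """Normalize the three 1..3 impact ratings to a 1/3..1 multiplier."""
    return sum(cia) / 9.0


def hygiene_penalty(system: System) -> float:
    """Flat penalties for the basic-hygiene gaps Ryan mentions (assumed values)."""
    return (5.0 if system.eol_software else 0.0) + (5.0 if system.unidentified_os else 0.0)


def score(system: System) -> float:
    """Higher is worse. Dividing by credibility raises the score of a system whose
    remediation promises keep slipping."""
    vuln_total = sum(vuln_weight(v) for v in system.vulns)
    raw = (vuln_total + hygiene_penalty(system)) * cia_aggregate(system.cia)
    return round(raw / credibility(system), 2)


def heat_map(systems: list) -> list:
    """Rank systems worst-first as (score, name) tuples."""
    return sorted(((score(s), s.name) for s in systems), reverse=True)


def patch_reachable_from(system: System, exposure: str) -> System:
    """Model 'patch the exploitable ones first': drop every finding reachable
    from the given exposure and return the updated system."""
    return replace(system, vulns=[v for v in system.vulns if v.reachable_from != exposure])


# Constructed sample inventory (not real systems).
SAMPLE_SYSTEMS = [
    System("gis-web",
           [Vuln("V1", "critical", 150, "internet"), Vuln("V2", "medium", 300, "internal")],
           eol_software=False, cia=(3, 3, 2), poam_extensions=2),
    System("legacy-fileserver",
           [Vuln("V3", "high", 600, "enclave"), Vuln("V4", "low", 0, "internal")],
           eol_software=True, cia=(1, 2, 3), poam_extensions=0, unidentified_os=True),
    System("hr-db",
           [Vuln("V5", "critical", 0, "internal")],
           eol_software=False, cia=(3, 3, 3), poam_extensions=1),
]

if __name__ == "__main__":
    for s, name in heat_map(SAMPLE_SYSTEMS):
        print(f"{name:20s} {s:7.2f}")
    fixed = patch_reachable_from(SAMPLE_SYSTEMS[0], "internet")
    print(f"{fixed.name} after patching internet-reachable findings: {score(fixed):.2f}")
```

Running it ranks gis-web far above the others because its one critical finding is reachable from the internet and its POA&M has slipped twice; patching only that internet-reachable finding drops its score from 75.56 to 8.89, below both other systems, which is the prioritization effect the heat map is meant to drive. The legacy file server's score is dominated by hygiene penalties rather than findings, so its fix is configuration work rather than patching.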
Architecture review in progress
Brown said because NGA’s mission set has a big unclassified presence, the challenges around cyber hygiene are a bit different.
“We can’t just dump a new tool or capability into the architecture without saying what are we going to remove? The agents on the host are just adding up and the security stack on the boundary is second-to-none, but what results in that is the workforce being very frustrated with network performance. It’s very secure, but it can be very slow,” he said. “The last six months forced us to have very close relationships with what I’ll call the IT shop, who manage our IT operations and our design and build shops. When the network is down or users have latency problems, it’s the helpdesk that gets the call. We have to partner with them to understand the problem and work with our engineering staff.”
NGA is conducting a review of its security architecture to identify overlapping tools, gaps and current and future requirements, especially as the agency moves more to the cloud.
“Over the last couple of years, we’ve spent a lot of cycles in standing up a cyber threat intelligence shop. We started slow, built that up and worked closely with our counterintelligence cyber teams,” Brown said. “On our risk management side of the CISO role, we now have a cyber threat team that is providing threat intelligence on systems we have to authorize.”