Expectations rise for DHS cyber initiative in wake of recent ransomware attack


The recent WannaCry ransomware attack was a perfect example of why 2017 is a big year for the Homeland Security Department’s continuous diagnostics and mitigation (CDM) program.

When DHS got word of the ongoing attack in Europe and Asia, officials told agencies that had implemented CDM dashboards to check them, figure out where their biggest areas of vulnerability were and take care of those systems.

Those agencies without such a dashboard had a more difficult time tracking down that data.

Over the next seven months, Kevin Cox, DHS’s CDM program manager, said his office plans to deploy the dashboards at some of the larger federal agencies as part of Phase 1 of CDM.


“Currently, we’re also working with those agencies to deploy their agency dashboards, and we have 11 agencies that currently have those in place and we’re working with them to configure the dashboard for full use so that they can begin to use and get the visibility of the current state of their networks, and help prioritize areas of cyber risk,” Cox said during an interview on Ask the CIO. “What the agency dashboard will be doing is taking feeds of the data from all of the tools and then allowing the agencies to run reports across their enterprise to identify where the strengths of their network are, in other words those systems that are well configured have good overall cybersecurity hygiene, and then where the areas of weakness are so that they can get resources out there to get those assets, those end-points, those network devices patched to bring those areas, those assets up to a proper level of cyber hygiene. So then that’s allowing the agencies to prioritize and ensure the worst things are getting fixed first and then once the agency dashboards are in place, we’re looking at the summer to get the federal dashboard to get it in place. It will be authorized by around June/July time frame. We’ll do a little testing thereafter.”

Eventually, DHS expects to launch the federal dashboard, which will take summary feeds from all the agency dashboards to help get an enterprise view of the government’s cyber posture.

The federal dashboard will help DHS and the Office of Management and Budget decide on the areas that need more focused resources to further strengthen systems and data, and continue to combat the ever-increasing threat.

“What we’re looking at right now is if we’re deploying the federal dashboard out by the summer, what we will do from there is start to work with the individual agencies that already have their agency dashboards in place and work one-by-one with them to get the connection set up so that they can send their data up to the federal dashboard,” Cox said. “The schedule for getting all of the agency dashboards out — definitely through the end of the calendar year 2017 on into the first quarter of calendar year 2018.”

When those dashboards are fully operational, the next time—and there will be a next time—a massive cyber attack hits the private and public sectors, agencies will quickly be able to pull the necessary data and implement fixes in a short amount of time.

By getting the agency and federal dashboards running in 2017, DHS can spend more time moving agencies to Phases Two and Three.

The General Services Administration, acting as DHS’s procurement arm, awarded a contract for Phase Two in November. Under a $102 million deal, CGI will provide software tools for privileged-user management and credential management.

Cox said the privileged-user management tools will give agencies a better “understanding of the administrative users on the network and what they’re doing.”

The credential management tools will help agencies track anyone within the agency who has credentials for the network.

Cox said the credential management tools will help agencies “ensure that we have the awareness of the users but also an awareness of what they have access to.”

Under Phase Three, DHS will look for tools to help agencies understand what is happening on their networks and gain more visibility into the actual network traffic.

“It’s looking at the perimeters of these agency networks to ensure that any gaps that there may be today, that the tools are procured to help those agencies get visibility in the areas that they need. And more importantly, it’s really looking at a lot of process,” he said. “So Phase Three includes the implementation of an ongoing assessment, ongoing authorization, which is the idea of really transforming the way cybersecurity is done today in the federal network. Traditionally it’s been manual assessments of controls and continuous three-year assessments of the agency systems to this idea that once a system is authorized it can continually be assessed and then that authorization is ongoing. There doesn’t necessarily need to be a break in that, rather the system is always monitored. The agency always has awareness of how well it is patched, how it is configured. So that’s going to be a big part of Phase Three, is really getting that ongoing assessment, ongoing authorization process defined and then deployed, working with the agencies throughout the agency environments.”

Cox added that the other key piece of Phase Three is making sure all agencies are standardized with regard to incident detection and incident reporting up through US-CERT and the National Cybersecurity and Communications Integration Center (NCCIC).

The other part of CDM in which Cox expects to make considerable progress this year is the continuous monitoring-as-a-service (CMaaS) initiative.

GSA awarded an $85.4 million contract in July 2016 to ManTech to provide CMaaS to 44 small and micro agencies.

“[T]he shared services is providing those non-CFO Act agencies both Phase One and Phase Two capabilities. And that process is underway,” Cox said. “The advantage of doing the shared service is that it allows us to achieve some cost efficiencies through the centralization and it allows the agencies to have their own view into their environment but use it in a centralized environment. Where we are with that shared service roll out to the non-CFO Act agencies for Phase One is we’re starting to move into the security authorization process for that shared service system.”