The Homeland Security Department will stand up the federal continuous diagnostics and mitigation dashboard later this month, as close to 20 agencies now are reporting threats in near-real-time on their own dashboards.
The federal dashboard will compile summary feeds from all the agency dashboards, which will give the administration a broad view of the government’s cyber posture. Eventually, the federal dashboard will help DHS and the Office of Management and Budget decide where best to direct their resources to strengthen agency systems.
“[DHS] will be receiving feeds from those agency dashboards,” Jeanette Manfra, assistant secretary of cybersecurity and communications at the department, told the House Homeland Security Cybersecurity and Infrastructure Protection Subcommittee Tuesday. “That will then allow us to have more near-real-time understanding of what those sensors are identifying on those agency networks and allow us to better prioritize vulnerability management for our agencies.”
“We do see a lot of potential for CDM in the ability to deliver tools at a lower cost across agencies,” Manfra said. “This is the first time that many agencies have had access to this level of automated data to understand what is on their network. We see a lot of potential for this, but for many agencies, there’s a lot of capability that has to be built. We’re continuing to take advantage of things like shared services [and] more capability from DHS to deploy to agencies who need it most.”
Congress, meanwhile, is still looking for a comprehensive cybersecurity strategy from DHS.
The 2017 National Defense Authorization Act gave the department until March 23 to outline the details of DHS’ role in securing federal networks and how it plans to deal with future challenges.
That strategy is still in draft form in the DHS Office of Policy, said Christopher Krebs, senior official performing the duties of the undersecretary of the National Protection and Programs Directorate.
The department is still complying with the reporting requirements in the president’s own cybersecurity executive order, Krebs said, and DHS is waiting to see how those new reports may inform the strategy it submits to Congress.
A complete reorganization and restructuring of the department’s cybersecurity functions may also play a part in the DHS strategy.
The House Homeland Security Committee passed the Cybersecurity and Infrastructure Security Agency Act, which would reorganize and rename the National Protection and Programs Directorate. The legislation would redesignate NPPD out of the DHS headquarters function as its own cybersecurity agency.
Committee Chairman Mike McCaul (R-Texas) has received strong support from former federal cyber executives and private sector experts to create a separate DHS agency focused on cyber. But the bill hasn’t gone to the House floor for debate.
The committee passed a similar bill last Congress, but again, the legislation never made it to the House floor for debate or a vote.
Krebs said he’s seen confusion play out recently over the NPPD and its roles and responsibilities when he visited Puerto Rico last week with acting Secretary Elaine Duke to discuss the DHS response to Hurricane Maria.
He briefed officials on the territory’s communications infrastructure, where he was introduced as the senior official performing the duties of the undersecretary of the National Protection and Programs Directorate.
“Try repeating that back; it’s not easy,” Krebs said. “Someone who has never heard that before immediately went on to a press interview, and alongside the TSA administrator, vice commandant of the Coast Guard, the secretary of homeland security, the FEMA regional administrator, and she said, ‘We have FEMA, TSA, Coast Guard and the comms guy.’ She didn’t know how to describe me. When I’m out engaging my stakeholders, they don’t understand the mission I deliver. I need help in clarifying that.”
Both Krebs and Manfra said they backed the House committee’s bill.
“It’ll allow us to introduce some operational efficiencies, looking at common infrastructure across the organization, push them together so that we are more streamlined in how we engage and deliver services from a customer-service orientation,” Krebs said. “Second, it’ll help with our branding and clarify roles and responsibilities, not just within NPPD but more importantly with our federal partners, state and local partners and with the private sector. Finally, what that’s going to do is give us the ability to attract talent.”
Attracting cyber talent has long been a challenge for DHS, and it has continued to be a longstanding frustration even after Congress gave the department direct-hire authority to recruit top professionals.
The National Protection and Programs Directorate and DHS Office of Cybersecurity and Communications have about 76 percent of their cyber jobs staffed now. NPPD will have 85 percent of its jobs staffed once candidates completely get through the hiring pipeline.
Manfra said her office is working with the DHS Office of the Chief Human Capital Officer to find areas where they can cut down the time to hire.
The department did cut down its average time-to-hire for cybersecurity professionals by 10 percent, Manfra added.
Currently, it takes DHS about 224 days to hire a cybersecurity professional, she said. The security clearance process eats up the majority of that time, as most of the department’s cyber positions require a top-secret clearance.
“That sounds long, but that … include[s] a top-secret SCI clearance process, which is actually, for the benchmark of the rest of the government, we’re actually doing quite well,” Manfra said.
The Homeland Security Department, like many other agencies looking for top cyber talent, has struggled to quickly recruit and retain certain professionals.
Manfra believes that before the congressional direct-hire authority, DHS wasn’t fully using the hiring flexibilities and recruitment programs it already had to bring on new people. She said now, with full attention from the DHS CHCO and other leaders, the department will have multiple pathways to recruit and retain new cyber talent.