Many agencies have seen their IT and cybersecurity workloads balloon during the coronavirus pandemic and with more federal employees seeking remote access to networks while teleworking.
But aside from a few agencies focused on the brunt of pandemic response, the Cybersecurity and Infrastructure Security Agency has most agencies remaining on-target with keeping inventory of where their data is stored and how it’s protected under the Continuous Diagnostics and Mitigation program.
Kevin Cox, CISA’s CDM program manager, said the agency will establish the information exchange between agency dashboards and the new federal CDM dashboard in the second quarter of fiscal 2021, and will complete the migration by the end of the fourth quarter.
The new dashboard puts a focus on building agency trust in the underlying reporting data behind the dashboard and related algorithms. CISA released a minimal viable product for the federal CDM dashboard in April, and agency systems integrators are currently reviewing and deploying it.
“We have the overall process finalized, [we’re] working with agencies now to go through the criteria to make sure that data that they’re seeing down at the center level is being properly reported in the agency dashboard up through the federal dashboard,” Cox said Tuesday at a virtual Meritalk conference.
More recently, CISA has spent about nine months working on a data quality management certification process. This process, once started, will continue forward throughout the lifecycle of the program to ensure that agency officials are held to account “on what the reality is down-on-the-ground from a cybersecurity perspective,” Cox said.
Once complete, Judy Baltensperger, CISA’s project manager for the CDM dashboard, said CISA would put the federal dashboard out to seven pilot agencies by late August or early September.
Those pilots are broken up into several groups:
Group A – DHS
Group B – Agriculture Department
Group C – USAID
Group D – General Services Administration
Group E – EPA, Nuclear Regulatory Commission and National Science Foundation
Building a high level of trust in the cyber risk data allows CISA to act on this information through its Agency-wide Adaptive Risk Enumeration (AWARE) algorithm, which assigns a score for where each agency stands on configuration management and supporting critical vulnerabilities.
Cox said all 23 CFO Act agencies and 36 non-CFO Act are reporting their data to the federal dashboard, but none of their AWARE scores are fully turned on until CISA goes through the data quality management certification process.
“We want to make sure that the agencies are comfortable with their data being reported up before it’s fully operationalized through AWARE,” Cox said.
Cox said CISA has recently published the concept of operations for AWARE to help agencies understand how the algorithm works and how they can make the most of the data they get from the algorithm.
Cox said CISA will stand up a “tiger team” of specialists later this month that will work with agencies on ideas of how to evolve AWARE and how best to incorporate that feedback into the algorithm.
Baltensperger said CISA’s data certification efforts stem from agency concerns about data quality, as well as discrepancies and errors in the AWARE score data.
That will include system health monitoring for data quality, and make application error logs and system health connective status information available to the agency dashboard end-users, not just the back-end administrators.
“We’re going to start presenting that separate dashboard so that the users of the actual agency dashboard can get a health check. Is their dashboard working? Did I get full coverage? Did I see all the data sets within 72 hours and meet the proper currency? Did I have the minimum data sets to even predict an AWARE score? Because we don’t want people being graded on an AWARE score that had incomplete datasets,” Baltensperger said.
CISA, she added, will probably work through next summer to build in all those system health data quality metrics.
Following user experience testing, the new federal CDM dashboard will also provide new data visualizations beyond the AWARE score, which is based on three subsets of data.
“What we found in the past is when we only showed you the one number, you oftentimes did not understand what was the data sets that influence that number going up or down,” Baltensperger said.
In standing up the new federal dashboard, Baltensperger said CISA has taken what agencies have posted on the IT reporting platform CyberScope and used those metrics as a benchmark and compared them to what the new federal dashboard, still under construction, has shown.
“If there was a large gap, and we knew that an agency was still deploying the additional tools and centers, we were trying to measure that gap closing,” Baltensperger said. “Some of those data quality [efforts] that I was telling you about are going to start to visualize that on the screen, so that we can quickly see how close are we to having good coverage, because the agency knows what good looks like, but what we need is for both data points to match both what the user expects to see and what we are actually collecting from the tools and sensors. We want everyone to trust the data.”
CISA has also worked alongside the Small Business Administration on its efforts to secure data in the cloud through a CDM pilot. Cox said CISA recently finalized and published a report on that pilot and distributed it to agency CIOs and CISOs.
Through fiscal 2021, CISA will also focus on enterprise mobility management and work with the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence to get mobile asset reporting up on agency dashboards.
“As more and more work is done from a mobile perspective, this really lays the groundwork for us being able to do further mobile security efforts, including mobile threat detection, and being able to ultimately support agencies from things like mobile app vetting and other efforts to secure their mobile devices [and] secure the data on those mobile devices as much as we can,” Cox said.
Through the sensors and scanners deployed under CDM, Cox said CISA has helped agencies identify 75% more assets than they had tracked prior to CDM. About 80% of the unclassified IT environment, he added, has been equipped with CDM sensors.
While CISA seeks to eventually cover the entire CDM environment, Matt Hartman, the associate director of the agency’s cybersecurity division said that more than seven years into this effort, CDM meets its goal of allowing “agencies to fix their worst problems first.”