The Defense Information Systems Agency is the latest agency to move to a continuous monitoring risk-based scoring system to better understand the health of its computer networks.
DISA is in the early stages of implementing this burgeoning cybersecurity methodology in order to measure cyber risk against mission needs. Dave Bennett, DISA’s chief information officer, said the continuous monitoring risk scoring system (CMRS) looks at a variety of factors to give the agency a score based on a set of predetermined analytics.
“One of those factors is continuous scanning of your environment to say what does your application look like relative to Security Technical Implementation Guide (STIG) findings or to Information Assurance Vulnerability Management (IAVM) implementations and other things like this,” Bennett said Wednesday after his speech at the AFCEA Bethesda Cybersecurity Technology Symposium in Washington. “What CMRS really drives you to is that constant awareness where you are constantly looking and constantly evaluating and looking at things from a slightly different perspective.”
Bennett said DISA will be able to determine threats against its networks individually and collectively to better determine how to mitigate or fix the problems.
“Those become some of the tradeoffs that CMRS and some of the tools like AKASS are starting to give us the capability to do is see how those things come together and look at it differently,” he said.
DISA, like many parts of the Defense Department, is just getting started implementing CMRS. DISA’s webpage for CMRS says the online system displays risk dashboards based on published host-based security system (HBSS) and assured compliance assessment solution (ACAS) data so users can determine cybersecurity risk.
Usable, understandable and consistent data
Bennett said that, at the same time, DISA is implementing ACAS, a tool that automatically identifies configuration vulnerabilities and includes a scanning device, a report generator and a hierarchical reporting capability to the vulnerability management system (VMS). The ACAS tool is a follow-on capability to the secure configuration compliance validation initiative (SCCVI) tool.
“We’re working through what’s the best way to implement it and how to most effectively generate reports out of it so people can get access to the reports quickly and understand what they mean, and then take action against that, and that flows up to CMRS,” he said. “We really are working through those dynamics right now to figure out how to most optimally use things and build our concept of operations and tactics, techniques and procedures around the tools so we know what kind of information we can get out of it and what’s the value of it. Then, bringing that into CMRS and we can start to understand the context of things that says how is my capability more secure or less secure over a period of time with the context associated with it.”
Bennett said the goal is to provide the cyber risk data to all parts of DISA in a way that’s usable, understandable and consistent.
The move by agencies to a continuous monitoring, risk-based scoring system has slowly been growing over the last five years.
And, of course, the Homeland Security Department’s continuous mitigation and diagnostics (CDM) program, led by former State chief information security officer John Streufert, includes this risk-based scoring system approach.
But for DISA, and DoD’s CMRS effort more broadly, it’s about more than just understanding the health of its networks. Bennett said DISA is trying to achieve accountability, centralization and standardization across all of its IT assets.
Bennett said CMRS helps bring all three to DISA, at least from a cyber perspective. It creates accountability for the program owner because they know how secure their project is. It creates centralization because all of the data is reported up to a common dashboard. And it creates standardization because every program is reporting on the same metrics about its cyber health.
“We need to be ruthless on how we standardize around things,” he said. “We’ve had the mindset of supporting everything that comes through the door, any architecture, any technology. But that becomes very difficult from hosting activity perspective to ensure you have the right safeguards and defensive boundaries when you need to support everything under the sun. I’m not sure how to go about standardization in most effective way short of throwing manpower and leveraging tools. We haven’t mastered it yet.”
Bennett said the Joint Information Environment (JIE) is a key piece to those three goals and it’s broader than just cybersecurity, though the implementation of joint regional security stacks (JRSS) does further add to the DoD-wide security controls. Bennett said the long-time approach to DoD IT was to scatter capabilities across every camp, post and station with little to no interoperability or communication. He said it was hard to understand what the network looked like and how to defend it.
So now the JIE and the JRSS are changing that view of IT. “It is bringing a lot of that security boundary out of the post, camp and station and bringing it up to an intermediate level so that you reduce that footprint, you standardize and consolidate and reduce the number of touch points that you have to worry about,” he said.
Bennett said achieving the standardization, accountability and centralization must take into account all stakeholders’ needs, including cyber, program or mission and developers.
“It’s basically a full team effort to look at what’s the right approach, what’s the right architecture, what’s the right security that goes around that architecture and what’s that architecture that folks can build to that is most supportive of how we want to do business going forward,” Bennett said. “When you have that dialogue upfront, then you are able to start driving things to a more standard approach, and have a better understanding from a security perspective, then it’s easier to monitor, maintain and operate in the long run.”