When federal Chief Information Officer Suzette Kent spoke on May 9 at the Justice Department’s cyber symposium, she teased the fact that three new cyber policies were coming soon.
At the time, she said in the next 30 days, the Office of Management and Budget and the Homeland Security Department would issue updated guidance on the Trusted Internet Connection (TIC), cloud computing and managing high-value assets.
Little did we know at the time, DHS had issued a new Binding Operational Directive (BOD) two days earlier to change the way civilian agencies manage high-value assets (HVAs).
DHS published the BOD on Friday — more than two weeks after Kent spoke — detailing new requirements, expanded use of risk and vulnerability assessments (RVAs) and security architecture reviews (SARs), and extending the scope of the agencies that need to report the systems and the data that matter to the most to them from just the CFO Act agencies to every civilian agency across government.
“Based on operational insights and lessons learned, DHS is enhancing its approach to conducting these [RVA and SAR] engagements to provide agencies with improved results and findings by expanding system scope, refining assessment methodologies, and using less-constrained penetration testing approaches to resemble tactics, techniques, and procedures used by advanced threat actors attempting to gain unauthorized access,” DHS states in the May 7 directive.
This new BOD replaces the one DHS issued in 2016 that created the focus on and protection of HVAs for the largest agencies.
Joe Stuntz, the vice president of client services and cybersecurity practice leader at One World Identity and a former policy lead for the OMB’s cyber and national security unit, said the BOD moves agencies closer to addressing cyber risk from an enterprise perspective.
“Performing system architecture reviews are really important. It’s good to talk about protecting HVAs when you are building new stuff, but it’s hard when dealing with the legacy systems the government has. So by doing architecture reviews you can see where the faults and issues are being put into the system and where design changes are needed,” Stuntz said in an interview. “It’s not just about patching everything, but architecture reviews could help fix a system at the fundamental level. SARs for all HVAs is important because it’s also helpful to understand system interfaces because if you don’t understand where it’s connecting and sending data to, you will be less effective in securing the enterprise.”
Another major change in the new BOD is when DHS can perform penetration testing.
“Agencies shall impose no restrictions on the timing and/or frequency of the assessments, the services to be provided by DHS, or the scope of systems that are part of or related to the HVA being assessed,” the BOD states.
Stuntz and other former federal cyber officials say this is an important change because agencies were trying to tell DHS not to test their systems during certain times of the day or weeks of the month, but the reality is hackers don’t take any days off. The BOD stops limiting DHS’ access to assess risk and no longer puts the government at a disadvantage to the advesaries.
Over the last two years, DHS conducted 100 RVAs, and plans to do another 60 in 2018 alone. DHS says the RVA and SRA efforts are making a big difference with agencies reducing the time to patch critical vulnerabilities to 10-to-15 days on average down from 200 days in 2014.
John Banghart, a senior director for technology risk management at Venable and a former director of federal cybersecurity at the National Security Council under President Barack Obama, said this change also signals the trust agencies have in DHS.
“I think what we’ve seen thanks to the great leadership at DHS, people like [former DHS Deputy Undersecretary for Cybersecurity and Communications for the National Protection and Programs Directorate] Phyllis Schneck and now [current DHS Assistant Secretary for Cybersecurity and Communications] Jeanette Manfra and [the nominee to be the new Undersecretary of NPPD] Chris Krebs, the use of the BOD has been backed by an allocation of resources and expertise that really help agencies,” Banghart said in an interview. “It’s not just DHS telling them do this or that, but telling them here is what we need to do and here is how we will get you there. Agencies are trusting DHS to come help them and that goes to the overarching mindset that we are one large government agency and we are under attack in an interconnected environment.”
Stuntz agreed that the maturation of DHS and the high-value asset process led to the expansion of the BOD.
“The BOD sets in clear language that this is a priority and DHS has approval and authority to do what they need to do,” he said. “Agencies should not try to reschedule or limit them as the agency would not get the value and are wasting the capacity the government has. So the language in the BOD gives DHS the freedom to do what they need to do.”
The BOD didn’t resonate with everyone.
John Pescatore, the director of emerging security trends at the SANS Institute, said while he is supportive of focusing on HVAs, the BOD is too much of a compliance exercise. Instead, any BOD should give agencies specific actions to take and be more tactical.
“The downside of the HVA approach is historically if agencies say, ‘If I call this major application or now a HVA, and I don’t fix it quickly, I’ll get yelled at,’ so there always has been a reluctance to call something a high-value asset or a major application,” he said in an interview. “When NIST created the risk management framework, all agencies were supposed to create a risk rating for each system. What’s missing in all of this is if the government just focused on raising the security hygiene for everything instead of making 24 agencies report similar stuff, they’d be better off.”
Pescatore said he is a fan of BODs like the one for email security or to turn on secure sockets layer. He said the government took leadership in requiring agencies to use Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol
“When the BOD is another level of paperwork and to look at things, I’m not sure that increases the security of them,” he said. “Doing something increases security, but throwing new requirements over the transom haven’t been as effective historically.”
Stuntz and Banghart say the 2016 BOD has been effective and changed the way agencies protect their systems and data.
“Agencies now have two years of experience working with DHS, and, at least publicly, we haven’t heard anything breaking or shutting down because of these efforts,” Stuntz said. “Agencies know what DHS can do and they are coming in to help get more information and better prioritization. DHS provided that value back so hopefully they are more open to gaining more upfront. I do find it interesting that DHS runs the process, but OMB has a role in the selection of HVAs that get analyzed. I think that’s important from an enterprise risk perspective, and if it can be coordinated with the IT modernization efforts, that could make it even more valuable.”