The Homeland Security Department received new marching orders last week from the Office of Management and Budget to scan certain agency networks.
This is on top of an already crowded set of cyber initiatives in front of DHS.
But Andy Ozment, the assistant secretary of the Office of Cybersecurity and Communications in DHS, said his office has a plan to continue to advance agency network security over the next year.
He said the Continuous Diagnostics and Mitigation (CDM), Einstein and Enhanced Cybersecurity Services programs are all progressing well, leaving DHS to deal with the fact that there is more demand than supply.
The CDM program is among the agency’s and the Obama administration’s top cyber priorities, and is moving into task order 2 of phase one.
“We do not have any delays in our schedule. Departments and agencies are clamoring for CDM,” Ozment said in an exclusive interview with Federal News Radio. “Our biggest problem right now is increasingly departments and agencies realize how incredibly useful this will be and they all want to be first in line. So honestly, one of our biggest challenges is coming up with a fair and equitable way of determining who is first in line. We’ve done that now and are moving forward. It gets into the procurement process so I am not going into deep detail, otherwise to say we are in great shape.”
Ozment said under phase one, DHS bought tools and services, but they have not yet been deployed across several agencies. He said task order two under phase one for different tools and services remains under development, but should be awarded and implemented over the next year.
DHS has faced something of an uphill battle with the CDM program. The most recent challenge is confusion over the dashboard contract and whether DHS chose a vendor or just finalized a set of vendors to bid on the contract.
No delays in CDM task order 2
Additionally, an April/May survey by the SANS Institute found nearly a third of respondents said their agency still was unfamiliar with the CDM program, and agencies haven’t been doing the preparation to implement the tools and services. SANS found only 21 percent of respondents said their agencies had done a formal gap assessment. Another 36 percent pointed to “informal” reviews of their agencies’ security gaps, but 44 percent said their agency had never done a comprehensive assessment of its cybersecurity weaknesses.
Recent media reports also highlighted a delay with the CDM program.
“Task order two is what I think the reports are referring to. I’ll be honest, I don’t know of anything that suggests task order two is delayed,” he said. “I think we are on schedule. I think there are plenty of folks who wish we could have done it faster. But that’s not the reality. We do have to make sure we are doing it right, and the capabilities and tools we are getting are the tools and capabilities that departments and agencies need.”
While DHS is just getting started with CDM, it’s been implementing the Einstein program since 2004.
Agencies have been using versions 1 and 2 of Einstein for several years now, but DHS is pinning its expectations on version 3.
DHS says the EINSTEIN 3 Accelerated (E3A) program can detect malicious traffic targeting federal government networks and prevent those attacks from getting inside. The agency counts on commercial Internet Service Providers (ISPs) to deliver these capabilities as a managed service. The ISPs follow DHS’ instructions to provide intrusion prevention and threat-based decision-making services on network traffic entering or leaving participating federal civilian networks.
“Einstein 3 is now deployed and covers about 25 percent of the civilian government by people. The agencies where it’s deployed really love it. We are getting positive feedback,” Ozment said. “We are doing two things. One, we are working with service providers to extend the coverage to the rest of the civilian government. Two, Einstein 3 is really composed of a number of different countermeasures. It can block this type of attack, and it can block that type of attack. We are working with existing providers to add new types of attacks for Einstein 3 to block. We are both making it more capable and covering more of the federal government.”
As of Sept. 9, DHS says nine civilian agencies are using E3A services, and several other agencies are working to schedule on-boarding dates to receive services.
DHS says it has signed memorandums of agreement with 29 agencies as of Sept. 9, and created a secure mission operating environment to analyze E3A data.
Ozment said Einstein 3A hasn’t reached more agencies because of scheduling challenges, not funding. He said Congress has funded E3A well in recent years.
“One of the interesting things about the Einstein program is the way we structured it. We did all the work in advance of issuing the contract so all the challenges have been challenges prior to issuing the contract. So what that’s meant is we haven’t gone over budget at all, but when we have had something crop up that was unexpected, it’s cost us in terms of schedule,” he said. “We took this approach because Einstein 3 was a totally different way of doing government security. We know it was novel. We knew that there would be some challenges we didn’t expect and would have to deal with those when they came up.”
Einstein and CDM are focused on federal internal networks, but a third priority for Ozment’s office is information sharing with the private sector.
He said the Enhanced Cybersecurity Services (ECS) program is designed for the government to securely share classified cyber threat and vulnerability data with companies, and for companies to share similar data back with the government.
ECS is a service provided mainly by ISPs to other vendors with the help of DHS.
“The program started off as a pilot. When we did the pilot, we assessed it. We found some shortcomings and have been working since to address them,” he said. “I think there is still a remaining concern about ECS and a lot of that is from folks who heard about the problems with the pilot and don’t know how much we’ve done to improve.”
DHS assessed the data that comes from ECS to ensure it’s unique. Ozment said if the data isn’t unique, then ECS is not providing any value.
Ozment said the good news is that the data was unique, but he also admitted the last assessment was some time ago and that it’s time for a new one.
“One of the challenges here is the data doesn’t lend itself to easy comparison, unique compared to what? Well, compared to what the private sector has, well who in the private sector? How many companies’ data do we need to look at before we are comfortable that this is unique?” he said. “We are wrestling with those questions. We’d like to get to a point where this analysis happens continuously and in an automated fashion. We’re not there yet.”
There are only two approved commercial service providers (CSPs): AT&T and CenturyLink. Ozment said plenty of other vendors are interested in becoming CSPs, but DHS can’t keep up with the demand.
“We think there is value in using this information to protect companies,” Ozment said. “But ultimately we will look to the market to innovate around this information, to provide add-on services, to find different ways for their customers to pay for it. We are not involved in the pricing. We are not involved in getting people to sign up for the program. We are feeding a market and the CSPs have to go out and find the customers. It’s not a criticism of the CSPs. It’s a new program so it will take a while for people to understand the value that is out there. We do think there is that value and we see a lot of demand to be a CSP, which suggests to me that the market is large.”