For the first time ever, the Commerce Department is building a real-time view of its overall cybersecurity posture. And with that information, it’s taking on a greater oversight role over the 14 different agencies within its purview.
Commerce officials emphasized that the establishment of a new Enterprise Security Oversight Center (ESOC) is not meant to be a takeover of the IT functions that have traditionally been managed by bureaus with disparate missions, ranging from the Census Bureau to the National Weather Service to the Patent and Trademark Office. Rather, it’s a recognition that the push toward continuous diagnostics and mitigation in the government only works if everyone’s sharing information — and if each agency is on basically the same cybersecurity footing.
“Right now, our bureaus have their own cybersecurity capabilities, and we see a lot of gaps between those capabilities,” said Roger Clark, a senior adviser for national and homeland security programs at Commerce.
Clark said the oversight center will be about the business of IT oversight, not management, including in the area of information assurance.
“The organizational units are still responsible for doing the day-to-day tactical activities to protect their networks,” he told a recent breakfast meeting organized by FedInsider. “The oversight organization is going to provide cross-organizational situational awareness so we have that common operating picture, and we can provide senior management with a better idea of what our security posture is so that they can make informed decisions. We’re more of an intelligence-gathering organization, doing threat analysis, but then letting the organizations take the appropriate mitigation efforts in their own systems.”
To build the oversight center, Commerce is relying on its National Oceanic and Atmospheric Administration to serve as a shared service provider. NOAA will procure and construct most of the back-end infrastructure, and Commerce expects to declare an official initial operating capability by the end of December.
But many of fundamental elements already are in place, giving the department situational awareness it’s never had before over the networks of its various bureaus. The new capability came in extremely handy earlier this fall when a bug known as Shellshock, a massive vulnerability that affects Unix-based operating systems, was first exploited by attackers.
“Functionally, we’re claiming that we have IOC now because of Shellshock,” Clark said. “My ESOC team is actually leading the department’s overall response to that now.”
Commerce already had been in the midst of buying some enterprisewide continuous monitoring capabilities when the Homeland Security Department and the General Services Administration first began to roll out their contracts for a governmentwide continuous monitoring-as-a-service program earlier this year. But Clark said the first phase of those task orders, which focus on asset management and configuration management, let Commerce speed up its own rollout.
He said the department now is beginning to see all of its vulnerabilities in one centralized dashboard.
“What it let us do was basically buy additional licensing for the product we were already rolling out across the enterprise. So one of the big advantages is the ability to have a standardized product that provides us that asset information, because you can’t protect it if you don’t know it’s there,” he said. “The usefulness in this has been being able to rapidly advise the department’s management council on how many assets we have that are vulnerable to the particular vulnerability of the day. The old method was we did a data call through a formal process, and hopefully we had an answer from the bureaus in a couple weeks. Now we can go to a console, take a look and report it up. Several of the bureaus wanted to stick with the old method, but we were able to prove to them that we have more accurate and more timely data through the CDM product.”
The Securities and Exchange Commission has had a similar experience. It, too, had been building a CDM capability long before it became a governmentwide endeavor.
But Tom Bayer, the SEC’s chief information officer, said the agency didn’t actually know how many vulnerabilities it had until it flipped the switch on its CDM system for the first time. The results, he said, were disconcerting.
“The SEC just recently replaced both of our data centers, and we thought we had an exceptional inventory of our assets because of that. But in the subsequent 18-24 months, we have seen that that inventory was not correct,” Bayer said. “Through continuous improvement, we have continued to improve our understanding of what we have deployed and attached to our network. We’ve learned a lot subsequent to that.”
The inventory and monitoring capabilities agencies like the SEC and Commerce are building is exactly the sort of thing the DHS and GSA wants all other civilian agencies to build, and part of the governmentwide CDM plan is to create one centralized view of all of the government’s vulnerabilities to relevant threats on any given day.
That governmentwide dashboard still is a work- in-progress, but GSA believes the experience agencies such as Commerce have had so far with the first phase of its CDM blanket purchase agreement validates the need for a cross-agency approach to purchasing cybersecurity services.
“The first delivery order proved to us that we could quickly to the departments and agencies, they were able to identify a list of products they needed, and we were able to quickly get those on contract,” said Jim Piche, the group manager for GSA’s Federal Systems Integration and Management Center (FEDSIM). “It proved there is work out there in CDM, and that the tools we have on the BPA are viable in meeting those strategies. It also proved the delivery mechanism we have through the BPA is pretty fast and efficient. Usually, it takes a number of months for any activity to happen on a BPA after it’s awarded, but our time to market on delivery order number one was very fast. The third thing we proved was the economic viability of this model. We are trying to consolidate requirements of the agencies to achieve the best possible pricing, and delivery order one realized approximately 30 percent savings off of GSA schedules for a total net savings of $26 million to the federal government. That’s enough by itself to fund the CDM program office for many, many years into the future.”