As the Homeland Security Department prepares to launch the federal continuous diagnostics and mitigation dashboard later this summer, DHS is thinking about how it can utilize the cloud to manage more CDM tools in the future.
“Definitely as we go forward we’re looking at doing more in the cloud, including potentially at some point in the future, placing the federal dashboard in a high [baseline] cloud,” Kevin Cox, CDM program manager at DHS, said during a June 21 discussion at a Tenable and MeriTalk GovProtect forum in Washington.
This comes as DHS continues its work with 44 small agencies. The department has been assessing those agencies’ environments and deploying multi-tenant dashboards in the cloud.
“We’re looking at how we interface with the cloud, whether it be infrastructure, platform or software,” Cox said. “But at the end of the day wherever there is government data being processed, we need to get the agencies the visibility. We need to get federal leadership the visibility as to how that data is being secured, who’s accessing it and how it’s being used.”
Agencies are still deploying their own individual dashboards now, which organizations can use to report on the threat environment in near-real time. Cox said the agency dashboards paid off during the recent WannaCry ransomware attack. DHS officials told agencies that had implemented CDM dashboards to check them, figure out where the biggest areas of vulnerability existed and take care of those systems.
Those agencies without such a dashboard had a more difficult time tracking down that data, Cox said.
The federal dashboard will compile summary feeds from all the agency dashboards, which will give the administration a broad view of the government’s cyber posture. Eventually, the federal dashboard will help DHS and the Office of Management and Budget decide where best to direct their resources to strengthen agency systems.
The CDM dashboard is one specific area where agencies can be held accountable for their progress. But the Trump administration wants agency leaders to put more skin in the game.
The cybersecurity executive order that President Donald Trump signed last month designates the specific responsibilities for members of an agency’s executive suite, and it explicitly details how those officials will be held accountable. Cybersecurity isn’t a checklist that agencies should address at the end of their mission requirements; it plays an inherent role in serving the public.
“In terms of federal networks, we operate those on behalf of the American people, so the idea that we are protecting Americans’ data, Americans’ information, has to be at the forefront,” Rob Joyce, White House cybersecurity coordinator, said.
And this comes as the White House begins to push a slightly different message about its approach to cybersecurity.
“We are now going to treat federal networks as an architecture,” Joyce said. “We’re going to look at them holistically. That doesn’t mean one big, federal government network. What that really means is we’re going to consider all of the components because they have interplay. To think about a federal network as an architecture, we have to do a lot of thinking about risk.”
Under the cyber executive order, agencies are taking stock of what they have on their networks and talking to the White House and Office of Management and Budget about the risks they’ve accepted.
As OMB continues to take a more enterprise-wide approach to securing federal networks, it’s also taking a holistic view for recruiting and retaining top cybersecurity professionals, especially young graduates who may be familiar with more high-profile government agencies like the National Security Agency or the Defense Department, but not smaller organizations.
“What are the odds that they’re going to raise their hand and say, ‘I want to go work at the Bureau of Reclamation?’” Joyce said. “[It’s] probably not going to be at the top of their career options.”
Instead, Joyce sees the potential of building a kind of shared service network of cyber professionals.
It’s a concept that others, like Rep. Will Hurd (R-Texas), the chairman of the House Oversight and Government Reform IT Subcommittee, have suggested. He’s advocating for the creation of a cyber “national guard” to help fill talent gaps across large and small agencies.
“We have to think about that as we do plan for the defense of federal networks,” Joyce said. “We have to have these shared services that … we can bring people in to both defend big DHS components as well as the Bureau of Reclamation and other small agencies.”