Nearly every agency and program in the government has its budget set on autopilot as a result of the continuing resolution Congress passed for the first several months of fiscal 2013. One of the few exceptions is in the Department of Homeland Security, which will have an extra $183 million to start transforming the way agencies defend their IT systems against cyber threats.
While a comprehensive cybersecurity bill is one of the many things lawmakers couldn’t agree on in the congressional session that’s about to close, funding for the executive branch’s effort to better secure federal agencies through continuous monitoring did manage to draw bipartisan support.
The funding boost will be available in the fiscal year which begins Monday, and DHS expects to begin expending the funds by awarding contracts to vendors who will install sensors capable of scanning for threats on IT systems across the government.
The next phase of solicitations in 2013 will let vendors compete to offer a concept DHS calls “continuous monitoring-as-a-service.” Those offerings would be used to do real-time threat scanning of existing federal systems, but they would also help lay a portion of the security foundation for FedRAMP, the government’s secure cloud computing framework.
The goal, said John Streufert, director of the DHS’ National Cyber Security Division, is to raise civilian agencies’ ability to see and counteract day-to-day cyber threats to a level comparable with what the Defense Department achieved with host-based security systems, an effort the Pentagon started several years ago.
Short-term goals more attainable
The new governmentwide initiative is an extension of a continuous monitoring program Streufert led when he served as the State Department’s chief information security officer. At State, cybersecurity leaders lowered the department’s risk of cyber intrusions by a factor of 10 after working the problem for 11 months.
“We made those changes across 24 time zones without any face-to-face contact,” Streufert said Thursday at the third annual Cybersecurity Summit sponsored by Billington’s Cybersecurity in Washington. “The most significant finding we had was that we were able to leverage a wider workforce because our information security officers were able to focus on their worst problems first. Instead of having a group of people who were writing certification and accreditation documents, we were able to have 4,000 security professionals who were operating in concert and in unison.”
While the $183 million in dedicated funding will help get the continuous monitoring program up and running in 2013, the long-term goal is to use money the government is already spending for IT security and redirect it in a much more efficient manner.
The present-day setup requires auditors to manually assess an IT system and fill binders of paperwork with their judgments about whether or not it meets static requirements under the Federal Information Security Management Act (FISMA). Most systems get checked only once every three years, in what Streufert said is a time-consuming and very expensive process.
He said a White House budget analyst assigned to DHS estimated that the government spends $1.5 billion per year to comply with FISMA’s security requirements as they’re currently applied.
“There’s about $7.5 billion on the table over the next five years,” Streufert said. “We need to figure out to what degree we can turn that into a good investment of taxpayer dollars.”
Once the government stops plowing money into infrequent “check-the-box” certification studies, the replacement will be an array of sensors that feeds data about an agency’s cybersecurity risk and present threats into a continuously updated dashboard that’s visible to technical workers and managers. In some agencies those scans would happen every few days. Others have already shown the ability to scan their systems every 20 minutes.
Five critical controls
DHS thinks the approach will let the government’s in-the-trenches security experts focus on the threats that are most significant on any given day and give managers the information they need to oversee the fight against their biggest cybersecurity problems.
The first phase of the program will focus on what DHS has deemed to be the most important five of the 20 critical controls security managers need to pay attention to, as identified by the nonprofit SANS Institute.
They include hardware asset management and software asset management along with white-listing designed to fight spear-phishing. Antivirus, configuration settings and management of expected vulnerabilities will be included as well.
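As an added example (not code from DHS, the State Department or SANS), the script below shows how a dashboard of the kind described above could turn sensor findings in these control areas into a worst-problems-first ranking of hosts, with a penalty for hosts whose sensor has gone quiet longer than the scan cadence; the control weights, staleness threshold and sample findings are assumptions constructed for illustration.

```python
# Added illustration, not DHS/State/SANS code; weights and sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Control areas named in the article; weights are illustrative assumptions.
CONTROL_WEIGHTS = {
    "hardware_inventory": 3,   # unmanaged or unknown device
    "software_inventory": 3,   # unauthorised software (whitelisting)
    "antivirus": 4,            # AV missing or signatures out of date
    "configuration": 2,        # deviation from the approved baseline
    "vulnerability": 5,        # known, unpatched vulnerability
}

@dataclass
class Finding:
    host: str
    control: str
    detail: str
    seen_at: datetime   # time the sensor last reported on this host

def risk_score(findings, now, max_age=timedelta(days=3)):
    """Return {host: score}. Each finding adds its control weight; a host
    whose newest sensor report is older than max_age gets a staleness
    penalty, since a silent sensor is itself a blind spot on the dashboard."""
    scores, last_seen = {}, {}
    for f in findings:
        scores[f.host] = scores.get(f.host, 0) + CONTROL_WEIGHTS[f.control]
        last_seen[f.host] = max(last_seen.get(f.host, f.seen_at), f.seen_at)
    for host, seen in last_seen.items():
        if now - seen > max_age:
            scores[host] += 5  # assumed penalty for stale sensor data
    return scores

def worst_first(findings, now):
    """Hosts ordered so staff see their worst problems first."""
    return sorted(risk_score(findings, now).items(), key=lambda kv: -kv[1])

# Constructed sample sensor output for three hosts (not real data).
NOW = datetime(2012, 10, 1, 12, 0)
SAMPLE = [
    Finding("ws-101", "vulnerability", "missing critical OS patch", NOW - timedelta(minutes=20)),
    Finding("ws-101", "antivirus", "signatures 9 days old", NOW - timedelta(minutes=20)),
    Finding("srv-07", "configuration", "telnet service enabled", NOW - timedelta(days=5)),
    Finding("lap-42", "software_inventory", "unapproved remote-access tool", NOW - timedelta(hours=6)),
]

if __name__ == "__main__":
    for host, score in worst_first(SAMPLE, NOW):
        print(f"{host}: {score}")
```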
Federal CIO Steven VanRoekel directed that the continuous monitoring program be extended to cloud computing under FedRAMP, the government’s new program for certifying the security of cloud service providers.
There, Streufert said, the concept will be similar. DHS and agencies will have access to a dashboard that shows data about the security controls in the clouds that host their data or handle their computing capabilities.
“The most durable metaphor we’ve come up with is OnStar,” he said. “OnStar tells whether the doors are locked, whether there’s a check-engine light on or if there’s a loss of tire pressure. The theory is that the combination of dashboard mitigation routines will point the attention of the internal staff. The division of labor is that DHS will work on the diagnostic reports, and the mitigation will be done by the departments and agencies.”
Cloud service providers will have two options for implementing the continuous monitoring requirements: they can either hire a vendor under the forthcoming federal contract for continuous monitoring-as-a-service, or they can implement their own flavor of continuous monitoring based on security protocols DHS will publish, Streufert said.
Technology isn’t enough
While it’s a significant shift from the snapshot assessments many agencies currently perform, government IT leaders say continuous monitoring is far from being the only solution to the cybersecurity problems agencies face.
“If you just landed here from another planet, you’d think that our entire strategy for the federal government is about continuous monitoring,” said Ron Ross, a fellow at the National Institute of Standards and Technology.
He, Streufert and many others in government and industry say continuous monitoring is necessary, but it’s far from sufficient.
Ross said agencies must also integrate their cybersecurity experts into the teams that design and acquire technology so that systems are built securely to begin with.
“But once we do get that stronger, more resilient infrastructure, continuous monitoring provides near-real-time information about the security status of our critical systems and the infrastructure that surrounds those systems.”