The Homeland Security Department plans to launch a “risk radar” next fiscal year aimed at helping agency leaders better understand their cybersecurity strategies.
Mark Kneidinger, the director of federal network resilience at DHS’ Office of Cybersecurity and Communications, said the radar would include data from DHS’ Continuous Diagnostics and Mitigation program and agencies’ performance under the Federal Information Security Management Act (FISMA).
“A risk radar takes into consideration not only the information that, at the operational level, agencies are aware of and can address — patching and other things of that nature — but takes a look at how we can pull all the various information stores together,” he said Wednesday at Splunk’s Data-Driven Cyber Security event in Washington.
The radar will take a close look at the cyber threats agencies face, and their readiness to respond to those threats.
“What’s the capability of the agencies from a resource perspective, to address that? What’s the budget perspective in regards to being able to address that situation? What is the level of threat? You need all of those, in essence, in a mosaic, to be able to start coming up with a perspective, where the agency grades on each of those areas, to help the executives understand, ‘OK, this is where I need to be able to concentrate,’” Kneidinger said.
The risk radar aims to help agency leaders, not just chief information officers, understand their cybersecurity risks.
“We have that breakdown between the CIOs and the executives. This is one of the ways of being able to promote that, and to be able to help the CIOs, to be able to provide that translation, a common taxonomy, so that they can understand what the risk is to their mission area,” Kneidinger said.
DHS’ risk radar announcement comes just a few months after it released its Binding Operational Directive 18-02, which tasks agencies with creating a chain of command for protecting high-value assets (HVAs).
“When we see some threat occurring across the government, DHS has the authority to put binding operational directives out to all agencies. Basically, ‘you shall do, within this timeframe and you need to report that you are doing it.’ That could be seen as heavy-handed at times, especially with some of our initial BODs, but we have basically incorporated a realization that for our BODs to be successful, we need to make sure that the agencies have the capability of addressing what those requirements are,” Kneidinger said. “We’re working very closely with the agencies and identifying future binding operational directives to make sure that they can be successful, but also where else can we partner with them to ensure there’s success.”
Kneidinger said DHS helps agencies protect the “crown jewels of the government,” the applications whose compromise would have a major national security impact. Going forward, he said, DHS would provide more support to help agencies secure their high-value assets.
“We’re involved in regards to the most critical, critical assets. In other words, when we get the full list of thousands of HVAs, we take a look at which ones are most critical nationally. We work with the agencies at that level, but there are many, many more,” Kneidinger said.
“The intent of the center there is to address both strategic and systemic risk. But to do it in partnership with industry and the private sector. The center will basically be an entity where we’ll be bringing in the private sector and industry, working side-by-side with government in regards to taking a look at solutions for those strategic, cross-sector risks,” Kneidinger said.
DHS named Rob Kolasky as the director of the new center. He served as the acting assistant secretary for infrastructure protection at DHS’ National Protection and Programs Directorate. He discussed his new role with members of the Senate Judiciary Committee at a recent hearing.
Looking ahead, Kneidinger outlined some of the steps DHS needs to go through to get the national risk management center fully operational.
“The center is basically being set up at this point in regards to structure, and there’s a short sprint to get it to the point where we can start engaging with our industry partners,” he said.