A pioneer when it comes to network protection, John Streufert introduced continuous monitoring at the State Department in 2008, where in one year, he helped reduce known security threats by 89 percent. Now, he's leading the charge to implement a similar, more extensive real-time cybersecurity strategy throughout the federal government.
As director of Federal Network Resilience at the Department of Homeland Security (DHS), Streufert is spearheading the government's ambitious continuous diagnostics and mitigation (CDM) program, a multiyear effort that offers agencies a phased approach for deploying continuous-monitoring technology, plus some precious funds to help get it done.
Last August, DHS partnered with the General Services Administration on a five-year, $6 billion acquisition program for the security tools and services agencies need to monitor their IT systems and address vulnerabilities in near real time. Through a series of blanket purchase agreements (BPAs), the two agencies in January awarded $60.4 million in contracts to acquire the first batch of tools for 21 agencies and departments.
"We have the key building blocks in place to do diagnostics and mitigation," Streufert says. "We are at the juncture of meeting the first round of customer requirements in the cabinet departments and agencies, but the proof in the pudding will be to lower known risk and achieve the ultimate goal of better protecting taxpayer information."
As high-profile information leaks, retail data breaches and other cybercrimes dominate headlines, the federal government is racing to protect its IT systems from internal and external threats. CDM became a priority last November when the Office of Management and Budget (OMB) issued new guidance requiring agencies to deploy the capability by 2017.
CDM marks a shift in the way agencies are required to ensure the security of their IT systems. Since 2001, they've spent roughly $1.8 billion a year producing risk studies to comply with the Federal Information Security Management Act (FISMA). However, as cyberattacks grow more rampant, such an exercise in "filling three-ring binders" cannot accurately capture the true state of cybersecurity — day to day, or minute by minute — throughout the federal government, Streufert says.
"The idea is to find out your security posture from a real-time perspective," says Deltek research analyst John Slye. "CDM is about trying to make FISMA more automated."
NIST Provides a Roadmap
To implement CDM, agencies are drawing direction from National Institute of Standards and Technology Special Publications 800-37, 800-137 and 800-53 Revision 4. The NIST guidelines provide the overarching vision for how agencies should deploy monitoring programs. The CDM effort at DHS will help agencies execute a portion of that vision by automating as many security controls as possible, says Ron Ross, a NIST fellow in charge of the FISMA Implementation Project.
Last year, NIST finalized SP 800-53 Revision 4, which addresses the need for continuous monitoring by adding security controls to deal with insider and advanced persistent threats. It also emphasizes that agencies should build systems more securely the first time so hackers can't easily exploit security flaws. "If you don't build it right," Ross says, "then continuous monitoring is much less effective." (This spring, NIST planned to release SP 800-160, which provides guidance on how to incorporate security throughout the design and building of applications and systems.)
60 billion to 80 billion The number of security checks per day across civilian agencies when continuous diagnostics and mitigation are fully implemented
SOURCE: Department of Homeland Security
Not every security control can be monitored through automation, Ross admits, but the DHS program will play a big role in helping agencies meet CDM requirements. "Our ability to build a comprehensive cybersecurity program will depend on a good foundation, and DHS is laying the foundation," he says.
The Phased Approach
Streufert and his team at DHS met with civilian agency IT leaders to develop a CDM strategy and agreed on a three-phased implementation approach. The first phase, underway now, focuses on protecting endpoints, such as PCs, notebooks and servers, and concentrating on known vulnerabilities.
"The majority of attacks are currently happening on end-user devices, so that's where our attention went to first," Streufert explains.
After reviewing NIST SP 800-53, they focused on four foundational areas for phase one: hardware and software asset management, vulnerability management and configuration-setting compliance.
The second phase, which DHS will start planning this year, focuses on managing people. It is important, Streufert says, for agencies to adopt the right training, credentials, account access and privileges to prevent insider threats.
To prevent data theft, for example, agencies should evaluate how much authority to give system administrators. "We want to provide privileges to manage a LAN, but not necessarily broad privileges that expose sensitive information to those who don't have a need to know," Streufert says.
The third phase, which DHS is calling "boundary protection and event management," includes technology such as data loss prevention and forensics analysis.
"When I visit agency CISOs and CIOs, I know they are making progress, but because the security threats they face are so challenging, they sometimes feel like they're taking two steps forward and one step back."
—Ron Ross, NIST Fellow
"There is need now for phases two and three, but we have to pursue CDM in digestible chunks," Streufert says. Plans for phase two were scheduled for release this spring.
The overall strategy includes an agency-level dashboard that will aggregate data captured by network sensors and give agencies a list of detected security flaws. The local dashboard will also rank security concerns by severity, so agencies can fix the worst problems first. In addition, a federal-level dashboard will collect, aggregate and summarize agency-level data in one central view, including agencies' progress in correcting flaws.
"It will provide situational awareness across the federal government," says Streufert, whose organization awarded the contract to begin work on the dashboard in March.
Currently one-third of federal agencies have deployed some form of CDM. These agencies can use the program's BPAs to fill any gaps in their security arsenal. Agencies starting from scratch can use the BPAs to purchase everything they need to implement the first phase, Streufert says.
Available phase one tools include vulnerability scanners, anti-virus software and patch management software. By centralizing purchases through the BPAs, agencies can leverage the buying power of the entire government, resulting in volume discounts and cost savings, Streufert adds.
"We found a rich set of commercial off-the-shelf products that we can buy in quantity as commodities," he says.
Progress to Date
The United States Postal Service (USPS) and the Department of Health and Human Services (HHS) have robust continuous-monitoring programs in place, but their chief information security officers say they look forward to seeing what the DHS CDM program has to offer.
"As we reach the end of life with some of our tools, we're looking to see if there are some new tools out there that can help with our customers' needs," says USPS Chief Information Security Officer Chuck McGann.
To combat security threats, McGann uses a mix of commercial and custom security software linked together to give the agency's computer-incidence response team up-to-the-minute information on its IT environment.
USPS has standardized on certain tools, such as patch management, data loss prevention, anti-virus and anti-malware software. Network tools analyze traffic volume and behavior. McGann prioritizes the most business-critical applications and gets alerts when security risks or network anomalies are found, such as rogue wireless access points or a spike in bandwidth usage that may indicate a denial-of-service attack.
"We know immediately when a baseline is changed," he says. "It may or may not be authorized, so we take a look at it when it occurs and investigate."
HHS built a Computer Security Incident Response Center that monitors the department's networks and computer systems 24/7. But each of its 11 operating divisions has adopted continuous monitoring to varying degrees, says HHS CISO Kevin Charest.
Last year, Charest met with each HHS operating division to develop a departmentwide CDM implementation strategy, as required by OMB. "I wanted to know if they were doing the fundamentals, such as patch management, asset discovery and network access control, and they were somewhat hit-or-miss," Charest says. "Not everyone was doing all of them, so we didn't have a baseline approach."
The group of HHS IT leaders developed a plan to implement CDM in phases and will use the CDM program to shore up gaps, Charest says. He also looks forward to creation of the DHS dashboard so he can implement it throughout his organization. "I want to pull all the data feeds together into one dashboard, so I can get a scorecard of how our agencies are doing and make sense of what is happening in our environment," he says.