DHS Inspector General Embraces Continuous Monitoring

The OIG runs automated security scans on 80 to 90 percent of its IT assets every 10 days and is working to boost those metrics.

The federal inspector general community is known for shining a light on wrongdoing and deficiencies outside its walls.

So, when Jaime Vargas with the Department of Homeland Security’s Office of the Inspector General agreed to share how his office is faring in the security realm, FedTech jumped at the opportunity.


Photo: Courtesy Jaime Vargas

Jaime Vargas, chief information security officer for the Department of Homeland Security’s Office of the Inspector General.

The OIG has one of the highest FISMA compliance scores in the federal government, and Vargas, its chief information security officer, was honored last month for designing, developing, and implementing an Information Security Continuous Monitoring (ISCM) Program.

The office runs automated security scans on 80 to 90 percent of its IT assets every 10 days and is working to do it faster and across more devices. “Within 30 days, we have a good picture of what’s happening and what is the next problem to resolve,” Vargas says.

But that wasn’t always the case.

Making the Grade

About a year ago, the IG office was scanning and reporting only 10 to 30 percent of the required assets. The organization’s overall compliance scorecard was red — meaning there were serious security deficiencies. Agencies may see their compliance scores slip as they discover new assets on their network or as reporting requirements change.

Around that time, the administration made a push to collect more detailed agency data frequently to better understand the state of federal cybersecurity. One of those reporting metrics required agencies to document how quickly they install critical patches.

“Every year, there has been a more strict metric to meet,” Vargas says. “We, like pretty much everyone else, had deficiencies on those parts. Knowing what was coming ahead and that we wanted to be a role model, we started to try to be ahead of the ball.”

Continuous Monitoring on a Budget

Without a pool of funding to acquire new tools, the IG office coded a lot of the software internally, Vargas explains. “What we created was a way to orchestrate all these tools that don’t talk to each other in such as way that we can collect data in a proactive way and with high fidelity.”

Vargas is considering how that source code could be accessible to other agencies. He says the software OIG developed will not replace the tools being offered on a $6 billion DHS continuous monitoring contract, which the OIG and other federal agencies have agreed to use.

Governmentwide, agencies are moving toward an automated process for monitoring IT assets and whether certain security controls are in place. “We want to support those policies and show that we meet those standards,” Vargas says about adopting continuous monitoring and taking corrective action at the end of each scanning cycle.

Today, his office scans some 1,500 workstations and servers, with an 80 to 90 percent scan coverage. That number will increase as the IG adds mobile devices, printers and network switches to the list, which could be as soon as the end of this year.

weerapatkiatdumrong/thinkstock
Jul 10 2014