When it comes to protecting its network from cyberattacks, the Commerce Department wants to see all its computing assets, no matter where they are in the enterprise, at all times.
The department is installing continuous monitoring tools that give members of its IT staff fresh visibility into the security of its IT resources. It's also building an enterprise security operations center (ESOC), which will monitor the department's networks and computing systems 24/7.
"We want as close to real-time situational awareness as we can get across the Department of Commerce and its component bureaus," says Commerce CIO Steve Cooper.
The federal government's Continuous Diagnostics and Mitigation (CDM) program, which is spearheaded by the Department of Homeland Security (DHS), has been successful in the short time since its launch. About 87 percent of agencies met a May 30 deadline to begin deploying tools to support continuous monitoring, according to DHS.
The CDM program provides funding and a strategy for strengthening network security, so agencies can monitor their IT systems and address vulnerabilities in near real time. The first phase of the program, which is well underway, focuses on protecting endpoints, such as PCs, notebooks and servers.
The second phase, which DHS is currently planning, focuses on managing the correct use of credentials and privileges, while the third phase focuses on boundary protection and event management and includes data loss prevention and forensic analysis tools.
A year ago, DHS partnered with the General Services Administration on a five-year, $6 billion acquisition program to provide agencies the tools and services they need for CDM. In January, they awarded $60.4 million in contracts to acquire the first batch of tools for agencies.
This summer, DHS announced a second set of orders, which includes continuous monitoring tools and services for small agencies, says John Streufert, director of federal network resilience at DHS. Contracts for the second order, called Task Order 2, will be awarded in 2015.
"We're not only covering the sensors that are needed, but supplying the labor at the same time," Streufert says. "Specialized labor is most urgently needed in small and micro-agencies where the number of cybersecurity staff is more limited."
Tackling Continuous Monitoring
The Nuclear Regulatory Commission will use Task Order 2 to implement the first phase of CDM. The NRC will revise and enhance its vulnerability management and application and web-whitelisting capabilities, as well as hire a systems integrator to help it deploy the CDM program, says NRC CIO Darren Ash.
The commission is also working to shift away from conducting a paper-based risk assessment study every three years. Instead, it will take a more automated approach to granting authority to operate (ATO) for its IT systems.
"We want to augment and enhance what we've got and create greater visibility into our operations," Ash says.
Elsewhere, the Commerce Department is using a mix of new and existing tools to implement its continuous monitoring program.
The department previously installed intrusion prevention and detection tools, firewalls, full-disk encryption to protect data on its computers and forensic tools to analyze security incidents that have occurred, says Mike Maraya, the department's acting chief information security officer.
More recently, Commerce purchased sensors for its 100,000 desktop computers, notebooks and servers by leveraging the government's CDM funding, which is expected to result in a cost avoidance of $7 million over two years for the department.
The sensors help the department meet the three main requirements for phase one of CDM: asset management, or knowing what's on the network; configuration management, which ensures that the devices are configured securely; and vulnerability management, which makes sure the latest software patches are applied.
"The sensors give us the ability to see what is going on in every device in near real time," Maraya says. "The security team can know if there's a vulnerability and fix the problem immediately."
The near-real-time data from the sensors and other security tools will feed into the ESOC, which is expected to launch with initial operating capability on Dec. 31, he says.
The ESOC will aggregate and analyze all the security data coming in from the department's 12 bureaus, including four that have their own security operations centers, and provide an all-encompassing view of the department's security posture, he says. If security issues are discovered, the department's computer security incident response team will respond and mitigate the problems.
"It could be sending an email to an operating unit that an employee has a misconfigured device and is vulnerable to hackers or telling two operating units that they are facing attacks on their networks, so they need to block some ports," Maraya says.
The Commerce Department's next step with CDM is to build an agency-level dashboard that will aggregate all the data captured by the department's security tools. The dashboard will quickly analyze the combined information and rank security vulnerabilities by severity, so the department and its bureaus can fix the worst problems first.
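The two passages above describe the same pipeline from two ends: sensors that report on the three phase-one requirements (asset, configuration and vulnerability management) and a dashboard that joins those feeds and ranks findings by severity so the worst problems get fixed first. The script below is an added illustration of that join-and-rank step, written for this article; it is not Commerce Department or DHS dashboard code. The feed formats, device names, bureau codes, vulnerability identifiers and the severity weights are all constructed assumptions for the example; a real dashboard would take severities from its scanner output rather than a fixed table.

```python
"""Toy CDM phase-one dashboard: join asset, configuration and vulnerability
feeds per device and rank devices worst-first.
All feeds below are constructed sample data, not agency data."""
from dataclasses import dataclass, field

# Weights are an assumption for this example, not a CDM or DHS scoring rule.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}
CONFIG_FAIL_WEIGHT = 3.0    # each failed secure-configuration check
UNMANAGED_WEIGHT = 5.0      # device seen on the network but missing from inventory


@dataclass
class DeviceRisk:
    device: str
    bureau: str
    score: float = 0.0
    reasons: list = field(default_factory=list)


def aggregate(assets, config_results, vulns, observed_hosts):
    """Return a list of DeviceRisk sorted worst-first (ties broken by device id).

    assets         : {device_id: bureau} from the asset-management feed
    config_results : [(device_id, check_name, passed)] from configuration checks
    vulns          : [(device_id, finding_id, severity)] from the vulnerability scanner
    observed_hosts : device ids seen on the wire, used to catch unmanaged assets
    """
    risks = {}

    def get(dev):
        if dev not in risks:
            risks[dev] = DeviceRisk(dev, assets.get(dev, "UNKNOWN"))
        return risks[dev]

    # Asset management: anything on the network that inventory does not know about.
    for dev in observed_hosts:
        if dev not in assets:
            r = get(dev)
            r.score += UNMANAGED_WEIGHT
            r.reasons.append("not in asset inventory")

    # Configuration management: failed hardening checks.
    for dev, check, passed in config_results:
        if not passed:
            r = get(dev)
            r.score += CONFIG_FAIL_WEIGHT
            r.reasons.append(f"config check failed: {check}")

    # Vulnerability management: open findings weighted by severity.
    for dev, finding_id, severity in vulns:
        r = get(dev)
        r.score += SEVERITY_WEIGHT.get(severity.lower(), 0.0)
        r.reasons.append(f"{severity} finding {finding_id}")

    return sorted(risks.values(), key=lambda r: (-r.score, r.device))


def worst_per_bureau(ranked):
    """Map each bureau to its highest-scoring device, so every operating unit
    receives its own first fix rather than only the enterprise-wide top item."""
    first = {}
    for r in ranked:
        first.setdefault(r.bureau, r)
    return first


# Constructed sample feeds: device names, bureau codes and finding ids are made up.
SAMPLE_ASSETS = {"ws-001": "BUREAU-A", "ws-002": "BUREAU-A", "srv-010": "BUREAU-B"}
SAMPLE_CONFIG = [("ws-001", "disk-encryption", True),
                 ("ws-002", "disk-encryption", False),
                 ("srv-010", "remote-admin-disabled", False)]
SAMPLE_VULNS = [("ws-001", "FINDING-PLACEHOLDER-1", "medium"),
                ("srv-010", "FINDING-PLACEHOLDER-2", "critical"),
                ("ws-002", "FINDING-PLACEHOLDER-3", "low")]
SAMPLE_OBSERVED = ["ws-001", "ws-002", "srv-010", "rogue-007"]

if __name__ == "__main__":
    ranked = aggregate(SAMPLE_ASSETS, SAMPLE_CONFIG, SAMPLE_VULNS, SAMPLE_OBSERVED)
    for r in ranked:
        print(f"{r.score:5.1f}  {r.bureau:9}  {r.device:9}  {'; '.join(r.reasons)}")
    for bureau, r in worst_per_bureau(ranked).items():
        print(f"first fix for {bureau}: {r.device}")
```

On the sample feeds the unpatched critical finding on a misconfigured server outranks an unmanaged host, which in turn outranks two workstations with minor issues; the per-bureau view is what lets a department-level SOC hand each operating unit its own top item, as the quoted email-to-the-operating-unit workflow describes.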
In early fall, DHS was in the process of choosing a commercial dashboard product on which to standardize. DHS expects to deploy a dashboard with initial operating capability in 2015, Streufert says.
Realistically, the Commerce Department believes it will take about two to three years to get the DHS-approved, agency-level dashboard fully functional. "You have to do a lot of integration to get products to work together to have a single dashboard," Maraya says.
The U.S. Citizenship and Immigration Services (USCIS) agency grants citizenship, green cards and work visas to immigrants, so it houses applications with sensitive information that must be secured.
The DHS agency has spent two years bolstering its IT security. As part of its continuous monitoring strategy, the agency is now conducting security authorizations of IT systems every month instead of producing risk studies every three years, which had been the norm, says Larry DeNayer, USCIS's chief information security officer.
USCIS has drawn direction from National Institute of Standards and Technology (NIST) Special Publications 800-37 and 800-137, which provide guidance on implementing continuous monitoring. The goal is to automate as many security controls as possible to provide visibility into the department's security posture in near real time.
"We are now looking at key metrics on an ongoing monthly basis and asking ourselves, 'Does this system have too many vulnerabilities to operate?'" DeNayer says. "Those two NIST guidelines drove us to put agility into our security process."
In addition, the agency, which used to run monthly security scans of IT systems, is now doing automated scans once a week. DeNayer's goal is to eventually do scans daily. "It takes a lot of processing power, but it needs to be as real-time as possible," he says.
USCIS currently uses a full complement of security tools: web filters to protect against malware and viruses, deep-packet network inspection tools and host-based intrusion prevention and detection tools. The agency uses scanners to analyze not only network traffic, but also applications, websites, databases and even software code, DeNayer says.
All the data is fed into a security information and event management tool, which correlates and analyzes the information, flags suspicious activity and sends out alerts.
The agency's security operations center follows up on alerts that require an immediate response. IT security staff, systems owners and program managers address nonurgent issues at monthly meetings where they grant ATOs to IT systems, DeNayer says.
Moving forward, USCIS will focus on application security and application whitelisting and work to continuously monitor its custom applications. But overall, DeNayer feels the agency is in good shape security-wise.
"We have work to do, no doubt, because technology evolves," he says. "But as far as where we are in implementing continuous monitoring, we are on solid ground."