Manfra, assistant secretary for the office of cybersecurity and communications at the Department of Homeland Security, thinks agencies need to update their IT governance and procurement to be more risk-based. During a keynote address Tuesday at the 2017 Symantec Government Symposium in Washington, D.C., Manfra said that cybersecurity decisions need to be based on mission risks agencies face. It’s the same approach President Donald Trump called for in an executive order on cybersecurity.
Agencies must not just modernize legacy IT systems, which create vulnerabilities, Manfra said, but must “look at modernizing the whole thing,” including how they buy and manage technology. Agencies must make “risk-based procurement” decisions for IT, “which we currently don’t have a good way of doing,” she said.
The goal, she said, should be to give an agency head or cabinet secretary “full insight into what is happening on their networks” and the risk they are accepting.
Getting More Cybersecurity Insights from IT Environments
Manfra noted that often, when assessing why particular cybersecurity decisions were made at agencies, the answer usually circles back to a need to work within the existing IT architectures. IT across the government is often federated and decentralized, Manfra noted, with few ways to streamline it.
DHS has tried to do that with its Continuous Diagnostics and Mitigation program, which allows agencies to monitor their IT systems and then respond almost instantaneously to vulnerabilities. The program enables agencies to prioritize the risks based on how severe they might be in an effort to let cybersecurity personnel mitigate the most significant problems first. CDM offers commercial off-the-shelf tools — hardware, software and services — that agencies can access via a central fund.
DHS's Jeanette Manfra speaks Dec. 5 at the 2017 Symantec Government Symposium in Washington, D.C. Photo credit: Phil Goldstein
Sensors in agency networks give administrators and CISOs visibility into what devices are on the network and how users are acting. Then, that information is standardized and fed into agency dashboards. DHS is working with agencies to produce reports based on those dashboards that let agencies know what their vulnerabilities are and how they can be patched.
DHS is also standing up a federal dashboard, which will collect the feeds from all of the agency dashboards to give a governmentwide view of threats. Kevin Cox, program manager for CDM at DHS, told FedTech in October that the federal dashboard would be fully deployed in February. Manfra confirmed last week that all 24 CFO Act agencies would be plugged into the federal dashboard by the end of February, Nextgov reports.
CDM, Manfra said at the symposium, allows DHS to “work with agencies to deploy tools in line with their requirements.” The National Cybersecurity and Communications Integration Center, a centralized hub within DHS that monitors cyberthreats across agencies and critical infrastructure, can be in “a position to understand enterprise risk” if it is receiving data back from all of the sensors in agency networks.
The government should aim to automate and correlate the threat data it is getting from CDM, Manfra said. The more the government can do it, the easier it can achieve “a network view of the world” and allow DHS and other agencies the ability to “see things you may not have thought to ask the questions for.”