Over the next three to six months, the Department of Homeland Security will launch a new cybersecurity risk score for agencies.
The new algorithm, which is part of DHS’ Continuous Diagnostics and Mitigation program, incorporates DHS threat intelligence data and is called Agency-Wide Adaptive Risk Enumeration. AWARE will allow agencies to prioritize cybersecurity vulnerability mitigation activities, using threat data combined with agency dashboard data related to the existence of known vulnerabilities and the FIPS 199 information system impact level (high, moderate or low), as a White House report notes.
Agencies will be able to use this risk scoring approach to improve cybersecurity hygiene, the report adds. “The idea there is that we’re going to be able to take a look, agency by agency, to see how well agencies are doing with patching, configuration, etc., and be able to help ultimately get down to the system level as well,” Kevin Cox, the CDM program manager, said at an ATARC event in late August, according to MeriTalk.
DHS to Bolster Cybersecurity for Agencies Under CDM
By the end of September, all 23 of the CFO Act agencies will have their agency cybersecurity threat dashboards feeding into a federal dashboard, Cox said at the event. Four smaller, non-CFO Act agencies are reporting to CDM’s shared service dashboard, with another 15 expected toward the end of September.
The federal dashboard, which gives DHS an enterprisewide view of real-time threats across government, has been upgraded to a new version, “Release 5,” and DHS is working to upgrade each of the individual agency dashboards to the same release, according to MeriTalk.
Those agency dashboards inform data on the federal dashboard and help direct daily operational government cybersecurity activities. Given that, Cox said, it is important that those dashboards be optimized to receive the best information.
“We are working to make those agency dashboards even more useful to the agencies,” Cox said. “We’ve been working really diligently to make sure that with each new release of the dashboard, that we’ve got performance improvements and we’ve got reporting improvements.”
Another key part of the upgrades is the rollout of AWARE, which will serve as a score to show agencies where they stand in terms of cybersecurity preparedness. It will be “similar to a credit score,” Cox said at the event, but in reverse. The lower the score, the smaller the agency’s attack surface, according to MeriTalk.
“We want to help agencies identify their overall security posture, cyber hygiene as quickly as possible,” he said.
Chris Jensen, Tenable’s federal business development and capture manager, writes in a blog post that AWARE “is an evolving concept intended to drive CDM toward the goal of improving the way the government measures its cyber risk — that is, the degree to which known vulnerabilities continue to provide an unprotected attack surface for potential adversaries.”
AWARE, Jensen writes, will “continue to be refined in subsequent releases, increasingly taking mitigation and other relevant factors into account.” He notes that the “initial release represents an important step toward the overarching goal of sharpening the federal focus on performing basic cyber hygiene,” such as “making sure that software, applications and operating systems are promptly and regularly updated with their most recent versions.”