After awarding a contract in May for an updated, governmentwide cybersecurity dashboard, the Department of Homeland Security’s Continuous Diagnostics and Mitigation program plans to roll it out this fall, according to Kevin Cox, the CDM program manager.
The goal of the new dashboard is to give agency IT leaders greater awareness of cybersecurity vulnerabilities and how their IT security compares to that of other agencies.
“We already have a proof of concept underway in the lab environment of the new dashboard environment ... starting in the first quarter of [fiscal year] 2020, in the October or November time frame, we’re going to begin bringing that technology out to a handful of agencies,” Cox said on Sept. 5 at the Billington Cybersecurity Summit in Washington, D.C., according to Fifth Domain.
Starting Oct. 1, agencies that have access to the new dashboard will be able to compare their cybersecurity risk scores, which are produced by the Agency-Wide Adaptive Risk Enumeration risk-scoring algorithm, or AWARE, FedScoop reports.
As FedScoop notes, AWARE “measures how agencies are doing on basic security practices like vulnerability, patch and configuration management in near real time. A smaller cumulative score represents a smaller cyberattack surface.”
“We’re going to out of the gate have better visualization of the data for agencies, but we’re also looking to bring in better analytics, better business intelligence, as well as, ultimately, machine learning capabilities — being able to apply that to the data so that agencies are getting maximum benefit from their cybersecurity data,” Cox said, according to Fifth Domain.
When it comes to AWARE, 23 Chief Financial Officers Act agencies and 30 other smaller agencies are scheduled to get AWARE scores, with 40 more coming sometime thereafter, Cox said, according to FedScoop.
“We want to be careful not to share the scores out publicly because we know adversaries will be looking to see which agencies are having problems so they can go target them,” Cox said. “But there may be ways where, once everybody feels comfortable with their AWARE score — all the data is in good shape — that we share it with the deputy secretaries and everybody sees everybody else’s score.”
How Does DHS’ CDM Program Work?
Under CDM, agencies go through four phases (which DHS has started to call “capabilities”): identifying what is on the network, identifying who is on the network, describing what is happening on the network and defining how data is protected.
The CDM program gives agencies the resources to achieve these goals, including commercial hardware, software and services. Once the tools are in place, an agency will be better able to monitor its networks and respond nearly instantly to a vulnerability.
Agencies install sensors in their networks and infrastructure that perform an ongoing, automated search for known cybersecurity flaws. Data from the sensors feeds into an agency dashboard, which in turn creates customized reports that alert network managers to their most critical cyber risks, according to DHS.
Summary information from the agency-level dashboards feeds into a federal enterprise-level dashboard built with RSA Archer, which is used to inform key decision-makers and provide situational awareness into the cybersecurity risk posture across the government.
In late May, DHS awarded a contract worth $276 million to enhance the CDM dashboard into “a state-of-the-art ecosystem that includes ongoing advancements in data visualization, data ingest, indexing, and search performance,” according to a press release. Cybersecurity analytics will be delivered using business intelligence, artificial intelligence and machine learning technologies.
How CDM Will Evolve in 2020 and Beyond
Cox is bullish on AWARE’s ability to help agencies understand and improve their cybersecurity posture. Cox said the State Department and Justice Department piloted AWARE and learned that sharing the scores internally “generates the desire to get better within your shop,” according to FedScoop.
“At the end of the day, we’d like everyone to get to zero, but that’s not realistic because there’s always vulnerabilities coming out and patching activities,” Cox said.
DHS will offer agencies more guidance on how AWARE works, what the scores mean compared to the government average and how to reduce vulnerabilities.
“We can start to look at what are those different agencies doing that we can get some lessons learned that we can get out to all the agencies,” Cox said, according to Fifth Domain.
The Cybersecurity and Infrastructure Security Agency within DHS is considering giving agencies a grace period to fix newly reported vulnerabilities before they are held accountable, FedScoop reports.
In addition to the dashboard and AWARE enhancements, Cox used his appearance at the conference to spell out other priorities for the CDM program in the upcoming fiscal year.
DHS has been working with agencies to identify and protect high-value assets, which are the data and information whose unauthorized disclosure would hurt the government. CDM will help with that effort.
“We’re looking to see what types of technology are needed, whether it be data rights management, data log protection [or] more advanced threat capabilities sitting in front of those assets,” Cox said, Fifth Domain reports.
DHS wants agencies to ensure that they have “the proper protections in place for the data on the system.”
CDM will also focus on enterprise mobility management next year, according to Cox, which will be challenging, given that there are millions of mobile devices on federal networks.
“We want to help the agencies get full understanding of all the privileged users,” Cox said, according to Fifth Domain.