Implementing Continuous Monitoring Plan
DHS's John Streufert Addresses the $6 Billion Challenge
In the next five years, the federal government will work to centralize for civilian agencies' networks a way to identify cyberflaws and employ continuous monitoring tools to remediate them, the Department of Homeland Security's John Streufert says.
The DHS initiative, known as the Continuous Diagnostic and Mitigation program, offers federal, state and local government agencies the ability to purchase discounted hardware, software and services to assess risks and present those risks in a continuously updated dashboard.
Earlier this year, the federal government earmarked up to $6 billion to be spent for agencies to acquire goods and services for the project [see $6 Billion DHS IT Security Plan Advances]. The money for this initiative is not part of the funding plan Congress had failed to enact that caused the partial government shutdown.
"The belief was by doing that in a single location, DHS in this instance, there could be economies of scale in ordering and some unified effort as ... departments, agencies and other smaller federal organizations move to incorporate this technology in their daily business," Streufert says in the first of a two-part interview with Information Security Media Group [transcript below].
The first phase, a rollout occurring over three years, is aimed at getting civilian agencies to employ continuous diagnostic tools to improve vulnerability management, enforce strong compliance settings, manage hardware and software assets and establish whitelisting of approved services and applications, Streufert says.
"We know that 80 percent of the incidents which occur that involve some kind of problem of exfiltrating of data lean on cyberflaws that are previously known," he says. "The objectives ... in the first phase are designed in a way to see to it that the problems in those areas of civilian networks are reduced."
Later, the initiative will move into other areas, including those that deal with privileges, Streufert says.
"We're eventually trying to cover as many of the known weaknesses that are recorded in NIST [Special Publication] 800-53," he says. "That's a lot of ground to cover, so dividing it into approximately thirds was ... arrived at to balance against both money and the time available of the staff to work on these issues."
In the interview, Streufert:
- Explains why the federal government refers to continuous monitoring as "continuous diagnostics;"
- Discusses the goals of the Continuous Diagnostic and Mitigation program;
- Delineates the responsibilities of agencies and DHS in implementing the new program.
In the second part of the interview, Streufert addresses the challenges of managing the new program, including overseeing vendors [see Expanding Continuous Diagnostic Effort].
Streufert serves as the director of Federal Network Resilience within the National Protection and Programs Directorate at DHS. From 2006 to 2012, he served as the State Department's chief information security officer, where he instituted a program that resulted in an 89 percent reduction in risk in 12 months.
ERIC CHABROW: Before we get to the initiative itself, let's talk about its name. It seems that the federal government wants to call it continuous diagnostics, not continuous monitoring. Is there a difference?
JOHN STREUFERT: Clearly, the phrase "monitoring" is used in a lot of senses, formally and informally, both inside and outside the security field. There was a belief about a year and a half ago that the phrase "monitoring" would somehow be confused with the practices of the diagnostic activity of finding known vulnerabilities and weaknesses and repairing them before they became objects of attack. There was a decision probably in the middle of 2012 to concentrate on diagnosis and mitigation; and as time has gone on, the potential problems of misunderstanding the phrase "monitoring" have turned out to be important, and we're glad we settled in on the phrasing that we have.
CHABROW: Please take a few moments to summarize how the continuous diagnostic and mitigation program works.
STREUFERT: The decision was made in the middle of 2012 that the federal government would centralize for the civilian networks a method of looking for cyberflaws and queuing up in a dashboard a method of locating worst problems first. The belief was by doing that in a single location, DHS in this instance, there could be economies of scale in ordering and some unified effort as the cabinets, departments, agencies and other smaller federal organizations move to incorporate this technology in their daily business. In order to obtain the support and understand the requirements better, they have established memorandums of agreement with the major federal organizations. The contract is then executed in a way that the 50 state governments and local governments can also order off of the contract. We have coordination of contracting activity, coordination of technical activity and supplying services for the diagnostics that go in place on the federal level.
CHABROW: If you had to summarize briefly, what would you say are the program's goals?
STREUFERT: We know that 80 percent of the incidents which occur that involve some kind of problem of exfiltrating of data lean on cyberflaws that are previously known. The objective for the sub-areas of vulnerability management, strong compliance settings, monitoring hardware, asset management and software asset management and whitelisting - all these capabilities in the first phase are designed in a way to see to it that the problems in those areas of civilian networks are reduced. Over time, we'll move into other topic areas that will deal with the privileges, but for the time being, the hardware, software, asset management, whitelisting and vulnerability cyberflaw corrections are the concentration of our activities.
CHABROW: And you're just focusing on those first areas? Any reason you're not going into areas such as privilege, or are there other factors involved?
STREUFERT: A portion of it is money. A portion of it is historically we've found that the cybersecurity professionals working with the program managers, departments and agencies require a little bit of time to get used to the tools. We're eventually trying to cover as many of the known weaknesses that are recorded in the NIST 800-53 publication and the catalog. That's a lot of ground to cover, so dividing it into approximately thirds was ethically arrived at to balance against both money and the time available of the staff to work on these issues.
CHABROW: What are the responsibilities in this initiative of DHS and what are specifically the agencies' responsibilities?
STREUFERT: There was a recommendation early on that the historical lines of responsibility for implementing technology programs in the government would be honored and considered. The traditional method of funding is that dollars for the custom software of the government and the networks flow down from Congress to the departments and agencies, and that's where the responsibility for the risk decisions is made. DHS's role in this capacity is to provide the diagnostic reports that highlight the worst problems first that need to be repaired. The job of actually making the repairs is an assignment which is left with the department and agency which is responsible for the application. DHS will take on the additional role of the single interface with the General Services Administration, which is sponsoring the procurement initiative with 17 vendors, and we provide overall program management assistance, and we'll do the dashboard as well. The fixing is done in the departments and agencies, and the balance of the technical acquisition and program rollout is being assisted through the Department of Homeland Security.
CHABROW: It's optional for agencies to participate?
STREUFERT: Historically, there has always been some kind of diagnosis and mitigation activity occurring. Probably the earliest of its kind was anti-virus. We have done vulnerability and compliance setting testing for certifications and accreditations over time. It's this second aspect that's required under the Federal Information Security Management Act that has the departments and agencies considering the importance of implementing the CDM program. Over time, there's a suggestion that portions of the testing which are required under the Federal Information Security Management Act can be done with the sensors and tools under the CDM program, as opposed to hiring contractors and using other internal staff to do the once-every-three-year certification and accreditation, later reauthorization, studies.
From the sense that we're required to do ongoing security testing and CDM is a tool that can help accomplish that efficiently, the program is going to be a standard feature of the federal departments and agencies that are on the civilian side. The Committee on National Security Systems and the Department of Defense will be making their own arrangements in this regard, although they can place orders off the contract. Where the CDM contract and its strategies are more optional and at the discretion of the participants would be the 50 state governments and local governments, who operate the non-federal systems under different guidelines than FISMA.
Questions from CISOs, CIOs
CHABROW: As this program is being laid out, what are you hearing from CISOs and CIOs about the program? What are some of the questions that they're raising?
STREUFERT: Many of the chief information security officers and CIOs appreciate the fact that Congress has set aside money for these purposes. It's not new to your listeners, but the federal government is in a very tight time for budgets. The fact that money has been allocated for these purposes to buy the tools that they currently don't have, the fact that the contract arrangements are in place that can allow them savings to buy the tools that they already have at discounted prices, are all very good news to the CISOs and CIOs.
A lot of their questions when we met with them ... focused on what the ordering procedures are that would be used, which kinds of procurements for commodities and services will be done in which order, and then in what format their requirements could be communicated to take advantage of this program. I think a number of the CIOs and CISOs look ahead to the questions of what will be the formal procedures of government that might allow automated security testing to substitute for some of the contracted reauthorization studies that have been required once every three years in the past. Those CISOs who have an annual report to make to Congress under the Federal Information Security Management Act are wondering how the questions of the Office of Inspector General and the GAO may change over time as the government shifts to a greater percentage of continuous monitoring.
I think we're in a transition phase where a lot of these issues are on the minds of many of the senior people, as well as the working-level staff. What form everything takes in the future is right at a pivot point as the Office of Management and Budget announces its policies in these areas.
Policy, Legal Concerns
CHABROW: Do you know if it's just OMB policy that may be changed to ease some of the reporting requirements now that you'll have continuous diagnostics, or does this require a legislative change, or perhaps both?
STREUFERT: Those involved with policy and legal concerns have examined the original Federal Information Security Management Act. They find that the requirements to assure the security of government on an ongoing basis took very broad authority back in 2002 when it was originally adopted. The focus of attention now is some of those implementing regulations that are recorded, and the questions and answers for the annual FISMA review, that are drawing the attention of many of the departments and agencies that are trying to organize themselves for the final reports that they co-write with the OIG [Office of Inspector General].
The conclusions are that there's enough authority. How we ask to conduct our annual security review: these are the topics that are under most active consideration at the moment. It's important to bring into the discussion that the activities of both the OIGs and the government are guided by the National Institute of Standards and Technology's documents and the 800 series. In these cases, we're also finding an encouragement to expand continuous monitoring where appropriate. I think you're seeing the beginning of the change, and it probably will take some time as we move through the very large numbers of systems that the government currently manages where these new methods could be applied.