The establishment of the General Services Administration’s (GSA) new continuous diagnostics and mitigation (CDM) blanket purchase agreement (BPA) is likely to completely overhaul the federal government’s approach to cyber security. At least that’s what a panel of government security executives hopes will happen. The executives came together for the Federal Cybersecurity Update: Managing Info Security Risk Through CDM event, sponsored by immixGroup, last month.
“As a security weenie, I despise the three-ring binder” full of security checklists, said Jeff Eisensmith, the CISO for the Department of Homeland Security (DHS). “In a time of scant resources, it’s tough to say I want to check every box in this binder [since the question is] am I any more secure? At the end of the day, [the answer is most often] no.”
The usual governmental methods – congressional dictates or Administration executive orders that get translated into a one-size-fits-all procedure, with deadlines set by the calendar – are not able to keep up with the rapidly changing threat environment. Cyber security professionals who spend their time working through checklists, so they can create the artifacts to meet the requirements of a binder, are not able to simultaneously keep an eye on daily network operations.
Robert Brese, CIO at the Department of Energy (DOE), agreed that working off standardized lists does not advance the goal of better cyber security.
“I sat down and talked to our [inspector general] and asked, ‘Based on advanced persistent threats can I have 100% FISMA compliance and still be tipped over?’ ‘Yes,’” Brese said.
These two departments are taking very different approaches to improving their cyber security, something that the CDM BPA accommodates easily.
Eisensmith said that DHS is aiming to have as standardized a network environment as possible, which will make it easier to have a set of standard cyber security tools across the very large, geographically dispersed department.
By contrast, Brese said, each national laboratory in DOE is a unique computing environment, with very little in common from lab to lab, and with scientists who “tend to ignore national directives” on such things as cyber security and who fall into the “not invented here” mentality.
“The good news is … that CDM is one of the things where DOE is making a great deal of progress,” he said.
GSA has issued task orders for cyber security dashboards, said Jim Piche, GSA’s group manager for FEDSIM DHS. “We should have initial operational capability before Thanksgiving,” he said.
The dashboards should be able to monitor and report on both low- and high-level activities, to help security officers make day-to-day decisions on such fundamentals as managing software patch schedules as well as reveal potential breaches, unauthorized data access, and other ongoing threats.
The dashboards also should work with whichever of the numerous CDM solutions agencies opt for, Piche said. He likened it to the tire pressure sensor on new cars – there’s only one sensor, but it’s able to track the information regardless of which of dozens of manufacturers, each with different specifications, provided the tires on the vehicle.
It is not enough to deal with daily cyber threats, Brese said. “Vulnerabilities are interesting, but it’s risk that’s important. Getting the data is not the reason we do this, it’s the risk equation.” CDM provides the information needed to develop risk avoidance strategies, even as it brings down costs, he said.