Continuous Diagnostics: Getting Started
DHS's John Streufert on Monitoring of Government Systems
The initial phase of the continuous diagnostics and mitigation initiative, a new program to secure government computers, concentrates on helping federal agencies identify and manage their software and hardware assets.
"We would like to have a good, accurate identification by department and agency of all of the components which are in use," says John Streufert, director of Federal Network Resilience within the Department of Homeland Security's National Protection and Programs Directorate, in an interview with Information Security Media Group (transcript below).
The DHS initiative, unveiled this summer, offers federal, state and local government agencies the ability to purchase discounted hardware, software and services to assess cybersecurity risk and present those risks in an automated and continuously updated dashboard - enhancing their ability to see and counteract day-to-day cyberthreats (see $6 Billion DHS IT Security Plan Advances).
"[W]e also want to make sure that there aren't any hidden rogue devices or operational pieces of software components that are not being tracked," says Streufert, who heads the initiative that relies on continuous monitoring, a term out of favor with some federal government officials who believe it can be confused with the government monitoring online activities of citizens.
Streufert says the process will include ongoing checks to ensure that the devices on the network are in sound condition. "We look at this initial phase of CDM as foundational for later work, which will concentrate on privileges and the management of the integrity of the network," he says.
In the interview, the second in a two-part series, Streufert:
- Reviews the products and services federal agencies and local and state governments can acquire under the program from 17 approved vendors;
- Explains how agencies can judge the success of the initiative; and
- Provides an overview of when various components of the initiative will be offered.
In part 1 of the interview, Streufert discusses the goals of the continuous diagnostics and mitigation program, delineates the responsibilities of federal agencies in implementing the new program and explains why the federal government refers to continuous monitoring as continuous diagnostics (see Feds Tackle Continuous Monitoring).
Before joining DHS, Streufert served from 2006 to 2012 as the State Department's chief information security officer, where he instituted a program that resulted in an 89 percent reduction in risk in 12 months (see Beyond FISMA: State Dept.'s Next Gen Metric).
ERIC CHABROW: Address the kinds of services agencies can expect to get from the 17 approved contractors.
JOHN STREUFERT: The contract terms allowed for these 17 integrators to supply combinations of sensors and hardware-related devices that assist in performing the security function, and there was also the opportunity to include services, training and the kinds of assistance that would allow those sensors to effectively operate on an ongoing basis. You find a number of the departments and agencies that have had a traditionally strong program in continuous diagnosis over time - let's say the Department of Justice or Veterans [Affairs] - and you could find them coming to the contract to acquire tools that they did not have before, or maintenance on their existing tools, at a favorable quantity discount.
We find other departments and agencies who have no program in place and will be looking for what might be characterized as an enterprise solution, which would be a combination of sensors in those initial four areas that I mentioned, as well as the services to turn around and run them. Our program had to take into account any accommodation of everything from a fully operational program that just needed to add a few diagnostic features right down to departments and agencies that have no automated security program in place and would need a combination of those tools and services.
Measuring Program's Success
CHABROW: How will you know if this initiative will be successful?
STREUFERT: Much attention - appropriately so - is on the sensors and services at the beginning. We know that the dashboard, when it's connected to the sensors, will allow the civilian departments and agencies to track their progress toward reducing these known cyberflaws that can be the starting point of incidents that can result in loss of information. The dashboards that are currently functioning around the government attend to what percentage of these known cyberflaws have actually been repaired. We have a method called risk scoring, which attaches numbers to these flaws. At the point that the flaws are taken care of, the individual numbers assigned to them disappear. ... [R]educing known risks and expanding the coverage of scanning across the government will all be taken into account to measure our progress.
Hardware, Software Management
CHABROW: When you talk about these flaws, are you talking about things such as failure to patch on time or identifying specific malware in a system? Can you be a little bit more specific?
STREUFERT: The initial phase of continuous diagnostics and mitigation is concentrating on hardware asset management and software asset management. Here we would like to have a good, accurate identification by department and agency of all of the components which are in use. ... We also want to make sure that there aren't any hidden rogue devices or operational pieces of software components that are not being tracked.
We will undergo a process of making sure that ongoing checks of the devices on the network are in sound condition, and this will include network mapping of the devices that are assigned to the particular departments and agencies for management. The field of vulnerability management is among the longest existing for the civilian government. The National Institute of Standards and Technology has a catalog of these vulnerabilities, which numbers some 40,000 or more discrete methods under which the absence of a patch can run into openings that can be used to initiate cyber incidents. Our goal here with the scanners is to go through the hardware devices and key utilities, look and make sure that those known vulnerabilities are effectively patched with the most recent update that comes from the vendor or the owner of that operating system or utility.
In terms of compliance setting management, our attention is taking the settings of the utilities and the software that we have and making sure that all of their features are in the strongest condition possible, and here we follow the guidelines of the Department of Defense, who has had some of the longest and most effective uses of strong settings in terms of protecting systems. In these instances, we try to push patches and see to it that the policies that enforce the strong configurations are in place and mark the instances where they're not in terms of potential severity or risk for the system. But first, all of these items we mention - hardware/software asset management, vulnerability management and compliance setting management - have a special concentration on the general support systems which host the application software. We also anticipate in the first phase doing some scanning of settings, vulnerabilities, websites, databases and then software code, and we will be establishing some of the initial capabilities in a number of the departments and agencies in this important area where sensitive data is managed or stored.
All in all, we look at this initial phase of CDM as foundational for later work, which will concentrate on privileges and the management of the integrity of the network.
Rollout of Components
CHABROW: How long should the first phase take and when will the second phase begin?
STREUFERT: This is occurring because of the conditions on the ground in a rolling effort across government. The commodities, hardware/software asset management, vulnerability and configuration setting tools are in the process of being purchased now. Because of the quantity, the number of vendors bidding and the wide scale of supporting more than 2 million devices in civilian government, [it] all translates into a very large and comprehensive operation. It will take a number of months to complete those purchases. We have an activity of also getting specialized diagnostic labor in place for that same group of 23 [of the largest federal] agencies, and the evaluation of the services bids for that will also take a little time to do. I would anticipate that for the first phase components that were funded in 2013, you will see a gradual installation and setup of the services in 2014, and then approximately an equal amount of time will be required to initiate and roll out the second and third phase. We anticipate that after three years of programs, we will be in a maintenance mode on this core set of activities for what will balance out to be all together about a five-year program of getting it set up, getting the sensors connected to the dashboard and then moving to higher levels of maturity.
Local, State Government Participation
CHABROW: You mentioned local, state government and other agencies that may participate in this program. Can you tell us a little more about that?
STREUFERT: Word is beginning to move out to a number of the states that this contract is available to make purchases of diagnostic tools. Some of the states already have these tools in place and are looking for better prices. Some of the states are in initial conversations with their senior leadership and their legislatures about the importance of protecting taxpayer information. As the price competition has been very favorable on the federal level, the state and local governments can take advantage of those pricing opportunities under the cooperative purchasing program under the GSA schedule. [The] numbers of participation in terms of states and local governments are going up. The initial activity at the present time is distributing buying guides. As the ordering gets consolidated by the state governments themselves, usually through associations of some kind that serve those organizations, all of that is in the process of being assembled at this point and contacted by half a dozen different states. Each day we're recording an additional number of city governments that are beginning to explore what opportunities exist under the contract. I would put this at very early stages, but over time would expect that the things would fall under pattern for the governments outside of Washington, just as we're concentrating in getting the ground-laying done here in the immediate metropolitan area.
CHABROW: Is DHS offering to do any kind of dashboard or things for the state and local governments that you are doing for the federal agencies?
STREUFERT: We're going to try to make available the dashboard of tools that are developed at the federal level for the use of the state governments, but we will not be collecting or monitoring progress by the states under the existing regulations in place. Those activities are managed on the local level by each state government and local government for their own purposes. But we're going to do our best to share the lessons that come out of the federal program. These will be published in what we call toolkits that assemble frequently asked questions and guide the technical managers as they go about setting up their own programs. I would say there will be a good flow of information outward from Washington, but we will not be formally collecting any data from the state governments or local governments on their progress.
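The phase-one mechanics Streufert describes above (reconciling the authorized inventory against what network mapping actually finds, flagging untracked devices and software, attaching points to known flaws that disappear once repaired, and reporting the percentage remediated on a dashboard) can be sketched in a few dozen lines. The Python below is an added illustration, not code from the interview or from the CDM program. Every host, software name, finding and point weight in it is constructed for the example; the page does not describe the program's actual scoring scheme, so the weights here are an assumption.

```python
"""Illustrative CDM phase-1 style reconciliation and risk scoring.

Added example. All inventory data, findings and point weights below are
constructed for illustration; they are not the CDM program's real scheme.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed authorized hardware inventory: hostname -> approved software set.
AUTHORIZED_ASSETS: dict[str, set[str]] = {
    "ws-0101": {"os-patch-agent", "office-suite", "browser"},
    "ws-0102": {"os-patch-agent", "office-suite", "browser"},
    "srv-db01": {"os-patch-agent", "dbms"},
}

# Constructed network-mapping result: hosts the scanner actually observed,
# with the software it saw installed on each.
DISCOVERED_HOSTS: dict[str, set[str]] = {
    "ws-0101": {"os-patch-agent", "office-suite", "browser"},
    "ws-0102": {"os-patch-agent", "office-suite", "browser", "p2p-client"},
    "printer-3f": set(),         # on the wire, claimed by nobody
    "unknown-aa-bb": {"sshd"},   # on the wire, claimed by nobody
}
# srv-db01 is in the inventory but was never seen: stale record or scan gap.


@dataclass(frozen=True)
class Finding:
    host: str
    flaw_id: str    # placeholder identifier (a real feed would carry a CVE or advisory id)
    severity: str   # "critical", "high", "medium" or "low"
    patched: bool


# Constructed vulnerability-scan findings.
FINDINGS: list[Finding] = [
    Finding("ws-0101", "FLAW-001", "critical", False),
    Finding("ws-0101", "FLAW-002", "low", True),
    Finding("ws-0102", "FLAW-001", "critical", False),
    Finding("ws-0102", "FLAW-003", "medium", False),
    Finding("unknown-aa-bb", "FLAW-004", "high", False),
]

# Assumed points per unpatched flaw (illustrative weights, not the program's numbers).
POINTS = {"critical": 10, "high": 6, "medium": 3, "low": 1}


def rogue_devices(authorized: dict, discovered: dict) -> list[str]:
    """Hosts seen on the network that no department or agency has in its inventory."""
    return sorted(set(discovered) - set(authorized))


def unseen_devices(authorized: dict, discovered: dict) -> list[str]:
    """Inventory entries the scanner never observed (stale records or coverage gaps)."""
    return sorted(set(authorized) - set(discovered))


def untracked_software(authorized: dict, discovered: dict) -> dict[str, list[str]]:
    """Software installed on known hosts that is absent from their approved baseline."""
    extra: dict[str, list[str]] = {}
    for host, installed in discovered.items():
        if host in authorized:
            diff = sorted(installed - authorized[host])
            if diff:
                extra[host] = diff
    return extra


def risk_score(findings: list[Finding]) -> int:
    """Total points for unpatched flaws; a repaired flaw's points disappear."""
    return sum(POINTS[f.severity] for f in findings if not f.patched)


def per_host_scores(findings: list[Finding]) -> dict[str, int]:
    """Per-host points, highest first, so the worst system tops the dashboard."""
    scores: dict[str, int] = {}
    for f in findings:
        if not f.patched:
            scores[f.host] = scores.get(f.host, 0) + POINTS[f.severity]
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))


def percent_remediated(findings: list[Finding]) -> float:
    """Share of known flaws already repaired, as the dashboards report it."""
    if not findings:
        return 100.0
    return 100.0 * sum(f.patched for f in findings) / len(findings)


def remediate(findings: list[Finding], host: str, flaw_id: str) -> list[Finding]:
    """Return a new finding list with one flaw marked patched (what a rescan would show)."""
    return [
        Finding(f.host, f.flaw_id, f.severity, True)
        if (f.host, f.flaw_id) == (host, flaw_id) else f
        for f in findings
    ]


if __name__ == "__main__":
    print("rogue devices:", rogue_devices(AUTHORIZED_ASSETS, DISCOVERED_HOSTS))
    print("unseen devices:", unseen_devices(AUTHORIZED_ASSETS, DISCOVERED_HOSTS))
    print("untracked software:", untracked_software(AUTHORIZED_ASSETS, DISCOVERED_HOSTS))
    print("risk score:", risk_score(FINDINGS), per_host_scores(FINDINGS))
    print("remediated: %.1f%%" % percent_remediated(FINDINGS))
    after = remediate(FINDINGS, "ws-0101", "FLAW-001")
    print("after patching ws-0101/FLAW-001:", risk_score(after), "%.1f%%" % percent_remediated(after))
```

Two details are worth noting when doing this for real. A host that appears only in the scan (like `unknown-aa-bb` above) still accumulates vulnerability points, so a rogue device with an exposed service shows up twice on the dashboard, once as an inventory gap and once as risk; that is the intended effect, since it is the least-known and therefore least-managed machine. And a host that is in the inventory but never seen (`srv-db01`) contributes zero points, which is exactly why the passage pairs risk reduction with expanding scan coverage: an unscanned system looks clean.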