John Streufert, director of the National Cyber Security Division at the Department of Homeland Security, is helping guide a massive DHS effort to standardize government security protections. (Mike Morones / Staff)
There’s a lot riding on the Homeland Security Department’s new $6 billion cybersecurity contract.
DHS has committed $185 million this year to fund the initial rollout of monitoring tools capable of firing billions of automatic security inspections across civilian networks every 24 to 72 hours. DHS has additional funding budgeted for at least the next two years, pending congressional approval.
“We need tools to automate security testing and specialized experts to make those tools effectively operate and interpret the results,” said John Streufert, who leads DHS’ Continuous Diagnostics and Mitigation (CDM) program. “It’s how we make the repairs,” Streufert said. “In tightening budgets under sequestration, we are trying to make that repair labor more efficiently applied.”
While many agencies today use network scanning tools to detect rogue devices, flawed software applications and other security risks, the technical capabilities vary. So does the departments’ in-house expertise to diagnose and fix those flaws.
DHS’ goal: Standardize security protections across the government over the next three years.
“Agencies are trying to manage threats in real time,” said Andy Maner, a managing partner with IBM. “That is the goal of this vehicle.”
Key to that will be equipping agencies with both tools and experts through a $6 billion, five-year contract awarded to 17 vendors earlier this month. The General Services Administration awarded the blanket purchase agreement on behalf of DHS, and GSA will charge agencies a 2 percent fee to use the contract.
Funding for monitoring
DHS is now developing task orders on behalf of civilian agencies as part of the first phase of the CDM program. Agencies can also place task orders using their own funding and contracting officers, according to DHS. State and local governments can also work through GSA to use the contract.
Under the contract, DHS will fund operations of the scanning tools or sensors at the basic network level, while agencies will have to fund monitoring tools for mission and custom applications. Funds for remediating security problems will also come out of the agencies’ budgets, Streufert said.
Until now, the administration’s push for agencies to bolster continuous monitoring has been an unfunded mandate, said Niels Jensen, regional vice president of federal sales at ForeScout. “Now, not only is there a mandate but Streufert has done a good job working with the administration and making sure there is funding.”
ForeScout offers a software solution that can detect devices on an agency’s network and determine if the device is properly configured in line with agency policy. Nearly a dozen of the 17 vendors DHS selected have included ForeScout’s offering as part of their wider suite of tools.
While use of the contract is not mandated, Jensen said the DHS program is “very much a top-down” initiative that the administration expects will assist agencies in meeting security goals.
“There are many observers of the federal government that expected substantial resistance to adopting the CDM program and, without the facts available to them, made some characterizations that things were going slower than they actually were,” Streufert said.
So far, most large civilian agencies have agreed to use the contract, with the exception of the GSA, he said. Because of internal issues, including some technical challenges, GSA has not made a formal agreement to use the contract, but Streufert expects the agency will do so next fiscal year.
“We have a substantial portion of the entire government covered now,” said Streufert, noting that the 21 largest civilian agencies represent more than 90 percent of the federal workforce.
The program will roll out in three phases. The first focuses on managing all hardware and software with access to agency networks, managing known vulnerabilities, and preventing unauthorized programs from operating on the network. The second phase will include the rollout of tools to determine who uses the systems, when they use them, and the role of that account user. Phase three will offer capabilities for responding to cyber incidents.
A separate contract will be awarded for a dashboard, which will provide agencies a more comprehensive view of their security risks, Streufert said. Based on past experience running continuous monitoring programs at the State Department, he said it takes about that long to understand how to use the new tools and address any false positives from security scans.
“Our strongest objective is to diagnose what those cyber flaws are and leave the data at the department and agency on the detailed level and not move that sensitive information of the content of information that is being protected to the Department of Homeland Security,” Streufert said. “Instead, what we’re worried about on a macro level is how many of the doors are unlocked of the 2.2 million personal computers of the civilian government.”
Embedded into the dashboard will be a method for calculating security risks to help agencies track risks numerically, weight their severity and interpret actionable reports so they can better prioritize which problems to tackle first.
“The actual practices of how [agencies] measure risk will be worked out over time,” Streufert said. “We’re not grading our security in terms of pass/fail but looking at our precise results.”