John Streufert, Director of Federal Network Resilience at DHS, delivers the keynote address at the Federal Times Breakfast Series discussion about Federal Cybersecurity at the Ritz-Carlton Pentagon City in Arlington, VA on Wednesday, June 11, 2014. (Mike Morones)
As director of the Federal Network Resilience Division at the Department of Homeland Security, John Streufert oversees a $6 billion effort to secure public-sector networks against cyber threats. That effort, called the Continuous Diagnostics and Mitigation (CDM) program, aims to apply a strategic sourcing acquisition strategy toward the purchase of network sensors, dashboards, expertise and a variety of services to identify and fix the worst vulnerabilities threatening the dot-gov enterprise. Streufert provided an update on that program as the keynote speaker at a June 11 event hosted by Federal Times and its sister publication C4ISR & Networks. Following are edited excerpts of his address and an interview with Federal Times Editor Steve Watkins:
We’re about to harvest the work of the past two years and begin actually implementing the first increment or phase of diagnostics and mitigation in dot-gov. But to set the context of what the [Continuous Diagnostics and Mitigation] CDM Program is and why it matters at a 30,000 foot level, I’d like to take you up to satellite height for a minute and set the context of why this iteration, this investment that the Congress has made and the executive branch has formulated a program on, is so important.
Frank Reader, leading a study group on behalf of Jim Lewis at the Center for Strategic and International Studies, said in a report about a year ago, “Our adversaries are well equipped and agile. Our defenses must be equal to the threat — this is now focusing on government systems in networks — and they are not.” It goes on to say that changing FISMA [Federal Information Security Management Act] requirements from a process and compliance approach that focuses on process rather than outcomes to one of continuous monitoring is the single most important action that OMB can take for cybersecurity. We recommend that the Office of Management and Budget use authority provided in existing statute — that would be the Federal Information Security Management Act, and other authorities available to the Executive Branch — to effect this important reform. That was exactly the spirit under which the continuous diagnostics and mitigation program was launched.
The urgent need for continuous monitoring
Why the CDM program? [Center for Strategic and International Studies] found in its document, “Raising The Bar For Cybersecurity,” that CDM and continuous monitoring-like programs that are used across government can stop 85 percent of the cyberattacks by — what? — searching for, finding, fixing and reporting the worst cybersecurity problems first.
CSIS went on to say that 75 percent of the attacks use known vulnerabilities. More than 90 percent of the successful attacks require only the most basic techniques, and 96 percent of the successful breaches where an exfiltration is involved can be avoided if the department or agency puts into place simple or intermediate controls, which would include identity management.
Well what’s the problem?
Every three days, there are trillions of cyber events aimed at the perimeters of the government networks. There are millions of attempted attacks at network speed, and hundreds of attacks succeed.
Every three months, our US CERT [DHS’ U.S. Computer Emergency Readiness Team] records more than 10,000 successful attacks. Terabytes of data are being stolen if we look on an annualized level, and unfortunately a manually oriented process of plans of action and milestones files 7,200 reports each three months. This is something that we need to stop. The problems are piling up faster than we can document them in a manual mode. We need to begin working toward automation and dashboards and a combination of other protections of our perimeter to do better.
Every three years, under existing OMB guidance not just changed, we’re required to file reauthorization reports, and I think the cost of those once-in-three-year reports is of concern to all of us. The Office of Management and Budget documented that civilian, military, and the [Committee on National Security Systems] community are spending not less than $600 million a year just in contractor-funded studies once in every three years, called Reauthorization Reports. When you take into account the labor which is associated with those reauthorization studies, the cost to the U.S. government is not less than $1.9 billion a year, and what we estimated at the State Department was $1,400 per page to generate.
The output of the government for the place that I worked a number of years ago, extrapolated across each of the sections of government, generated manually created reports once in three years, well after the data was no longer within focus and valuable, would stack 438 feet high or two thirds the height of the Washington Monument annually. To what effect? Limited effect in comparison to the benefits of automation that was practiced under the host-based security system at the Defense Department in 2008 and beyond and what now will become the Continuous Diagnostics and Mitigation Program for civilian agencies.
We went to the CISOs at the civilian agencies and said, “What proportion of your energies are devoted to process and compliance reports under FISMA?” Well, their answer was that 65 percent of their energies were devoted to process and compliance reporting, even as cyber threats were rapidly evolving and causing trouble.
In short, we told OMB that our prior approaches, though foundational, were unresponsive, uneconomical, and unsustainable in comparison to the threat. So the proposed alternative — to automate security control testing and progress tracking in a way that would provide closer to near-time results by the benefit of putting sensor data in dashboards — would begin prioritizing every security action of civilian government, concentrating on the networks and later other systems to fix the worst problems first.
If there are an overwhelming volume of incidents, then placing no priority — from inconsequential attacks to those that were costing the government a great deal — made no sense. We need to put priorities in our security initiatives and that is a backbone initiative of the diagnostic and mitigation program. The proposed alternative will accelerate defenses through faster updates of those sensors. So we are about to begin a process where a series of deployed subject matter experts from industry, across the civilian government, will see to it that the commercial off-the-shelf sensors are updated for those checks that will be occurring from every 20 minutes up to not less than every three days.
Finally, we will gather enough information to allow the cyber defenders of dot-gov to identify and mitigate flaws with the benefit of these to-do lists that put the worst problems on the top of the to-do stack.
When the program was conceived in 2011, and briefed to the Defense Department, there was a proposal of doing security-as-a-service — later defined as continuous monitoring-as-a-service. It would be cheaper due to economies of scale. It would be faster by providing solutions rather than decided services for each subcomponent. And we counted them: 268 logical organizational subcomponents of dot-gov, if it had not been for the intervention of the CDM program, would have designed and executed their own technical systems and solutions for cybersecurity, without which the benefits of a full situational awareness would have come about.
It was critical that we get civilian government on one page. I am pleased to tell you that in fact that happened.
CDM contract winners
I’m pleased to draw to your attention the 17 winning vendors of the continuous monitoring-as-a-service contract, which brought the best ideas of cyber defense to a single portal and which will be available to all of the government sector. So the foundation was laid. Now the question is, “If we build it, will they come?” They did, and in overwhelming numbers. The current status for the CDM program for the protection of dot-gov networks: There are at this point more than 47 memorandums of agreement signed, covering better than 96 percent of the federal government and covering 23 of the 23 CFO Act agencies where the bulk of the most sensitive systems of civilian government are managed.
A substantial portion of the contract will be available to the Defense Department, the Defense Industrial Base, the 50 state governments, local governments, territory and tribal governments in a government sector that I estimate to cover as many as 25 million users in the U.S. economy.
In the first task order, which was awarded in January of 2014, CDM tools were supplied for 19 agencies. In the competition that occurred, there was an average reduction against the GSA Schedule 70 baselines of the 17 winners of the program, and that generated a budget avoidance in the first task order of $26 million. You can say that very likely we funded in the budget avoidance of the first task order sufficient labor to cover our internal staff and put a dent in the cost of GSA FEDSIM [the General Services Administration’s Federal Systems and Integration Management Center] in putting up the entire instrument for the rest of government.
We are now positioning for task order number two, which will supply solutions under competitive task orders to the better part of the 23 of 23 CFO Act reporting agencies within the next 20 weeks. These will be in six competitive task orders where departments and agencies are grouped against the kinds of requirements they have. Some of them are adding to a strong baseline of existing continuous diagnostics and mitigation. Some departments and agencies have a patchwork quilt of requirements and need to standardize as the Department of Defense did in 2008. Some of them have zero protections in place. To avoid the unwelcome outcomes of being target practice for the cyber adversaries out there, we want to put those first mechanisms in place that function a lot like General Motors OnStar. We want to know whether the windows are open, the doors are locked, whether the tires are low, or it’s time to do a check engine on our basic previously known vulnerabilities and weaknesses.
So think of the continuous monitoring-as-a-service contract as putting subject matter experts and sensors in position, but none of it will have been worth the trip unless the data from those sensors can be gathered together at the agency level and the civilian government level for meaningful conclusions. A multi-tiered architecture of the CDM dashboard will be put in place. Agencies will maintain their own dashboards locally. The federal dashboard will hold only summary information and provide an enterprise risk picture.
The dashboard schedule is complementary to what we’re doing in the task order two. We awarded a contract to a consortium of five small businesses. This summer, we will do a commercial off-the-shelf tool alternatives review. We will select from that and look at the range of government requirements that need to come to bear. In the August timeframe, we will communicate with the civilian government about the dashboard design. And we are aiming toward initial operating capability early in calendar year 2015.
Back in 2011, I gave a presentation to the Defense Department that identified six challenges. Those challenges were that we lacked economies of scale and tool purchases. I’m pleased to say that the continuous monitoring-as-a-service contract and the strong sign-up of civilian agencies has accomplished that objective in its initial phases.
I pointed out that there were a lack of economies of scale in cloud security offerings. FedRAMP [Federal Risk and Authorization Management Program] is our step forward in this regard, but over time my prediction would be that cloud-based contracts, security of protection of the entire enterprise, and diagnostics and mitigation with third-party assessors are likely to form the future. I am pretty sure that cloud is going to be in the next generation of contracts that are going to be doing continuous monitoring as a service.
Early Continuous Diagnostics and Mitigation Program work in the government showed that it was feasible, when concentrating on worst problems first, to reduce previously known vulnerabilities and configuration setting weaknesses by a factor of 10 in 12 months and a factor of 20 in two years — but if, and only if, the sensors and the related sensor data were pulled into a common place and individuals were assigned to make the necessary repairs against their network and progress was tracked on a daily basis, which is in fact the design of the dashboard which is coming.
We further found, by highlighting worst problems first, that we could go from zero to 84 percent patched in seven days and zero to 93 percent in 30 days, using the power of worst problems first embedded in the dashboard. The combination of reducing the attack fabric in the first instance with hygiene and the command and control derived from raising risk scores to rapidly provide corrective action are the elements of the command and control system which I’m highlighting would be beneficial. In later phases of CDM, we will take not only good hygiene and the command and control elements, but we will cross-correlate with intrusions that have been identified and incidents that involve particular people to harvest the combination of understanding that comes from taking care of known problems, identifying who is being attacked, and how they’re being attacked to greatest advantage.
The next steps in the CDM Program include taking the intellectual property which has been under development the last ten years and posting it on the US CERT website for everyone in the government sector to use. I am pleased to say that the initial steps to put the training that we’ve been providing more than a half a dozen times to civilian government is now accessible for anyone in the government sector to get access to.
We will continue over time to implement the NIST risk security framework. We are taking proactive action to train the civilian workforce in how to use the diagnostics and mitigation program. We have plans to institute a recruitment and retention program to see to it that the workforce is onsite with the correct training to do CDM as intended.
We eventually want to take not only the CDM output in the diagnostic phase, but with industry over time — and not all of this is funded yet — concentrate on the mean time to patch with the full benefits of automation. There are tools in industry that are being used in the private sector and in subsets of the CMAS [continuous monitoring as a service contract] offerings that can actually automate in the background corrective action across enterprises, taking care of known classes of threats and emerging threats in rapid fashion. We have instituted a method of leap-ahead technology and have already put through a dozen and a half firms to assure that the tools purchased in the second and third phase are the latest that industry has to offer, and also to update the technologies that are available in the first phase as we move out to the full range of dot-gov.
Finally, we’re in the process of creating a critical application resilience program that will take the controls that are protected in the dot-gov networks and apply them to the custom software of civilian government. The numbers at large are that there are 6,000 moderate and 1,200 high systems of government. There is a set of controls that are especially presented in software in the cloud systems that we need to undertake.
The scale of that effort on software is large. If you were to accept for a minute that 40 to 60 percent of the federal IT spending is on critical applications, my estimate is that the outflow that needs security protection is $31 billion to $47 billion annually. Our objective in the security program of diagnostics and mitigation is to assure that when security testing is taken against the outflows of that magnitude, we’re using the best that private industry has to offer and shy away from manual techniques when they are no longer necessary to use.
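As an added illustration of the worst-problems-first scoring described in the address above (this is example code, not the CDM program’s or any dashboard contractor’s): each open sensor finding gets a severity weight that escalates with age, hosts are ranked by aggregate score for the agency dashboard, and the share of findings fixed within N days is tracked. The severity weights, the escalation rule, the host names and the check ids are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Base weight per sensor finding severity. The weights and the age escalation
# below are assumptions for this example; the address describes "worst problems
# first" and "raising risk scores" but gives no scoring formula.
BASE_SCORE = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
ESCALATION_PERIOD_DAYS = 7  # score grows by one base unit per week left open


@dataclass
class Finding:
    host: str
    check: str            # known vulnerability or configuration-setting check
    severity: str
    first_seen: date      # date the sensor first reported it
    fixed_on: Optional[date] = None


def risk_score(f: Finding, today: date) -> float:
    """Score one open finding; a fixed finding contributes nothing."""
    if f.fixed_on is not None:
        return 0.0
    age_days = (today - f.first_seen).days
    # Linear escalation: an old medium can outrank a brand-new critical,
    # which is what pushes stale problems up the to-do stack.
    return BASE_SCORE[f.severity] * (ESCALATION_PERIOD_DAYS + age_days) / ESCALATION_PERIOD_DAYS


def todo_list(findings: List[Finding], today: date) -> List[Tuple[str, str, float]]:
    """Open findings ordered worst-first as (host, check, score)."""
    open_items = [(f.host, f.check, risk_score(f, today)) for f in findings if f.fixed_on is None]
    return sorted(open_items, key=lambda item: item[2], reverse=True)


def host_scores(findings: List[Finding], today: date) -> Dict[str, float]:
    """Aggregate risk per host for the agency-level dashboard view."""
    totals: Dict[str, float] = {}
    for f in findings:
        totals[f.host] = totals.get(f.host, 0.0) + risk_score(f, today)
    return totals


def percent_fixed_within(findings: List[Finding], days: int) -> float:
    """Share of all findings remediated within `days` of first being seen."""
    if not findings:
        return 0.0
    fixed = sum(1 for f in findings
                if f.fixed_on is not None and (f.fixed_on - f.first_seen).days <= days)
    return 100.0 * fixed / len(findings)


# Constructed sample sensor output; host names and check ids are placeholders.
TODAY = date(2014, 6, 11)
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-A (known vulnerability)", "critical", date(2014, 6, 9)),
    Finding("web-01", "CFG-ssh-root-login", "medium", date(2014, 5, 14)),
    Finding("db-02", "VULN-B (known vulnerability)", "high", date(2014, 6, 4)),
    Finding("db-02", "CFG-default-password", "low", date(2014, 6, 10)),
    Finding("mail-03", "VULN-C (known vulnerability)", "high", date(2014, 5, 20), fixed_on=date(2014, 5, 25)),
    Finding("mail-03", "VULN-D (known vulnerability)", "medium", date(2014, 5, 1), fixed_on=date(2014, 5, 20)),
]

if __name__ == "__main__":
    for host, check, score in todo_list(SAMPLE_FINDINGS, TODAY):
        print(f"{score:6.2f}  {host:8s} {check}")
    print("per-host:", host_scores(SAMPLE_FINDINGS, TODAY))
    print("fixed within 7 days: %.1f%%" % percent_fixed_within(SAMPLE_FINDINGS, 7))
```

In the sample, the four-week-old medium configuration weakness on web-01 outranks the two-day-old critical, which is the effect the age escalation is meant to produce.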
You mentioned in the next 20 weeks we should see a flurry of task order activity: draft RFPs, final RFPs, awards and so forth. Can you update us on the timetable for rolling all that out and how soon do you expect to see some actual awards?
Well, the actual timing of the awards is linked to how industry organizes itself to bid on these six streams of activity that will be launched in calendar year 2014, and with the FY 13 and FY 14 dollars. We won’t know until the actual competitions are announced and the proposals come in how many of the 17 vendors are going to go it on their own, and in what cases, because of the scale of activity that we’re doing — covering some 2.2 million seats of civilian government — will result in some kind of teaming. But if there are a smaller number than 17, the procurement schedules will go faster. If all 17 bid, the review of each of the 17 bidders with time to evaluate the price and technical proposals will likely result in awards beginning at the end of this year and spilling into calendar year 15.
The contracting officers, of course, hold very closely what the kickoff of any one of those specific events are and in what order and the objective is to keep a level playing field among the industry vendor community. And we have worked very hard to keep that level playing field while keeping the lines of communication open. I was reflecting on the timing of this particular presentation this morning. It was almost a year next week when the first industry days were called for on the continuous monitoring as a service contract, and in the two months later, there were a set of industry webinars that received industry input. Then multiple rounds of exchanges on the award of the contract and the initial task order. So although the process is time-consuming, the thing that I would highlight at this moment as we get ready for action, this program has had almost unparalleled input from the 124 elements of civilian government and industry, which brings us to this point that we’re substantially on one page for the competitions that are coming ahead.
So it sounds like you’re saying the key determinant on the timing is going to be the industry teaming arrangements. What about on the agency side, the six federal groupings, how do you assess their readiness for all of this?
What brings us to the ability to go out to industry now is the fact that every one of the participating elements of civilian government has signed a memorandum of agreement which established the legal relationship with our office and the Department of Homeland Security, and has completed both foundational and supplemental surveys to get ready. Those that are in the acquisition queue have actually signed off on the statement of work, which is about ready to go out to industry. So the level of readiness varies. It is most complete for those that are coming out at the beginning of the batting order, and we are gradually assembling, through a seven or more step cycle of preparedness from the foundational surveys up to a finalized statement of work, through all of them.
The greatest level of completion is for those two groups that are closest to award to go out to industry within the coming weeks. So I think you will see universal readiness by the end of the calendar year and some of them would be ready if FEDSIM was to undertake the competition this moment if the proposals were done. So I think everyone is at the point that they want to discuss it, but you’ll see varying levels of completeness depending upon when we actually go in front of industry, simply because of the magnitude of the effort.
So we have six agency groupings coming out in task orders. Where will we see the biggest differences in terms of the RFPs that are coming out to these various groups?
Some of the departments and agencies have a several-year history of continuous monitoring in place. They’re looking for some labor to help them and round out their base to common equivalent footing for vulnerability management, configuration setting compliance, hardware asset management and software asset management. Some of them have nothing, on the other extreme, and some of them have a patchwork quilt. So the variations within the departments and agencies are reflected in their reading rooms, where industry will go out and look at the specifics to customize their core solution. We had to develop a method of response and interaction with industry which would accommodate all of those end states. So there are common themes at the enterprise level, but it was necessary, of course, for us to have customized solutions for everyone that is participating, and that is the blend of the acquisition instrument that you see about to take place.
On the technical side: How will the CDM task orders relate or interface with agencies’ existing SOC and NOC [security operations centers and network operation centers] contracts and service level agreements? Will they be transitioned, consolidated, concurrent? How does that work?
This is another one of those questions that hinges in a very dominant way on what the conditions were in the department and agency at the start. A number of our largest cabinet departments and agencies have very sophisticated security operation centers and methods for evaluating cyber security events. For those, the activity in the first phase of the diagnostics and mitigation program is somewhat like the finishing touches of paint on a picture or a piece of furniture which is largely complete and intact. For those, the CDM Program is adding a little bit of labor and a few tools to round them up and take them to a higher and standard state. For those that have no security operations center in place, the CDM Program will be putting foundational elements of good hygiene in place, and over the course of the CDM program in the coming months and years will add some of those elements that are common in dot-gov or commonplace in the military. So what you see in the relationship in those important categories that you mentioned will depend upon the condition which is in place, but the goal is to have the insertion of the diagnostics and mitigation be non-disruptive of whatever security mechanisms exist, either automated or manual or ongoing.
Your acquisition strategy is to go to single award task orders. By doing that, are you inviting a higher risk of protests after each award? Then also, are you perhaps adding a heavier than necessary load on those vendor teams who ultimately win that work? In other words, how confident are you in the vendor’s ability to scale this?
Well, we were faced with a challenge in our program on meeting the objectives of protecting each of the 124 departments and agencies, but ultimately an ability to establish a standard enterprise picture for good security outcomes. If we had 124 awards with 124 unique solutions, the mandate from U.S. CIO Steve VanRoekel and our agreements with Congress would have been difficult to achieve. So I think with six solutions which are introduced, represented as many as 10 to 15 team members below the winning solutions from private industry, I think you’re going to see a combination of rich diversity, customized to the needs of the departments and agencies, but with sufficient standardization and cohesion that the enterprise picture that we need can be accomplished. I think that undoubtedly we had to narrow the scale of the number of awards to be successful with the end objective. After all this expenditure of the taxpayer’s money, the security outcome has to be paramount. For those that are concerned about the narrower number of awards for the network, I would mention that the broad number of delegations of procurement authority for the rest of the government sector are ultimately going to allow each of the CMAS vendors to bid many, many times over the five years for what I believe over the long run will be the bigger part of the program, which is protecting clouds and custom software.