OMB sets 2017 as deadline to move to dynamic cybersecurity

Tuesday - 11/19/2013, 4:30pm EST

The Office of Management and Budget is giving agencies the playbook to move to a dynamic, proactive cybersecurity environment after more than a decade of reacting to threats and vulnerabilities.

More than a year after making continuous diagnostics and mitigation (CDM) the new standard by which agencies should secure their systems, OMB issued a memo late Monday outlining specific deadlines they must meet to implement what many believe is a better approach to cybersecurity.

In June 2012, the Homeland Security Department, which is leading the operations effort, issued a new policy calling for agencies to move to CDM. Since then, DHS and OMB have been putting the pieces in place for agencies to move to dynamic cybersecurity on a full-time basis.

"The requirement to manage information security risk on a continuous basis includes the requirement to monitor the security controls in federal information systems and the environments in which those systems operate on an ongoing basis, one of six steps in the National Institute of Standards and Technology (NIST) Risk Management Framework," wrote Sylvia Burwell, OMB director, in the memo to agency heads. "This allows agencies to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions."

3 years to full implementation

Burwell said agencies will undertake a phased approach to fully implement by 2017 what OMB now calls information security continuous monitoring (ISCM), rather than continuous diagnostics and mitigation. Many expected OMB to issue this memo earlier in the fall, but Burwell pulled the memo back in late September to clarify which systems will be continuously monitored.

In the memo, agencies are required to develop an ISCM strategy by Feb. 28, addressing "all security controls selected and implemented by agencies, including the frequency of and degree of rigor associated with the monitoring process."

An OMB official, speaking on background in order to be more candid about the policy, said agencies should use the strategy to figure out the level of their maturity across programmatic, technical and management controls.

The official said the strategy also will help agencies determine which one of three approaches they will take to implement ISCM:

  • Rely solely on internal capabilities
  • Rely solely on DHS
  • Partner with DHS

"The approach goes back to where each agency is technically and whether they possess the capabilities with regards to cyber," the official said. "As we thought about this, DHS provides services centrally and through standards across the government. It would be more cost efficient and helpful to agencies who may not have tools in house. Part of what agencies will realize as they complete the foundational survey is whether they will need to or how much they will need to work with DHS."

One cyber expert called the memo too process- and compliance-centric.

Robert Lentz, a former DoD official and now president of Cybersecurity Strategies, said in an email, "I strongly believe this focuses on the wrong priority. While this complicated mandate will force considerable resources to focus on 'hygiene' issues the real problem is advanced persistent threats/Zero day vulnerabilities that will cause much more serious problems. Finally, the only way to address this hygiene/traditional approach is to achieve 'enterprise' procurement across the government to drive down costs."

DHS is trying to address the enterprise procurement issue. In August, as part of the build-up to ISCM, DHS awarded 17 vendors a spot on a $6 billion blanket-purchase agreement to provide CDM tools and services.

New details on the cyber RFQ

And just last week, DHS, through the General Services Administration, which runs the BPA, issued the first task order for CDM tools.

The request for quote, obtained by Federal News Radio, shows DHS wants tools for 33 agencies that support hardware asset management, software asset management, configuration management and vulnerability management.

The RFQ also stated that the hardware and software asset management tools need to support functions such as knowledge fusion, application whitelisting, database scanning, Web application scanning and code review.

GSA and DHS say the tools and sensors will:

  • Simplify the security authorization process by helping to automate both security assessments and authorization processes.
  • Continuously monitor and report system security status to agencies' information security personnel.
  • Provide specific details to help prioritize remediation efforts.
  • Allow system owners, risk managers, authorizing officials, and other stakeholders to make better risk-management decisions.
  • Report the security posture of monitored systems to the CyberScope application, thereby reducing the requirement for manual inputs.

DHS and GSA asked specifically for tens of thousands to hundreds of thousands of tools from seven vendors: IBM, McAfee, Symantec, BDNA, Application Security Inc., Tenable and Hewlett-Packard.