Continuous monitoring deadlines push agencies to think big cyber thoughts

Friday - 2/21/2014, 4:11am EST

As part of the preparation to implement cybersecurity continuous monitoring, agencies have one week to send the Office of Management and Budget their initial ideas of how they will move to a dynamic approach to protecting their computers, data and networks.

Under the OMB memo from November, the administration wants agency strategies by Feb. 28 on how they plan to implement information security continuous monitoring by 2017. Along with the strategy, agencies are to begin buying products and services to implement phase one of continuous monitoring.

In January, the General Services Administration, acting as the acquisition arm of DHS, awarded task orders worth a combined $60.4 million to four companies for products under the continuous diagnostics and mitigation (CDM) contract.

These initial deadlines kick off a summer of target dates around the CDM effort to improve governmentwide cybersecurity.

By April 30, agencies have to submit to OMB an analysis of human resources skill gaps and the names of those in charge of implementing this effort.

The personnel challenges continue to be among the hardest obstacles to overcome.

"There's a lot of human capital employed on these cybersecurity tasks throughout all these agencies, whether it's direct services provisions or if it's intellectual discussions that are brought to bear," said Peter Gouldmann, the State Department's director of information risk programs, at a luncheon panel sponsored by AFFIRM Thursday in Washington. "Sometimes it feels like we are on the leading edge, and industry has quite caught up with us. Other times it's the other way around. What I would look for would be a meaningful partnering engagement on the intellectual side of this problem and the creativity you speak of. Everybody is a collector of their experience and brings their broad experience to play, and we'd like to leverage a lot of that and force multiply that. It's not enough to have that handful of cybersecurity experts at an agency. We really need hundreds, and it's sometimes difficult to get them. We grow often within, but we'd like to ask a general call to our industry partners to focus on that human capital just like we are."

Dashboard award imminent

By March 31, the National Institute of Standards and Technology will publish guidance establishing a process and criteria for agencies to conduct ongoing assessments and authorizations (A&A) to replace the certification and accreditation process under the Federal Information Security Management Act (FISMA).

Two months later, agencies need to be deploying information security continuous monitoring for all systems and ensure all systems have an authority to operate before initiating the CDM processes.

So over the next three months, OMB, NIST and other agencies have a lot of preparation for the changeover.

Agencies are waiting for a second cyber contract award for the dashboard that will collect and display cyber health data.

Steve Viar, the director of FEDSIM in GSA's Federal Acquisition Service, said the task order under the Alliant small business governmentwide acquisition contract should be awarded in the next few weeks.

But even after GSA awards the contract, agencies still will have to come up with metrics for the dashboard.

Margie Graves, the deputy CIO at the Homeland Security Department, said the dashboard and agency surveys filled out months ago will help bring, for the first time, a unified view of cybersecurity.

"We're all going to be involved in designing the metrics that will go on that dashboard, and what we want to make sure we do as we walk through that development is to pick those things that will be more relevant to us in order for us to be able to take those actions," Graves said. "When we exchange those metrics and look across government, we are able to derive themes and conclusions. If you see a certain effect of an attack, being able to know what might be the root cause of that and being able to attack it from the root cause perspective."

Graves said an interagency working group is just beginning the metric development process.

Ahead of the pack

While agencies are preparing for the move to dynamic cybersecurity, State and DHS already have taken those initial steps.

State, for example, is widely seen as the model for the CDM concept.

Gouldmann said State will have to make some changes to its current dashboard setup, called iPost. He is unsure exactly what those changes will be because GSA hasn't awarded a contract yet and the metrics haven't been determined.

At the same time, however, he said State used a lot of custom coding and a lot of design, so using the standard set of vendors under the CDM contract will be beneficial to how the department secures its networks.