Agencies slow to move out on DHS cyber program, survey says

Wednesday - 8/13/2014, 5:08am EDT

Jared Serbu reports.

Download mp3

A year after the Department of Homeland Security formally launched its effort to move agencies toward a continuous diagnostic and mitigation approach to cybersecurity, things are off to a slow start. On the plus side, the agencies that have gotten the ball rolling already are seeing good results.

The findings come from a survey of federal IT professionals, senior managers and contractors by the non-profit SANS Institute.

In the online poll, conducted in April and May, nearly a third of respondents said their agency still was unfamiliar with DHS' continuous diagnostics and mitigation (CDM) program.

Another 27 percent said what they did know came from press accounts or SANS publications rather than DHS outreach or communication from higher-ups in their agencies. And fewer than 5 percent said their agency had started using the $6 billion blanket purchase agreement DHS issued last August to buy products and services to start implementing a CDM program.

In general, the authors concluded that while DHS had done a fair amount of outreach to educate agencies on the push toward CDM, it's been focused so far on senior officials such as chief information officers and chief information security officers, not the operational-level employees who will need to implement CDM.

"We're seeing two types of reactions," said Kenneth Durbin, who manages the continuous monitoring practice at Symantec, one of the companies that sponsored the survey. "One is where the headquarters CISO does a great job of communicating downstream and everyone defines CDM in the same way and everyone's working toward the same goal. But we're still coming across agencies where the CISO is the cheerleader, and when you go talk to the sub-agency, they say, ‘They haven't talked to us yet. We don't know what they're doing.' But I think things are trending in the right direction."

Low recognition of CDM by auditors

In particular, the survey found extremely low levels of awareness of and support for CDM from agency inspectors general.

The authors called that finding "extremely troubling," since a primary goal of the program is to move organizations away from the costly and inefficient paperwork exercise of auditing and certifying IT systems on an annual basis and migrate toward a system that automates the process of identifying security weaknesses and uses that information to make improvements on an ongoing basis. The current approach to agency compliance with security controls is predominantly overseen by IGs.

"For something that's as comprehensive as the CDM program, you have to have all parts of the ecosystem participating. It's not good enough to just buy tools. That's not the point of the program," said Tony Sager, the director of the SANS Innovation Center. "The point is to pull together the questions of what problems you're trying to solve, what are the technologies you need to solve that problem and how you build workflows and processes to create a feedback loop that actually creates better cybersecurity, and the role of inspectors general is a vital one in terms of highlighting problems and pointing out areas for improvement. So that's clearly an area that's going to need some attention as the program matures."

According to the survey, agencies also have some additional work to do before they can begin to make good decisions about how and where to begin deploying CDM.

To receive funding for the CDM program, DHS told agencies they first needed to develop a baseline assessment that identified their current cybersecurity posture and the highest-priority gaps that could be filled through the use of a CDM strategy.

But only 21 percent of respondents said their agencies had done a formal gap assessment. Another 36 percent pointed to "informal" reviews of their agencies' security gaps, but 44 percent said their agency had never done a comprehensive assessment of its cybersecurity weaknesses.

The agencies which have begun to move forward with CDM in a meaningful way, however, are reporting positive results. Almost three quarters of the respondents whose organizations are participating in the program said they had seen either better cybersecurity, lower IT procurement costs, or both.

But the rest said it was too early to know whether CDM had improved their agencies' ability to measure the strength of their network defenses. Sager said the high number of uncertain responses highlighted the need to get meaningful, continuous metrics for security so that agencies can make informed decisions that make ongoing improvements to their networks.

"This, again, speaks to the need to create that feedback loop. We're not doing these things just because they're good things to do. We want specific improvements," he said. "Some of this is a statement of the relative newness of the program, and it also helps us be aware that we need to put in place a measurement system that helps us put in place the right technologies that help us manage the problem."