OMB sets 2017 as deadline to move to dynamic cybersecurity
Tuesday - 11/19/2013, 4:30pm EST
The Office of Management and Budget is giving agencies the playbook to move to a dynamic, proactive cybersecurity environment after more than a decade of reacting to threats and vulnerabilities.
More than a year after making continuous diagnostics and mitigation (CDM) the new standard by which agencies should secure their systems, OMB issued a memo late Monday outlining specific deadlines they must meet to implement what many believe is a better approach to cybersecurity.
The Homeland Security Department, which is leading the operations effort, issued a new policy calling for agencies to move to CDM in June 2012. Since then, DHS and OMB have been putting the pieces in place for agencies to move to dynamic cybersecurity on a full-time basis.
"The requirement to manage information security risk on a continuous basis includes the requirement to monitor the security controls in federal information systems and the environments in which those systems operate on an ongoing basis, one of six steps in the National Institute of Standards and Technology (NIST) Risk Management Framework," wrote Sylvia Burwell, OMB director, in the memo to agency heads. "This allows agencies to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions."
3 years to full implementation
Burwell said agencies will undertake a phased approach to fully implement, by 2017, what OMB now calls information security continuous monitoring (ISCM) rather than continuous diagnostics and mitigation. Many expected OMB to issue this memo earlier in the fall, but Burwell pulled the memo back in late September to clarify which systems will be continuously monitored.
In the memo, agencies are required to develop an ISCM strategy by Feb. 28, addressing "all security controls selected and implemented by agencies, including the frequency of and degree of rigor associated with the monitoring process."
An OMB official, speaking on background in order to be more candid about the policy, said agencies should use the strategy to figure out the level of their maturity across programmatic, technical and management controls.
The official said the strategy also will help agencies determine which one of three approaches they will take to implement ISCM:
- Rely solely on internal capabilities
- Rely solely on DHS
- Partner with DHS
"The approach goes back to where each agency is technically and whether they possess the capabilities with regards to cyber," the official said. "As we thought about this, DHS provides services centrally and through standards across the government. It would be more cost efficient and helpful to agencies who may not have tools in house. Part of what agencies will realize as they complete the foundational survey is whether they will need to or how much they will need to work with DHS."
One cyber expert called the memo too process- and compliance-centric.
Robert Lentz, a former DoD official and now president of Cybersecurity Strategies, said in an email, "I strongly believe this focuses on the wrong priority. While this complicated mandate will force considerable resources to focus on 'hygiene' issues, the real problem is advanced persistent threats/Zero day vulnerabilities that will cause much more serious problems. Finally, the only way to address this hygiene/traditional approach is to achieve 'enterprise' procurement across the government to drive down costs."
DHS is trying to address the enterprise procurement issue. In August, as part of the build-up to ISCM, DHS awarded 17 vendors a spot on a $6 billion blanket-purchase agreement to provide CDM tools and services.
New details on the cyber RFQ
And just last week, DHS, through the General Services Administration which runs the BPA, issued the first task order for CDM tools.
The request for quote, obtained by Federal News Radio, shows DHS wants tools for 33 agencies that support hardware asset management, software asset management, configuration management and vulnerability management.
The RFQ also stated that the hardware and software asset management tools need to support functions such as knowledge fusion, application whitelisting, database scanning, Web application scanning and code review.
GSA and DHS say the tools and sensors will:
- Simplify the security authorization process by helping to automate both security assessments and authorization processes.
- Continuously monitor and report system security status to agencies' information security personnel.
- Provide specific details to help prioritize remediation efforts.
- Allow system owners, risk managers, authorizing officials, and other stakeholders to make better risk-management decisions.
- Report the security posture of monitored systems to the CyberScope application, thereby reducing the requirement for manual inputs.
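The four CDM capability areas named in the RFQ (hardware asset management, software asset management, configuration management and vulnerability management) all reduce to the same pattern: compare what a sensor observes against an authorized baseline, turn each deviation into a finding, and rank the findings so remediation can be prioritized and the posture rolled up for reporting. The script below is an added example written for this article; it is not code from any DHS, GSA or vendor CDM tool, and it goes beyond the text by showing all four checks driven by one inventory. Every host name, package, setting, and scan result in it is constructed sample data, and the vulnerability identifiers are placeholders rather than real advisories.

```python
"""Toy continuous-monitoring pass over an asset inventory.

Added example for illustration only; not part of the original article
and not any DHS/GSA/vendor CDM product. All baseline, inventory and
scan data below is constructed.
"""
from dataclasses import dataclass, field

# Constructed baseline of what the agency has authorized (hypothetical names).
AUTHORIZED_HOSTS = {"ws-0101", "ws-0102", "srv-db-01"}
AUTHORIZED_SOFTWARE = {"openssh 8.9", "postgresql 14.3", "chrome 119"}
REQUIRED_CONFIG = {"ssh_password_auth": "no", "auto_update": "on"}

# Constructed observed inventory, in the shape a discovery sensor might report.
INVENTORY = [
    {"host": "ws-0101", "software": ["openssh 8.9", "chrome 119"],
     "config": {"ssh_password_auth": "no", "auto_update": "on"}},
    {"host": "ws-0102", "software": ["openssh 8.9", "chrome 119", "filezilla 3.2"],
     "config": {"ssh_password_auth": "yes", "auto_update": "on"}},
    {"host": "lab-rogue-7", "software": ["openssh 7.4"],
     "config": {"ssh_password_auth": "yes", "auto_update": "off"}},
]

# Constructed vulnerability scan output: (host, placeholder id, CVSS score).
SCAN_RESULTS = [
    ("ws-0102", "VULN-PLACEHOLDER-1", 9.8),
    ("ws-0101", "VULN-PLACEHOLDER-2", 4.3),
]


@dataclass(order=True)
class Finding:
    priority: int                          # 1 = remediate first
    category: str = field(compare=False)   # hardware / software / configuration / vulnerability
    host: str = field(compare=False)
    detail: str = field(compare=False)


def check_hardware(inv):
    """HWAM: any observed host absent from the authorized baseline is a finding."""
    return [Finding(1, "hardware", h["host"], "unauthorized host on network")
            for h in inv if h["host"] not in AUTHORIZED_HOSTS]


def check_software(inv):
    """SWAM: packages outside the approved list (the whitelisting view)."""
    out = []
    for h in inv:
        for pkg in h["software"]:
            if pkg not in AUTHORIZED_SOFTWARE:
                out.append(Finding(2, "software", h["host"], f"unapproved package {pkg}"))
    return out


def check_config(inv):
    """CM: each required setting that deviates from its expected value."""
    out = []
    for h in inv:
        for key, want in REQUIRED_CONFIG.items():
            got = h["config"].get(key)
            if got != want:
                out.append(Finding(2, "configuration", h["host"],
                                   f"{key}={got}, expected {want}"))
    return out


def check_vulns(scan):
    """VUL: map CVSS score to a remediation priority, highest severity first."""
    out = []
    for host, vid, cvss in scan:
        prio = 1 if cvss >= 9.0 else 2 if cvss >= 7.0 else 3
        out.append(Finding(prio, "vulnerability", host, f"{vid} cvss={cvss}"))
    return out


def monitoring_pass(inv=INVENTORY, scan=SCAN_RESULTS):
    """One monitoring cycle: run all four checks and order findings by priority.

    sorted() is stable, so findings of equal priority keep check order."""
    findings = (check_hardware(inv) + check_software(inv)
                + check_config(inv) + check_vulns(scan))
    return sorted(findings)


def posture_summary(findings):
    """Counts per category: the roll-up an automated status feed would carry
    instead of hand-entered figures."""
    summary = {}
    for f in findings:
        summary[f.category] = summary.get(f.category, 0) + 1
    return summary


if __name__ == "__main__":
    results = monitoring_pass()
    for f in results:
        print(f"P{f.priority} {f.category:<14} {f.host:<12} {f.detail}")
    print(posture_summary(results))
```

Running it on the constructed data surfaces the unauthorized host and the critical vulnerability at priority 1, ahead of the configuration and software deviations; in a real deployment the baseline sets would come from the agency's authorization records and the inventory and scan inputs from the CDM sensors, with only the comparison and ranking logic kept.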