DHS Blue Teams bear out agency compliance with cybersecurity rules

Monday - 7/16/2012, 5:25am EDT

Don Benack, program manager, cybersecurity assurance program, DHS


The Homeland Security Department is taking a deeper dive into each major agency's network security.

DHS is using four-person teams of experts, known as Blue Teams, to analyze how agencies are meeting the cybersecurity standards for the Trusted Internet Connections (TIC) initiative, said Don Benack, the program manager for DHS' cybersecurity assurance program.

"We started with the Blue Teams assessing controls established by DHS and OMB, and there was also some cross-agency participation in working groups to refine the capability statements," Benack said in an interview with Federal News Radio. "Our teams go into the field and look to validate those controls are in place. It's pretty straightforward. We look to see that technically the capability is in place, but we also look to see that policies and standard operating policies are in place, and we talk to the staff."

He said that starting in fiscal 2013, DHS' Blue Teams will perform similar assessments of how departments are implementing continuous monitoring, and two-factor authentication under Homeland Security Presidential Directive-12.

The use of Blue Teams is one prong of a two-pronged approach to improving cybersecurity governmentwide. DHS also is using Red Teams to hunt for weaknesses in agency networks.

The Red and Blue Teams are related, but more like cousins than siblings. The Red Teams try to find vulnerabilities in an agency's network. The customer agency invites them in and asks them to analyze specific systems or networks.

DHS is required by White House policy to assess agency compliance with TIC, and soon the other cyber initiatives as well.

Homeland Security's Blue Teams are four-person units that work with agency customers to find the best time to do a week-long review.

"It's really a validation capability focused on the tools and technologies, but also the people and processes. It's not enough to have the tool, but you have to know how to use the tool, maintain the tool and keep it running," Benack said.

DHS Blue Teams perform about 26 to 30 assessments annually, with a focus on the 18 agencies that are TIC Access Providers (TICAP), or major Internet access nodes.

Benack said the Blue Teams use the remaining, non-TICAP reviews to get a more complete view of how agencies are meeting the cyber standards.

All agencies get a report from the analysis highlighting which TIC capabilities they are meeting and which they are not. Benack said the report is not a risk-based assessment, so DHS doesn't recommend which non-compliant areas need to be addressed first.

In fact, he said, Red Teams can come in behind Blue Teams and give advice based on the risk to the agency's systems.

"They look at the capabilities the agencies have and marry that with the vulnerability information and threat information that they have and say, 'based on the capabilities you don't have, the vulnerabilities present on your network and the threat information we do have, here is how we prioritize closing these holes,'" he said.

Still, he said, the benefits of Blue Teams are clear.

"We've found over the years there is about a 33 percent margin of error between what we see when we are on the ground and what we get from agency self-reporting. It's not necessarily malicious," Benack said. "One of the things Blue Teams get to do when they are onsite with an agency is educate on the true intent and clarify the intent of some of the capabilities. The teams also give agencies insight and perspective and allow them to ask questions they may not have had an opportunity to ask or get a clear answer on. We are their captive audience for that week."

The Blue Team validates all data captured.

"It's actually pretty promising. It's an upward trend. Every year technical capabilities generally are trending in an upward trajectory for capability implementation," he said. "On the flip side, for reduction and consolidation the trend is downward, in a good way. There is more consolidation occurring. We are seeing more traffic being routed through TIC access points every time we get out."

Benack said comparing agency progress year-over-year is difficult because DHS ends up reviewing different Internet gateways each year, and one gateway can be more mature than another, so an agency's score can appear to drop. But when DHS looks at each individual TIC access point, it finds more security capabilities have been implemented.

"We've had great success with agencies we have engaged with and some of them are fairly large, and we have made definite differences there," he said. "But there's so much work to be done and so many agencies to engage with, that we are only scratching the surface. We can make a difference one system at a time."
