Agencies figuring out how to take network vitals

Friday - 2/25/2011, 7:58am EST

WFED's Jason Miller

Click below to hear the report on the Federal Drive

Download mp3

By Jason Miller
Executive Editor
Federal News Radio

Agencies have about 18 months to put in place the capability to know the real-time security of their computer networks.

Similar to when patient visits a doctor and has their vital signs taken to assess their health, agency chief information officers and chief information security officers must install several different data collection tools that will make up the capability to continuously monitor their network infrastructure.

"Continuous monitoring is a philosophy about understanding your environment in a 24/7 construct," said Bobbie Stempfley, the director of the Homeland Security Department's National Cybersecurity Division after her speech at the FedScoop Cybersecurity conference in Washington Thursday. "Understanding how it is behaving, what it's configurations are and how it goes forward."

DHS, the Office of Management and Budget and the National Institute of Standards and Technology are providing an assortment of tools, and mandates for agencies to know the real health of their networks.

OMB directed in the fiscal 2012 IT budget passback that agencies must implement continuous monitoring capabilities by the end of 2012. Before moving to continuous monitoring, OMB also wants agencies to submit data to the cyberscope tool by Sept. 30.

To achieve both of these goals, Stempfley and other federal technology managers say there are several steps their counterparts must take.

Donna Dodson, NIST's computer security division chief, said the standards agency is working on several guidances. She said one would expand their security automation efforts beyond configurations of platforms and into network and applications. She said this will help move agencies toward continuous monitoring because CIOs could raise or lower security posture based on the threats they are seeing in real time.

"Those tools to support continuous monitoring, those security automation tools, we need them not just through the major platforms we are using, but we need those platforms to talk about to validated products that understand and talk the Secure Content Automation Protocols," Dodson said. "The end user doesn't have to know it's there. It needs to be in all the devices around the networks."

But before the SCAP protocols can be on all the devices, agencies must take the first step and know what's on their networks through asset management software collection tools.

Several agencies such as NASA and the State Department, are out in front of the curve to implement continuous monitoring and have implemented asset management software.

The Veterans Affairs Department last fall implemented a set of tools to give them visibility to their desktops.

Roger Baker, VA's assistant secretary for information and technology and CIO, said before the agency had this capacity it was way behind the private sector. Now VA has a better idea of its cybersecurity.

"Our visibility to desktop initiative is starting to give us that level of control," Baker said. "Our central network security and operations control center is giving us that level of control. I'd like to get to the point where we can implement black lists inside VA. Right now, my private sector compatriots are talking about moving to white lists, only allowing certain things to execute on their networks and nothing else can execute on their networks."

He added along with the asset management software, agencies need to implement two-factor authentication on all system administrator accounts.

"If you haven't done that, you don't own you networks," Baker said.

Along with VA, the Army is moving toward total asset visibility.

Mike Krieger, the Army's acting CIO, said the service can see about 70 percent of all hardware and software on its network.

"The hard part now that will take time is the implementation of the last phase of the architecture," Krieger said. "I directed we go to an XML database and move it into a secure data center, and let's find a robust enough cross-domain security solution. I'm going to put the database on the classified network and people on the unclassified network will have to feed it. I'm hoping we will do most of the continuous monitoring on the SIPRNET."

He added the Army is using three separate vendor products that all do different things to gain that visibility. The Army will achieve the final 30 percent view of its networks over the next year, Krieger said.

The last piece is using State' dashboard to show the health of the Army's network and help decision makers do their jobs.

"They are the first one to put on the street a really nice dashboard," Krieger said. "It's a dashboard effective for the user to do the continuous monitoring. That is the last part, how do you display this to you can make effective decisions."