Research Report

Support, Signatures and Policies Will Matter

As the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program continues to roll out, factors not directly tied to the program itself could still have a large effect on how widely it is adopted and how effective it eventually becomes. Those include executive support, detection that goes beyond attack signatures, and policy revisions.

Executive support: After the 2015 revelation of the systems breach at the Office of Personnel Management (OPM) and the potential compromise of millions of government employee records, the Obama Administration launched a 30-day “Cybersecurity Sprint.” It was intended to force federal agencies to take immediate steps to improve security, including patching critical vulnerabilities and tightening authentication and privileged-access practices.

It seemed to work. In one dramatic measure, the number of known critical vulnerabilities in federal systems dropped from 363 to just three in just a few months. A big reason for that was public support from a number of senior executives, says Ken Ammon, a senior advisor with CA Technologies. Not every agency shared the same commitment to the Cybersecurity Sprint, he says, but those that did had that kind of support.

“Problems that before would have taken months to solve ended up being dealt with in hours,” says Ammon. “As Stage 2 of CDM rolls out, those organizations that want to be successful with it will find they’ll have to have that same level of executive backing.”

Beyond signatures: One major problem looming for the CDM program, and one that has also afflicted the DHS EINSTEIN intrusion detection/prevention program, is that the available incident and intrusion detection tools have relied only on known attack signatures. Signature matching can only flag activity that looks like something seen before, so it is ineffective against novel or stealthy attacks such as Advanced Persistent Threats (APTs), whose custom tooling has no signature yet.

DHS is moving to address that by adding so-called reputation-based tools to these programs. In February, DHS said it is piloting reputation scoring as part of EINSTEIN. Rather than matching content against a known pattern, reputation scoring rates an indicator (a domain, address or file) on what is known about its history and associations, which is why it can prioritize threats by their likely severity and surface potential new threats for which no signature exists.

That kind of capability will also be added to the tools available under the CDM program, which will eventually be integrated with EINSTEIN. The agency and federal dashboards that will be installed as part of the CDM program will also provide data that can be used for reputation scoring and emerging threat detection.
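The contrast between signature matching and reputation scoring described above, as an added illustration that is not part of the original report and does not reflect how EINSTEIN or the CDM tools are actually built. It runs both approaches over a handful of constructed outbound-connection log lines: a known command-injection string is caught by a signature, while a previously unseen domain contacted at clockwork intervals has no signature to match but is ranked first once an assumed reputation feed and a simple beaconing heuristic are combined. The log format, the reputation feed, the default score for unknown domains and the weights are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import pstdev
from urllib.parse import unquote

# Constructed sample log (not real traffic). One novel beaconing domain,
# one known-bad request string, and ordinary traffic to a well-known CDN.
SAMPLE_LOG = """\
2016-03-01T10:00:00Z src=10.1.4.22 dst=203.0.113.10 dom=cdn.example.net uri=/static/app.js bytes=4096
2016-03-01T10:00:05Z src=10.1.4.22 dst=198.51.100.7 dom=update.exmaple-corp.biz uri=/c?id=1 bytes=512
2016-03-01T10:05:05Z src=10.1.4.22 dst=198.51.100.7 dom=update.exmaple-corp.biz uri=/c?id=2 bytes=530
2016-03-01T10:10:05Z src=10.1.4.22 dst=198.51.100.7 dom=update.exmaple-corp.biz uri=/c?id=3 bytes=498
2016-03-01T10:11:00Z src=10.1.4.30 dst=192.0.2.55 dom=files.example.org uri=/cgi-bin/x.cgi?cmd=%3Bcat%20/etc/passwd bytes=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dom=(?P<dom>\S+) "
    r"uri=(?P<uri>\S+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    dom: str
    uri: str  # URL-decoded so signatures see the real payload
    nbytes: int


def parse_log(text):
    """Parse the assumed key=value log format; skip lines that do not fit."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            src=m["src"], dst=m["dst"], dom=m["dom"],
            uri=unquote(m["uri"]), nbytes=int(m["bytes"]),
        ))
    return events


# Signature approach: fixed patterns for attacks already seen in the wild.
SIGNATURES = {
    "cmd-injection-passwd": re.compile(r";\s*cat\s+/etc/passwd"),
    "path-traversal": re.compile(r"\.\./\.\./"),
}


def signature_hits(events, signatures=SIGNATURES):
    """Return (signature name, domain) for every event matching a known pattern."""
    return [(name, ev.dom) for ev in events
            for name, rx in signatures.items() if rx.search(ev.uri)]


# Reputation approach: score destinations on what is known about them plus
# behaviour, so a never-before-seen destination is not silently trusted.
REPUTATION_FEED = {"cdn.example.net": 0.95, "files.example.org": 0.90}  # assumed
UNKNOWN_REPUTATION = 0.30  # assumption: unknown domains start with low trust


def beaconing_score(timestamps):
    """Near 1.0 when a host contacts a destination at regular intervals (>= 3 contacts)."""
    if len(timestamps) < 3:
        return 0.0
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return 0.0
    coeff_var = pstdev(gaps) / mean  # 0 for perfectly periodic traffic
    return max(0.0, 1.0 - coeff_var)


def reputation_scores(events, feed=REPUTATION_FEED):
    """Severity per destination domain: 60% (1 - reputation), 40% beaconing regularity."""
    contacts = defaultdict(list)
    for ev in events:
        contacts[(ev.src, ev.dom)].append(ev.ts)
    scores = {}
    for (_src, dom), stamps in contacts.items():
        rep = feed.get(dom, UNKNOWN_REPUTATION)
        severity = 0.6 * (1.0 - rep) + 0.4 * beaconing_score(stamps)
        scores[dom] = max(scores.get(dom, 0.0), round(severity, 3))
    return scores


def prioritize(events, feed=REPUTATION_FEED):
    """Domains ordered by likely severity, highest first."""
    return sorted(reputation_scores(events, feed).items(),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("signature hits:", signature_hits(evs))
    print("reputation ranking:", prioritize(evs))
```

Run as a script, the signature pass reports only the command-injection request to files.example.org, while the reputation ranking puts update.exmaple-corp.biz first: it is absent from the assumed feed and is contacted every five minutes, which is exactly the kind of activity a signature-only tool never sees. The weights and the default for unknown domains are the tunable, and contestable, part; too low a default floods analysts with every new legitimate SaaS domain, too high reproduces the blind spot.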

Circular A-130: The Office of Management and Budget (OMB) has proposed a revision to the federal government’s Circular A-130, the central governing document for policies affecting federal information resource management. The revision is meant to catch up with changes in IT since the circular was last revised in 2000.

One central motivation of the revision is that “the federal workforce managing IT must have the flexibility to address known and emerging threats while implementing continuous improvements,” according to the OMB.

Revision proposals include the need to “implement a risk management framework to guide and inform the categorization of Federal information and information systems; the selection, implementation, and assessment of security and privacy controls; the authorization of information systems and common controls; and the continuous monitoring of information systems and environments of operation.”

Other parts of the OMB’s suggested revisions, which also fit the goals of the CDM program, stress risk management as a central plank of government IT security. The larger goal of current government IT security improvements is to replace the “bolted-on” approach of the past with a more expansive, dynamic, risk-oriented approach, and that shift is also something the CDM program is intended to support.