A new Homeland Security initiative will help federal, state and local government agencies purchase discounted wares to safeguard against IT vulnerabilities. Nevada CISO Chris Ipsen, for example, sees the potential of big savings in the program.
"We assume we're going to save money; we're also assuming that we're going to improve security by standardizing what we're deploying and measuring," Ipsen says. "And, most importantly, when the governor asks if we are more or less secure, I don't have to say 'I don't know,' because I'll have some visibility into the environment."
The DHS initiative is known as the Continuous Diagnostic and Mitigation program, or CDM. It will offer federal, state and local government agencies the ability to purchase discounted hardware, software and services to assess cybersecurity risk and present those risks in an automated and continuously updated dashboard - enhancing their ability to see and counteract day-to-day cyberthreats. DHS has not yet selected preferred vendors for the program.
DHS spokesman S.Y. Lee confirms reports that the initiative eventually could offer goods and services valued at $6 billion over five years, making it the federal government's biggest, unclassified cybersecurity program. The initiative's first contracts could be awarded later this year.
Allan Friedman, research director at the Brookings Institution Center for Technology Innovation, says the DHS initiative is very much needed.
"If the Department of State, with a much-lauded information assurance program, can be found to be poorly prepared by an inspector general, how can smaller organizations, with much less resources or focus on security, be expected to understand and address risk?" asks Friedman. A recent inspector general's report found that the State Department's Office of Information Assurance's lack of leadership creates confusion among departmental personnel on IT security requirements and guidance, which leaves the department's IT systems vulnerable [see: State Department Security Office 'Irrelevant'].
In a request for information aimed at providers to offer the hardware, software and services, the General Services Administration, acting as an agent for DHS, identified four tools to be incorporated into the program:
- Hardware asset management to foil attackers from exploiting unauthorized and unmanaged hardware by maintaining an inventory of hardware assets;
- Software asset management to avert attackers from exploiting unauthorized software;
- Configuration management to prevent attackers from exploiting weak configuration settings by defining an appropriate desired operational state for these settings and maintaining it in operation;
- Vulnerability management to foil attackers from exploiting vulnerabilities by using the National Vulnerability Database and other tools to find and remove such vulnerabilities.
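To make the four capability areas concrete, the following is an added example (not from the article, and not the CDM program's or any vendor's tooling) of the kind of reconciliation a continuous-diagnostics pass performs: observed hosts are compared against an authorized hardware inventory, an authorized software list, a configuration baseline and a vulnerability feed, and the mismatches are counted per area the way a dashboard would. All hostnames, MAC addresses, package names, versions and advisory identifiers are constructed sample data, and the `ObservedHost`, `assess` and `summarize` names are this example's own.

```python
from dataclasses import dataclass


@dataclass
class ObservedHost:
    """One device as reported by a (constructed) network/endpoint scan."""
    mac: str
    hostname: str
    software: dict  # package name -> installed version
    config: dict    # setting name -> observed value


def assess(authorized_hw, authorized_sw, baseline_cfg, known_vulns, observed):
    """Return a list of (capability, hostname, detail) findings for the four CDM areas."""
    findings = []
    for host in observed:
        # Hardware asset management: a device absent from the inventory is unmanaged.
        if host.mac not in authorized_hw:
            findings.append(("hardware", host.hostname, f"unmanaged device {host.mac}"))

        # Software asset management: packages outside the approved list.
        for name, version in host.software.items():
            if name not in authorized_sw:
                findings.append(("software", host.hostname,
                                 f"unauthorized software {name} {version}"))

        # Configuration management: drift from the desired operational state.
        # A setting that is missing from the scan (None) is treated as drift too.
        for setting, expected in baseline_cfg.items():
            actual = host.config.get(setting)
            if actual != expected:
                findings.append(("configuration", host.hostname,
                                 f"{setting}={actual!r}, expected {expected!r}"))

        # Vulnerability management: installed versions that match a vulnerability feed.
        for name, vuln_version, advisory in known_vulns:
            if host.software.get(name) == vuln_version:
                findings.append(("vulnerability", host.hostname,
                                 f"{name} {vuln_version} ({advisory})"))
    return findings


def summarize(findings):
    """Dashboard-style count of findings per capability area."""
    summary = {"hardware": 0, "software": 0, "configuration": 0, "vulnerability": 0}
    for capability, _, _ in findings:
        summary[capability] += 1
    return summary


# Constructed sample inventories, baseline and vulnerability feed (hypothetical values).
AUTHORIZED_HW = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
AUTHORIZED_SW = {"openssh", "browser", "office-suite"}
BASELINE_CFG = {"firewall_enabled": True, "auto_update": True, "ssh_password_auth": False}
KNOWN_VULNS = [
    ("openssh", "7.0", "ADVISORY-EXAMPLE-1"),       # placeholder advisory ids
    ("office-suite", "2.3", "ADVISORY-EXAMPLE-2"),
]

# Constructed scan results for three hosts.
OBSERVED = [
    ObservedHost("00:11:22:33:44:01", "ws-finance-01",
                 {"openssh": "9.0", "office-suite": "2.3"},
                 {"firewall_enabled": True, "auto_update": True, "ssh_password_auth": False}),
    ObservedHost("00:11:22:33:44:02", "srv-files-01",
                 {"openssh": "7.0", "remote-admin-tool": "1.0"},
                 {"firewall_enabled": True, "auto_update": False, "ssh_password_auth": True}),
    ObservedHost("de:ad:be:ef:00:01", "unknown-device",
                 {"browser": "110"},
                 {"firewall_enabled": False}),
]


def run_example():
    """Run the assessment over the constructed data; returns (findings, summary)."""
    findings = assess(AUTHORIZED_HW, AUTHORIZED_SW, BASELINE_CFG, KNOWN_VULNS, OBSERVED)
    return findings, summarize(findings)


if __name__ == "__main__":
    all_findings, counts = run_example()
    for capability, host, detail in all_findings:
        print(f"[{capability}] {host}: {detail}")
    print(counts)
```

The point of the structure is that each capability area reduces to a comparison between an authoritative record (inventory, approved list, baseline, feed) and observed state; the "continuous" part of CDM is simply re-running that comparison as scans arrive, so the summary counts move as devices are added, patched or reconfigured rather than being a point-in-time audit.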
Eventually, the initiative also will include offerings to manage network and physical access controls; credentials and authentication; account access; incident response; contingency planning; and overall operational control limits.
Larry Clinton, chief executive of the trade group Internet Security Alliance, says the program is critical, but wonders how smoothly DHS can implement it with the announced resignations of some high-profile department leaders, including Secretary Janet Napolitano and top cybersecurity policymaker, Acting Deputy Undersecretary for Cybersecurity Bruce McConnell [see: DHS's Napolitano Resigns and Another Senior Cybersecurity Leader to Exit DHS]. "This is a consistent pattern at DHS," Clinton says. "In the decade since the deputy undersecretary for cybersecurity was created, only three people have held the position, and all for very short periods. The position has been open more times than it's been filled."
Brookings' Friedman cautions government agencies not to rely just on the DHS offerings, but to include them as part of a greater information security program. "Security cannot be seen as a commodity to be bolted on to existing architectures," Friedman says. "Good security reflects the risks and capacities of an organization, which differ wildly by function and history."
Nevada's Ipsen says that's exactly what his state is doing. Nevada has established continuous monitoring and diagnostic policies for state agencies and is considering extending its program to state municipalities and counties. Turning to the federal government to acquire the necessary goods and services could help the state because DHS, through the CDM initiative, would have already vetted vendors and providers.
"I see it as a huge advantage because we can leverage that buy without any challenges whatsoever," he says.
That's not the case when Nevada works with other entities that can reduce procurement costs. For example, it must vet the offerings of the Multi-State Information Sharing and Analysis Center, which has programs to help local and state governments acquire needed tools, because it is operated by the not-for-profit Center for Internet Security rather than by a government agency.
"Just because they're funded through DHS, doesn't mean that we, as a state, can buy from them as if they were a governmental entity; they're not," he says.