$6 Billion DHS IT Security Plan Advances

Initiative Could Mean Big Savings for Fed, State, Local Agencies

July 30, 2013.

A new Homeland Security initiative will help federal, state and local government agencies purchase discounted wares to safeguard against IT vulnerabilities. Nevada CISO Chris Ipsen, for example, sees the potential of big savings in the program.

"We assume we're going to save money; we're also assuming that we're going to improve security by standardizing what we're deploying and measuring," Ipsen says. "And, most importantly, when the governor asks if we are more or less secure, I don't have to say 'I don't know,' because I'll have some visibility into the environment."


The DHS initiative is known as the Continuous Diagnostic and Mitigation program, or CDM. It will offer federal, state and local government agencies the ability to purchase discounted hardware, software and services to assess cybersecurity risk and present those risks in an automated and continuously updated dashboard - enhancing their ability to see and counteract day-to-day cyberthreats. DHS has not yet selected preferred vendors for the program.

DHS spokesman S.Y. Lee confirms reports that the initiative eventually could offer goods and services valued at $6 billion over five years, making it the federal government's biggest unclassified cybersecurity program. The initiative's first contracts could be awarded later this year.

Long-Needed Program

Allan Friedman, research director at the Brookings Institution Center for Technology Innovation, says the DHS initiative is very much needed.

"If the Department of State, with a much-lauded information assurance program, can be found to be poorly prepared by an inspector general, how can smaller organizations, with far fewer resources or less focus on security, be expected to understand and address risk?" asks Friedman. A recent inspector general's report found that a lack of leadership in the State Department's Office of Information Assurance creates confusion among departmental personnel about IT security requirements and guidance, leaving the department's IT systems vulnerable [see State Department Security Office 'Irrelevant'].

In a request for information aimed at providers to offer the hardware, software and services, the General Services Administration, acting as an agent for DHS, identified four tools to be incorporated into the program:

  1. Hardware asset management, to prevent attackers from exploiting unauthorized and unmanaged hardware by maintaining an inventory of hardware assets;
  2. Software asset management, to prevent attackers from exploiting unauthorized software;
  3. Configuration management, to prevent attackers from exploiting weak configuration settings by defining an appropriate desired operational state for those settings and maintaining it in operation;
  4. Vulnerability management, to prevent attackers from exploiting vulnerabilities by using the National Vulnerability Database and other tools to find and remove them.

Other Offerings

Eventually, the initiative also will include offerings to manage network and physical access controls; credentials and authentication; account access; incident response; contingency planning; and overall operational control limits.

Larry Clinton, chief executive of the trade group Internet Security Alliance, says the program is critical, but wonders how smoothly DHS can implement it given the announced resignations of some high-profile department leaders, including Secretary Janet Napolitano and the top cybersecurity policymaker, Acting Deputy Undersecretary for Cybersecurity Bruce McConnell [see DHS's Napolitano Resigns and Another Senior Cybersecurity Leader to Exit DHS]. "This is a consistent pattern at DHS," Clinton says. "In the decade since the deputy undersecretary for cybersecurity was created, only three people have held the position, and all for very short periods. The position has been open more times than it's been filled."

Brookings' Friedman cautions government agencies not to rely just on the DHS offerings, but to include them as part of a greater information security program. "Security cannot be seen as a commodity to be bolted on to existing architectures," Friedman says. "Good security reflects the risks and capacities of an organization, which differ wildly by function and history."

Providers Vetted

Follow Eric Chabrow on Twitter: @GovInfoSecurity
