The Department of Homeland Security (DHS) has been taking significant steps in recent weeks toward evolving the federal network security framework. After unveiling a new initiative set to bring continuous monitoring capabilities to more agencies, DHS officials have announced a two-pronged cybersecurity assessment strategy that will track policy compliance and test defensive capabilities within key government offices.
Adapting FISMA for modern threats
The Federal Information Security Management Act (FISMA) serves as the cornerstone of the U.S. government's cybersecurity stance, but several important developments have changed the threat landscape since the legislation was passed a decade ago. Security experts are particularly concerned by the fact that the law only calls for agencies to conduct comprehensive reviews of their systems, on average, once every three years.
To bridge the gap between FISMA's baseline intentions and today's cybersecurity realities, the DHS has taken the lead on expanding continuous monitoring capabilities across the public sector. According to GovInfoSecurity, project coordinators will distribute advanced sensors to "civilian, non-intelligence agencies in the federal government" to help generate between 60 billion and 80 billion automated vulnerability and configuration integrity checks every one to three days.
Coming off a year in which government officials responded to more than 106,000 separate cybersecurity attacks, this move is expected to significantly narrow the exploitation window available to hackers. This kind of situational awareness will also be a key component of expectations outlined in the Trusted Internet Connection (TIC) initiative intended to optimize and standardize external network connections used by federal agencies.
Alongside two-factor authentication, continuous monitoring has been tapped as a way to evolve Homeland Security Presidential Directive 12. Initially authored in August 2004, this mandate calls for the establishment of a common identification standard for all federal employees and contractors.
Assessing agency progress
Now that the task of outlining expectations has been completed, DHS officials will shift focus to ensuring policy translates into practice. In a recent interview with FederalNewsRadio, DHS cybersecurity assurance program manager Don Benack suggested he will be following a two-pronged strategy. Agency assessments will begin with the deployment of a "blue team," a four-person group of compliance experts observing if and how TIC cybersecurity requirements are being satisfied.
"We started with the blue teams assessing controls established by DHS and [the Office of Management and Budget], and there was also some cross agency participation in working groups to refine the capability statement," Benack explained. "Our teams go into the field and look to validate those controls are in place. It's pretty straightforward. We look to see that technically the capability is in place, but we also look for [what] policies and standard operation policies are in place and we talk to the staff."
Approximately 30 of these assessments will be conducted annually, according to Benack, with a primary focus on the 18 core agencies that serve as TIC Access Providers. Upon completion, agencies will receive a comprehensive report detailing what capabilities they are meeting and missing. DHS officials will outline possible risk factors, but how they are addressed – and in what order – is up to the agency.
The second prong of the DHS strategy is the deployment of "red teams" intent on proactively testing functional capabilities by hunting for network and data protection vulnerabilities. Agencies can invite red teams to conduct everything from network scanning and database testing to homegrown social engineering attacks meant to test employee awareness.
The red team's role is crucial, according to Benack, considering he has observed an approximate 33 percent margin of error between self-reported risks and the vulnerabilities that are ultimately uncovered.
Security News from SimplySecurity.com by Trend Micro