recommended reading

DHS to give agencies free computer threat-detection packages

Jeff Gentner/AP

The Homeland Security Department in 2013 expects to present each agency with what amounts to security-in-a-box for computers. The free, three-piece package will include near real-time threat sensors, a control panel for prioritizing fixes and consulting services to make all the pieces work together, DHS officials said.

Under the department’s proposal, $202 million in DHS funding would subsidize what Homeland Security calls ”continuous monitoring as a service” at all federal offices. Officials made the announcement at a briefing for federal employees and contractors on Monday.

Homeland Security anticipates obtaining bulk pricing by awarding three contracts to cover the tools, dashboard-style displays and services. The plan is for companies providing agencies with software and hardware access online, or in the “cloud,” to buy the bundle at the government rate or demonstrate that their own surveillance offers equivalent protection, officials said.

“If we could combine the government’s requirements” for computer security testing, “we think we could lower those costs substantially,” John Streufert, director of the Homeland Security National Cyber Security Division, told Nextgov at the presentation. Annually, the federal government spends about $6 billion on computer security.

Defense agencies on the dot-mil domain, military contractors and municipal governments also would be able to purchase off of the federal contract.

The current approach to continuous monitoring, which started in 2010, requires each agency to independently apply devices and software that track weaknesses. While better than the previous method -- after-the-fact manual inspections every three years -- the present process is too expensive for smaller agencies and too inconsistent governmentwide, officials said.

Under the new concept, DHS will deploy, across the dot-gov network, sensors that check for between 60 and 80 billion vulnerabilities at least every 72 hours, according to presentation documents. The department also will install a diagnostic dashboard for each agency, providing customized reports alerting managers to severe risks that require immediate attention.

”Agencies will use the DHS-provided cyber dashboard to display the most serious cyber problems they need to fix each day,” the documents state. “These combined strategies will unify and modernize the methods of conducting continuous monitoring across all networks and [commercial] software of dot-gov organizations no matter how they are implemented.”

Agencies will be responsible for checking non-commercial software, according to the documents. Departments already owning continuous monitoring systems do not have to scrap them, but rather can replace them with the new service as contracts expire, DHS officials said.

A sample dashboard provided to vendors showed a single risk-level grade for one agency site – an “A+” in this instance -- and an itemized list of 11 security factors that contributed to that letter grade. Those 11 standard components include patches not applied, outdated anti-virus programs, unapproved operating systems and cybersecurity awareness training. Each factor is accompanied by a score of 0-400+, where a rating of less than 40 receives an “A+,” while a rating of at least 400 gets an “F- .”

Here’s how those numbers are calculated: Each time an agency neglects to apply a patch to fix a low-risk bug, the agency earns 3 points, and each time it misses a patch for a critical threat, the agency receives 10 such demerits. If anti-virus software has not been updated in more than six days, the agency is assessed 6 points per day overdue. The discovery of an unapproved operating system on the network racks up 100 points, with 100 additional points per month thereafter. Agencies that fail to retrain employees every year earn 1 demerit per day beyond the expiration date, up to a maximum of 90 points.

The State Department proved successful in adopting this method, Homeland Security officials said. During a one-year period, the department eliminated 89 percent of risks to personal computers and servers it monitored using the approach.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.