Continuous monitoring program would draw $200 million from Homeland Security’s 2013 budget.
The Homeland Security Department in 2013 expects to present each agency with what amounts to security-in-a-box for computers. The free, three-piece package will include near real-time threat sensors, a control panel for prioritizing fixes and consulting services to make all the pieces work together, DHS officials said.
Under the department’s proposal, $202 million in DHS funding would subsidize what Homeland Security calls “continuous monitoring as a service” at all federal offices. Officials made the announcement at a briefing for federal employees and contractors on Monday.
Homeland Security anticipates obtaining bulk pricing by awarding three contracts to cover the tools, dashboard-style displays and services. The plan is for companies providing agencies with software and hardware access online, or in the “cloud,” to buy the bundle at the government rate or demonstrate that their own surveillance offers equivalent protection, officials said.
“If we could combine the government’s requirements” for computer security testing, “we think we could lower those costs substantially,” John Streufert, director of the Homeland Security National Cyber Security Division, told Nextgov at the presentation. Annually, the federal government spends about $6 billion on computer security.
Defense agencies on the dot-mil domain, military contractors and municipal governments also would be able to purchase off of the federal contract.
The current approach to continuous monitoring, which started in 2010, requires each agency to independently apply devices and software that track weaknesses. While better than the previous method -- after-the-fact manual inspections every three years -- the present process is too expensive for smaller agencies and too inconsistent governmentwide, officials said.
Under the new concept, DHS will deploy, across the dot-gov network, sensors that check for between 60 and 80 billion vulnerabilities at least every 72 hours, according to presentation documents. The department also will install a diagnostic dashboard for each agency, providing customized reports alerting managers to severe risks that require immediate attention.
“Agencies will use the DHS-provided cyber dashboard to display the most serious cyber problems they need to fix each day,” the documents state. “These combined strategies will unify and modernize the methods of conducting continuous monitoring across all networks and [commercial] software of dot-gov organizations no matter how they are implemented.”
Agencies will be responsible for checking non-commercial software, according to the documents. Departments already owning continuous monitoring systems do not have to scrap them, but rather can replace them with the new service as contracts expire, DHS officials said.
A sample dashboard provided to vendors showed a single risk-level grade for one agency site -- an “A+” in this instance -- and an itemized list of 11 security factors that contributed to that letter grade. Those 11 standard components include patches not applied, outdated anti-virus programs, unapproved operating systems and cybersecurity awareness training. Each factor is accompanied by a score of 0 to 400+, where a rating of less than 40 receives an “A+,” while a rating of at least 400 gets an “F-.”
Here’s how those numbers are calculated: Each time an agency neglects to apply a patch to fix a low-risk bug, the agency earns 3 points, and each time it misses a patch for a critical threat, the agency receives 10 such demerits. If anti-virus software has not been updated in more than six days, the agency is assessed 6 points per day overdue. The discovery of an unapproved operating system on the network racks up 100 points, with 100 additional points per month thereafter. Agencies that fail to retrain employees every year earn 1 demerit per day beyond the expiration date, up to a maximum of 90 points.
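To make the scoring rules concrete, here is a small Python model of them. It is an added illustration, not code from the article, DHS or the State Department program, and it rests on some assumptions: the input shape (`SiteFindings`) is hypothetical; the anti-virus rule is read as charging 6 points for each day beyond a six-day grace period; the unapproved-OS rule is read as 100 points on discovery plus 100 per full month the system stays on the network; and only the two grade anchors the article gives (below 40 is “A+”, 400 or more is “F-”) are mapped, since the intermediate bands are not published here. The breakdown function mirrors the dashboard's itemized list by ranking the factors that drive the score.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input record (hypothetical, not DHS's data format): one site's
# current findings, expressed as counts and ages.
@dataclass
class SiteFindings:
    low_patches_missing: int = 0          # low-risk patches not yet applied
    critical_patches_missing: int = 0     # critical patches not yet applied
    days_since_av_update: int = 0         # age of anti-virus signatures
    unapproved_os_months: List[int] = field(default_factory=list)  # per host: months since discovery
    days_past_training_expiry: int = 0    # days since annual awareness training lapsed

AV_GRACE_DAYS = 6           # article: penalised once updates are "more than six days" old (assumption: grace period)
TRAINING_CAP = 90           # article: demerits capped at 90 points


def score_patches(low: int, critical: int) -> int:
    """3 points per missing low-risk patch, 10 per missing critical patch."""
    return 3 * low + 10 * critical


def score_antivirus(days_since_update: int) -> int:
    """6 points per day the signatures are overdue beyond the grace period (assumption)."""
    overdue_days = max(0, days_since_update - AV_GRACE_DAYS)
    return 6 * overdue_days


def score_unapproved_os(months_present: List[int]) -> int:
    """100 points per unapproved OS on discovery, plus 100 per month it remains."""
    return sum(100 + 100 * max(0, months) for months in months_present)


def score_training(days_past_expiry: int) -> int:
    """1 point per day past the annual retraining date, capped at 90."""
    return min(TRAINING_CAP, max(0, days_past_expiry))


def breakdown(f: SiteFindings) -> Dict[str, int]:
    """Per-factor points, ordered highest first, as a dashboard would list them."""
    parts = {
        "patches": score_patches(f.low_patches_missing, f.critical_patches_missing),
        "antivirus": score_antivirus(f.days_since_av_update),
        "unapproved_os": score_unapproved_os(f.unapproved_os_months),
        "training": score_training(f.days_past_training_expiry),
    }
    return dict(sorted(parts.items(), key=lambda kv: kv[1], reverse=True))


def risk_score(f: SiteFindings) -> int:
    return sum(breakdown(f).values())


def letter_grade(score: int) -> Optional[str]:
    """Only the two anchors the article publishes; None where the band is unknown."""
    if score < 40:
        return "A+"
    if score >= 400:
        return "F-"
    return None  # intermediate bands are not given in the article


if __name__ == "__main__":
    # Constructed sample: a site that let one unapproved host linger for two months.
    site = SiteFindings(low_patches_missing=3, critical_patches_missing=1,
                        days_since_av_update=8, unapproved_os_months=[2],
                        days_past_training_expiry=120)
    for factor, pts in breakdown(site).items():
        print(f"{factor:14s} {pts:4d}")
    print("total", risk_score(site), "grade", letter_grade(risk_score(site)))
```

Note how the caps and the per-month escalation shape priorities: the lapsed training saturates at 90 and stops growing, while a single unapproved host keeps adding 100 points a month, so it climbs to the top of the list even when the patch backlog looks larger by count.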
The State Department proved successful in adopting this method, Homeland Security officials said. During a one-year period, the department eliminated 89 percent of risks to personal computers and servers it monitored using the approach.