
DHS to give agencies free computer threat-detection packages

Jeff Gentner/AP

The Homeland Security Department in 2013 expects to present each agency with what amounts to security-in-a-box for computers. The free, three-piece package will include near real-time threat sensors, a control panel for prioritizing fixes and consulting services to make all the pieces work together, DHS officials said.

Under the department’s proposal, $202 million in DHS funding would subsidize what Homeland Security calls “continuous monitoring as a service” at all federal offices. Officials made the announcement at a briefing for federal employees and contractors on Monday.

Homeland Security anticipates obtaining bulk pricing by awarding three contracts to cover the tools, dashboard-style displays and services. The plan is for companies providing agencies with software and hardware access online, or in the “cloud,” to buy the bundle at the government rate or demonstrate that their own surveillance offers equivalent protection, officials said.

“If we could combine the government’s requirements” for computer security testing, “we think we could lower those costs substantially,” John Streufert, director of the Homeland Security National Cyber Security Division, told Nextgov at the presentation. Annually, the federal government spends about $6 billion on computer security.

Defense agencies on the dot-mil domain, military contractors and municipal governments also would be able to purchase off of the federal contract.

The current approach to continuous monitoring, which started in 2010, requires each agency to independently apply devices and software that track weaknesses. While better than the previous method -- after-the-fact manual inspections every three years -- the present process is too expensive for smaller agencies and too inconsistent governmentwide, officials said.

Under the new concept, DHS will deploy, across the dot-gov network, sensors that check for between 60 and 80 billion vulnerabilities at least every 72 hours, according to presentation documents. The department also will install a diagnostic dashboard for each agency, providing customized reports alerting managers to severe risks that require immediate attention.

“Agencies will use the DHS-provided cyber dashboard to display the most serious cyber problems they need to fix each day,” the documents state. “These combined strategies will unify and modernize the methods of conducting continuous monitoring across all networks and [commercial] software of dot-gov organizations no matter how they are implemented.”

Agencies will be responsible for checking non-commercial software, according to the documents. Departments already owning continuous monitoring systems do not have to scrap them, but rather can replace them with the new service as contracts expire, DHS officials said.

A sample dashboard provided to vendors showed a single risk-level grade for one agency site -- an “A+” in this instance -- and an itemized list of 11 security factors that contributed to that letter grade. Those 11 standard components include patches not applied, outdated anti-virus programs, unapproved operating systems and cybersecurity awareness training. Each factor is accompanied by a score of 0-400+, where a rating of less than 40 receives an “A+,” while a rating of at least 400 gets an “F-.”

Here’s how those numbers are calculated: Each time an agency neglects to apply a patch to fix a low-risk bug, the agency earns 3 points, and each time it misses a patch for a critical threat, the agency receives 10 such demerits. If anti-virus software has not been updated in more than six days, the agency is assessed 6 points per day overdue. The discovery of an unapproved operating system on the network racks up 100 points, with 100 additional points per month thereafter. Agencies that fail to retrain employees every year earn 1 demerit per day beyond the expiration date, up to a maximum of 90 points.
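The demerit rules above can be expressed as a short scoring routine. The sketch below is an added illustration, not code from DHS or the dashboard vendor materials; the `SiteFindings` container, the per-host and per-employee input lists, the reading of "overdue" as starting on day seven, and the 30-day month are all assumptions, and only the two grade bands the article states are mapped to letters.

```python
from dataclasses import dataclass, field

# Point values quoted in the article.
LOW_PATCH, CRITICAL_PATCH = 3, 10
AV_GRACE_DAYS, AV_PER_DAY = 6, 6
ROGUE_OS_BASE, ROGUE_OS_PER_MONTH = 100, 100
TRAINING_PER_DAY, TRAINING_CAP = 1, 90

@dataclass
class SiteFindings:  # hypothetical container for one site's scan results
    missed_low_patches: int = 0
    missed_critical_patches: int = 0
    av_age_days: list = field(default_factory=list)    # days since last AV update, per host
    rogue_os_days: list = field(default_factory=list)  # days since each unapproved OS was found
    training_overdue_days: list = field(default_factory=list)  # days past expiry, per employee

def av_points(age_days):
    # Assumption: "overdue" starts counting on day seven.
    return max(0, age_days - AV_GRACE_DAYS) * AV_PER_DAY

def rogue_os_points(days_since_found, month_days=30):
    # Assumption: a "month thereafter" is a completed 30-day period.
    return ROGUE_OS_BASE + ROGUE_OS_PER_MONTH * (days_since_found // month_days)

def training_points(days_overdue):
    # One demerit per day past expiry, capped at 90.
    return min(max(0, days_overdue) * TRAINING_PER_DAY, TRAINING_CAP)

def factor_scores(f):
    return {
        "patches": f.missed_low_patches * LOW_PATCH
                   + f.missed_critical_patches * CRITICAL_PATCH,
        "anti_virus": sum(av_points(d) for d in f.av_age_days),
        "unapproved_os": sum(rogue_os_points(d) for d in f.rogue_os_days),
        "training": sum(training_points(d) for d in f.training_overdue_days),
    }

def letter(rating):
    # Only the two end bands are given in the article; the rest stay unknown.
    if rating < 40:
        return "A+"
    if rating >= 400:
        return "F-"
    return None

if __name__ == "__main__":
    sample = SiteFindings(4, 2, [3, 6, 10], [45], [0, 30, 200])  # constructed data
    for name, score in factor_scores(sample).items():
        print(f"{name:14} {score:4} {letter(score) or 'band not given'}")
```
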

The State Department proved successful in adopting this method, Homeland Security officials said. During a one-year period, the department eliminated 89 percent of risks to personal computers and servers it monitored using the approach.
