When federal agencies first began to make cybersecurity a priority, many adopted a “castle and moat” approach, notes Rod Turk, CISO at the Commerce Department. Even if there were weaker defenses inside, a strong perimeter defense would keep an enterprise safe.
Today though, Turk said, agencies need to know about vulnerabilities that could allow adversaries to penetrate their defenses by going underneath the metaphorical wall. Further, Commerce is not solely focused on understanding and defending its networks and architecture, but also on segmenting that architecture to reduce threats, Turk explained.
And a major piece of how Commerce is approaching cybersecurity is its use of the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, which will allow the Commerce Department to get a better sense of the threats headed its way.
Understanding and Segmenting Cybersecurity Architecture
When it comes to cybersecurity, Turk repeatedly stressed the importance of understanding the IT architecture and systems that an agency has in place. “You’ve got to know your architecture in the cybersecurity world,” he said. “You’ve got to know that you’ve got a hole underneath the wall. You have to understand how that hole could transpire into something that could be a vulnerability for you in your architecture.”
Continuing with the castle metaphor, he noted that many castles had a “keep” where the crown jewels were kept. So it must be within agencies, he said.
“That’s a metaphor for segmenting your architecture, protecting the things that you deem to be important and protecting them in a special way,” whether it is through encryption or a segmented architecture, in which different databases and networks are kept apart from one another.
“So the whole metaphor of the castle in the old days has actually transformed into something new,” Turk said. “There’s architectural things you have to consider within your cybersecurity to make sure that you’re secure.”
Recently, Turk said the crown jewels at Commerce in terms of data are personally identifiable information from the U.S. Census Bureau and the Patent and Trademark Office.
Turk said agencies need to be thinking about encrypting their databases where necessary, segmenting the information and having role-based access. With role-based access protocols, only those individuals who need to obtain the original data have access.
Additionally, he said, if agencies want to provide the data in the public, they can replicate the data, perhaps through virtualization, within a “demilitarized zone,” or DMZ. Similar to military DMZs, Turk explained, a DMZ in cybersecurity is a separate area in which agencies may want to post data that is available to the public but also may be exposed to greater level of vulnerabilities.
The data in the DMZ would not be the database of record — the central and original source of the data, Turk said. Agencies can then update the data in the DMZ for public use and consumption. However, if that data is then hacked or compromised, agencies can “just remove the data from the DMZ and just reload from the database of record. So what you’ve really done is you’ve segmented the database of record from the data that’s available to the public, that may be more exposed to issues.”
The Commerce Department is using a combination of those tools, depending on the bureau. Three core tenets of cybersecurity are data confidentiality, availability and integrity.
“Most times, we think of the confidentiality aspect,” Turk said. “But you also have to make sure that you have data available, not only to the people who need to work on the data but also to the greater public, because the public in many cases has the right to have access to the data that’s in the public domain.”
Commerce Embraces CDM
Turk and Commerce have wholeheartedly embraced DHS’ CDM program, a five-year, $6 billion effort to give civilian agencies the tools and services required to monitor their IT systems and then respond almost instantaneously to vulnerabilities.
CDM identifies cybersecurity risks on an ongoing basis, then prioritizes those risks based upon how severe they might be, in an effort to let cybersecurity personnel mitigate the most significant problems first.
The first phase of CDM focused on securing endpoints, managing hardware and software assets, as well as configuration management and vulnerability management. The second phase will focus on access control management; security-related behavior; and managing credentials, authentication and privileges.
Commerce is hosting its version of the CDM program at the National Institute of Standards and Technology, one of its components. Turk said Commerce is working to create a high-rated FIPS 199 environment, because data from one of its bureaus (which he declined to name) is highly sensitive, “so we want make sure that data being held in a CDM program is on a high-rated system.”
As Commerce develops its Information Security Continuous Monitoring program, of which CDM is the centerpiece, Turk said the department intends to feed information it gets out of the CDM program into its Enterprise Security Operations Center.
That will provide Commerce with data on its hardware, asset management, software asset management and vulnerability management that can then be provided to its bureaus. The bureaus will have access to the data as well.
“It’s not as though it will be a ‘gotcha’ or a surprise to them,” Turk said. “But they will also be able to see whether or not they have a vulnerability that needs to be remediated.”
Additionally, Commerce will also be able to detect whether the agency has software or hardware that is unknown to them.
“And that’s vitally important in mind, because you can’t do cybersecurity unless you know what software and hardware you have,” he said.
For more on federal cybersecurity, visit fedtechmag.com/security.
This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.