How DHS Protects Federal Networks by Breaking into Them

Nearly 31,000 cybersecurity incidents hit the federal government in fiscal year 2016, according to the annual Federal Information Security Modernization Act report. The Department of Homeland Security wants to help agencies protect against those attacks by breaking into their networks.

DHS’s National Cybersecurity Assessments and Technical Services team (NCATS) has been building up its capabilities to help agency CIOs and CISOs assess their cybersecurityvulnerabilities. NCATS does this in part by conducting vulnerability testing and probing agencies’ networks for weaknesses.

NCATS, inside DHS’s National Cybersecurity and Communications Integration Center (NCCIC), has expanded its mission beyond protecting federal IT networks and systems. It also will conduct assessments of the nation’s critical infrastructure and operational technology (OT).

NCATS is being streamlined and is also looking to ramp up its cybersecurity assessments at agencies, according to a detailed report on the team in Federal News Radio. The goal is to help agencies better protect their high-value assets, or HVAs. The White House’s final report on IT modernization specifically notes that in 2018 and beyond, agencies must focus on protecting HVAs, and “prioritize modernization of legacy IT by focusing on enhancement of security and privacy controls for those assets that are essential for federal agencies to serve the American people and whose security posture is most vulnerable.”

Rob Karas, the director of the NCATS team, tells Federal News Radio about the changes the team is undergoing: 

“If there were three different groups doing assessments, now they are realigned under NCATS. We are no longer just doing the risk and vulnerability assessments and cyber hygiene now. We are getting the industrial control systems, which do the design and architecture reviews, the Network Architecture Verification and Validation (NAVV) review and Industrial Control Systems-Computer Emergency Readiness Team (ICS-CERT) Cyber Security Evaluation Tool (CSET) assessments. We will be able to take them and integrate what they have built with what we have built and have a better product for our customers and stakeholders.”

NCATS Assess Feds’ Cybersecurity Vulnerabilities

According to the DHS, NCATS leverages existing “best in breed” cybersecurity assessment methodologies, commercial best practices and integration of threat intelligence to give CIOs, CISOs and their staffs decision-making and risk management guidance and recommendations.

“NCATS provides an objective third-party perspective on the current cybersecurity posture of the stakeholder’s unclassified operational/business networks,” the agency notes. “NCATS security services are available at no cost to stakeholders and can range from one day to two weeks depending on the security services required.”

Despite having such an important job, NCATS is not a flashy outfit. As Federal News Radio reports, the team operates out of a nondescript building in Arlington, Va., just outside of the nation’s capital.

Karas tells Federal News Radio that the group has 615 federal, local and state government, and private-sector customers who receive reports on critical, high, medium and low vulnerabilities and how to address them. NCATS conducts 38 million scans of internet addresses daily, according to Karas.

The NCATS team is a mixture of ages and only in October 2017 had its first all-hands meeting in Arlington with about 50 employees from around the country.

NCATS was on pace to perform 30 federal agency penetration testing and risk assessments in 2017, up from just a handful a few years ago. Karas tells Federal News Radio that the assessments and penetration testing help agencies uncover longstanding vulnerabilities and give CIOs and CISOs the data and empowerment to protect HVAs. NCATS also helps agencies put in place several binding operational directives DHS issued over the past 18 months to improve agencies’ cybersecurity posture.

“We create scorecards and have reporting for all 105 agencies who are meeting the metrics,” Karas says. “It gives agencies the power to fix things that they may not have had the power to fix before because it’s now mandated.”

Don Benack, the cybersecurity assurance program manager for NCATS, tells Federal News Radio that NCATS’ scanning, vulnerability testing and cyberhygiene programs has helped agencies cut the amount of time it takes to fix critical vulnerabilities.

“It’s probably the most important metric in that program,” he says. “When we started scanning a number of years ago, there were hundreds of critical vulnerabilities present on federal systems, publicly accessible systems, and the average time to close those vulnerabilities was slightly over a year. Today, we have it down to a small handful of critical vulnerabilities and the average time has gone from just over a year down to 17 days. That is a dramatic improvement.”

NCATS has been able to identify the vulnerabilities of high-valued systems, Benack says, and also give key federal IT leaders the right data on vulnerabilities and the ability to promote best practices.

The goal, Benack says, is to lay out agencies’ vulnerabilities so that they can manage their risks, mitigate vulnerabilities and understand their networks and systems better.

“My vision is to be able to share the data within the NCCIC and make it a world-class leader in this curating industry,” he tells Federal News Radio. “IT changes in microseconds. We need to be able to adapt and get through the bureaucracy and be able to get the information and data out in a timely fashion.”

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.