DHS to give agencies free computer threat-detection packages

The Homeland Security Department in 2013 expects to present each agency with what amounts to security-in-a-box for computers. The free, three-piece package will include near real-time threat sensors, a control panel for prioritizing fixes and consulting services to make all the pieces work together, DHS officials said.

Under the department’s proposal, $202 million in DHS funding would subsidize what Homeland Security calls “continuous monitoring as a service” at all federal offices. Officials made the announcement at a briefing for federal employees and contractors on Monday.

Homeland Security anticipates obtaining bulk pricing by awarding three contracts to cover the tools, dashboard-style displays and services. The plan is for companies providing agencies with software and hardware access online, or in the “cloud,” to buy the bundle at the government rate or demonstrate that their own surveillance offers equivalent protection, officials said.

“If we could combine the government’s requirements” for computer security testing, “we think we could lower those costs substantially,” John Streufert, director of the Homeland Security National Cyber Security Division, told Nextgov at the presentation. Annually, the federal government spends about $6 billion on computer security.

Defense agencies on the dot-mil domain, military contractors and municipal governments also would be able to purchase off of the federal contract.

The current approach to continuous monitoring, which started in 2010, requires each agency to independently apply devices and software that track weaknesses. While better than the previous method -- after-the-fact manual inspections every three years -- the present process is too expensive for smaller agencies and too inconsistent governmentwide, officials said.

Under the new concept, DHS will deploy, across the dot-gov network, sensors that check for between 60 and 80 billion vulnerabilities at least every 72 hours, according to presentation documents. The department also will install a diagnostic dashboard for each agency, providing customized reports alerting managers to severe risks that require immediate attention.

“Agencies will use the DHS-provided cyber dashboard to display the most serious cyber problems they need to fix each day,” the documents state. “These combined strategies will unify and modernize the methods of conducting continuous monitoring across all networks and [commercial] software of dot-gov organizations no matter how they are implemented.”

Agencies will be responsible for checking non-commercial software, according to the documents. Departments already owning continuous monitoring systems do not have to scrap them, but rather can replace them with the new service as contracts expire, DHS officials said.

A sample dashboard provided to vendors showed a single risk-level grade for one agency site -- an “A+” in this instance -- and an itemized list of 11 security factors that contributed to that letter grade. Those 11 standard components include patches not applied, outdated anti-virus programs, unapproved operating systems and cybersecurity awareness training. Each factor is accompanied by a score of 0-400+, where a rating of less than 40 receives an “A+,” while a rating of at least 400 gets an “F-.”

Here’s how those numbers are calculated: Each time an agency neglects to apply a patch to fix a low-risk bug, the agency earns 3 points, and each time it misses a patch for a critical threat, the agency receives 10 such demerits. If anti-virus software has not been updated in more than six days, the agency is assessed 6 points per day overdue. The discovery of an unapproved operating system on the network racks up 100 points, with 100 additional points per month thereafter. Agencies that fail to retrain employees every year earn 1 demerit per day beyond the expiration date, up to a maximum of 90 points.
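To make the scoring rules above concrete, here is an added worked example that computes a site’s demerit total and letter grade from the four factors the article spells out. It is illustrative code written for this page, not DHS, State Department or any vendor’s dashboard code. The host and user records, the dates and the field names are constructed; the article gives only the A+ and F- endpoints of the grading scale, so the intermediate bands are left unspecified; and the example assumes anti-virus "days overdue" start after the six-day window and that the unapproved-OS monthly surcharge accrues per full calendar month.

```python
"""Demerit calculator modelled on the DHS sample-dashboard rules quoted in the article.
Added example for this page; not DHS or agency code. Sample data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Point values as stated in the article.
LOW_PATCH_POINTS = 3            # per missing low-risk patch
CRITICAL_PATCH_POINTS = 10      # per missing critical patch
AV_GRACE_DAYS = 6               # anti-virus may be up to six days old
AV_POINTS_PER_DAY = 6           # per day overdue beyond the grace period
UNAPPROVED_OS_BASE = 100        # on discovery of an unapproved operating system
UNAPPROVED_OS_PER_MONTH = 100   # per month the unapproved OS remains
TRAINING_POINTS_PER_DAY = 1     # per day past annual-training expiry
TRAINING_MAX_POINTS = 90        # cap on the training demerit
A_PLUS_BELOW = 40               # total < 40  -> "A+"
F_MINUS_AT = 400                # total >= 400 -> "F-"


@dataclass
class HostFinding:
    """One host as a sensor sweep might report it (field names are assumptions)."""
    hostname: str
    av_last_updated: date
    missing_low_patches: int = 0
    missing_critical_patches: int = 0
    unapproved_os_since: Optional[date] = None   # None: operating system is approved


@dataclass
class UserTraining:
    """One user's awareness-training status (field names are assumptions)."""
    user: str
    training_expired_on: Optional[date] = None   # None: annual training is current


def patch_points(host: HostFinding) -> int:
    return (host.missing_low_patches * LOW_PATCH_POINTS
            + host.missing_critical_patches * CRITICAL_PATCH_POINTS)


def av_points(host: HostFinding, today: date) -> int:
    # "Not updated in more than six days": assumption that overdue days are
    # counted from the end of the six-day window, so day 7 is one day overdue.
    overdue = (today - host.av_last_updated).days - AV_GRACE_DAYS
    return max(overdue, 0) * AV_POINTS_PER_DAY


def full_months_between(start: date, end: date) -> int:
    """Whole calendar months elapsed from start to end (assumed reading of 'per month')."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return max(months, 0)


def os_points(host: HostFinding, today: date) -> int:
    if host.unapproved_os_since is None:
        return 0
    return (UNAPPROVED_OS_BASE
            + UNAPPROVED_OS_PER_MONTH * full_months_between(host.unapproved_os_since, today))


def training_points(user: UserTraining, today: date) -> int:
    if user.training_expired_on is None:
        return 0
    days_over = max((today - user.training_expired_on).days, 0)
    return min(days_over * TRAINING_POINTS_PER_DAY, TRAINING_MAX_POINTS)


def letter_grade(total: int) -> str:
    if total < A_PLUS_BELOW:
        return "A+"
    if total >= F_MINUS_AT:
        return "F-"
    return "between A+ and F-"   # intermediate bands are not given in the article


def score_site(hosts: List[HostFinding], users: List[UserTraining], today: date) -> Dict:
    """Per-factor totals, overall total and grade, plus factors ordered worst-first
    (the 'fix these today' view the dashboard is meant to give managers)."""
    factors = {
        "patches_not_applied": sum(patch_points(h) for h in hosts),
        "outdated_antivirus": sum(av_points(h, today) for h in hosts),
        "unapproved_os": sum(os_points(h, today) for h in hosts),
        "awareness_training": sum(training_points(u, today) for u in users),
    }
    total = sum(factors.values())
    worst_first = sorted(factors.items(), key=lambda kv: kv[1], reverse=True)
    return {"factors": factors, "total": total,
            "grade": letter_grade(total), "worst_first": worst_first}


# Constructed sample sweep: one workstation with patch/AV lapses, one server
# running an unapproved OS, one user whose training lapsed months ago.
TODAY = date(2012, 12, 3)
SAMPLE_HOSTS = [
    HostFinding("ws01", av_last_updated=date(2012, 11, 20),
                missing_low_patches=2, missing_critical_patches=1),
    HostFinding("srv02", av_last_updated=TODAY, unapproved_os_since=date(2012, 9, 20)),
]
SAMPLE_USERS = [UserTraining("alice", training_expired_on=date(2012, 6, 1)),
                UserTraining("bob")]

if __name__ == "__main__":
    result = score_site(SAMPLE_HOSTS, SAMPLE_USERS, TODAY)
    for name, pts in result["worst_first"]:
        print(f"{name:22s} {pts:4d}")
    print(f"total {result['total']} -> grade {result['grade']}")
```

Run against the sample data, the single unapproved server contributes 300 of the 448 demerits, which is exactly the kind of ranking the article describes the dashboard surfacing: the one finding that, fixed today, moves the grade most.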

The State Department proved successful in adopting this method, Homeland Security officials said. During a one-year period, the department eliminated 89 percent of risks to personal computers and servers it monitored using the approach.
