The active critical vulnerabilities at the Department of Homeland Security have decreased by 99 percent and the time that it takes to detect problems has been cut in half in government agencies since October, according to Trevor Rudolph, chief of the Office of Management and Budget Cyber and National Security Unit.
“DHS is assessing data vulnerability risks and working with other agencies to address critical vulnerabilities,” said Mark Kneidinger, director of the Federal Network Resilience Division of DHS at MeriTalk’s Federal Forum. “It really puts the seriousness on what needed to be done.”
Now DHS is beginning phase four of its Continuous Diagnostics and Mitigation (CDM) program, which deals with data encryption, data masking, and micro-segmentation.
The Cybersecurity Strategy and Implementation Plan (CSIP) and Cybersecurity National Action Plan (CNAP) focused on bringing the whole Federal government up to speed on cybersecurity initiatives; however, some individual agencies developed their own way of protecting their digital information.
DHS implemented CDM, which scans all systems every 72 hours in order to install and update sensors, search for flaws, collect and analyze results, fix the worst problems first, and report progress.
DHS also opened a Silicon Valley office, which focuses on vendor engagement. Startup companies can take advantage of the FASTLANE program, which gets businesses through the approval process quicker to work with the Federal government.
CSIP and CNAP helped agencies engage with other partners in order to accomplish cybersecurity goals. “These programs allowed us to dramatically accelerate and not feel uncomfortable reaching out for help,” said Clifton Triplett, senior cyber and information technology adviser for the Office of Personnel Management.
OPM hired category managers to work on cybersecurity and communicate with technology vendors.
The Department of Defense found that CSIP and CNAP lined up with the goals that the agency already held for cybersecurity; however, now it can also reach out to the private sector with a common plan, according to Maj. Gen. Sarah E. Zabel, vice director of the Defense Information Systems Agency (DISA).
DISA gave visibility to the CIO, secretary of Defense, and chiefs of staff by keeping track of the basic hygiene of DOD’s cybersecurity systems by asking questions such as, does the agency have two-factor authentication.
Moving forward, the government should strive to combine physical and technical security, according to Rudolph. Also, officials must convince the next deputy secretaries that cybersecurity is important and give them a way to track flaws and see improvement.