All 23 Federal civilian CFO Act agencies covered under the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Program will be connected to the governmentwide cybersecurity threat dashboard by September, CDM Program Manager Kevin Cox said today.
In June, Cox said that 20 of the 23 civilian agencies were reporting out to CDM’s Federal dashboard, which compiles and consolidates cybersecurity threat information from individual agency data feeds. Earlier this week, Federal CIO Suzette Kent said the administration was working with DHS and that getting the remaining three agencies on the governmentwide dashboard was a “critical focus.”
“We’ve been working with the remaining three. We have done a successful test with each of those folks. There’s some technical configurations we’re working through to finish up the data feeds, but we expect all 23 CFO Act agencies to be reporting out to the Federal dashboard by the end of September,” Cox said today at an event hosted by ATARC.
He said that DHS has now upgraded the CDM Federal dashboard to Release 5 and is working to upgrade each of the individual agency dashboards to the same release. As those agency dashboards inform data on the Federal dashboard and also direct operational cyber activities on a day-to-day basis, Cox said it’s important that they be optimized to provide the best information.
“We are working to make those agency dashboards even more useful to the agencies,” Cox said. “We’ve been working really diligently to make sure that with each new release of the dashboard, that we’ve got performance improvements and we’ve got reporting improvements.”
He said that process has involved outreach to agencies, aimed at “understanding what’s working, what’s not, what we’re able to run reports on, what we’re not.”
Also with Release 5, Cox said DHS will be implementing CDM’s Agency Wide Adaptive Risk Enumeration (AWARE) scoring algorithm, which will be operationalized over the next three to six months.
“The idea there is that we’re going to be able to take a look, agency by agency, to see how well agencies are doing with patching, configuration, et cetera, and be able to help ultimately get down to the system level as well,” he said.
The AWARE algorithm will serve to highlight where agencies stand within a range of cyber preparedness. “Similar to a credit score,” Cox said, but in reverse–the lower the score, the smaller the agency’s attack surface.
“We want to help agencies identify their overall security posture, cyber hygiene as quickly as possible,” he said.
Cox added that four of the smaller, non-CFO Act agencies are reporting to CDM’s shared service dashboard, with another 15 expected toward the end of September.