Kevin Cox, program manager for the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program, today discussed the program’s progress in generating AWARE (Agency-Wide Adaptive Risk Enumeration) algorithm scores for Federal agencies to track relative security status, and how the program plans to refine the scoring process in the future.
Speaking at an event organized by FCW, Cox said DHS currently is generating AWARE scores for 35 Federal agencies, including the 23 CFO Act agencies. That agency total is up from 31 reported in September.
Cox described AWARE version 1.0 as currently a “blunt instrument,” but one that would pave the way for refinements over the next year. He described in new detail how AWARE scores are tallied for agencies, including how DHS employs agency device counts and undertakes relative weighting of that data.
But he also frankly admitted that the process is still so new that “we don’t know yet what is a good AWARE score and what is a bad AWARE score.”
AWARE scores won’t be made public in part so that adversaries don’t gain intelligence into agency security postures, but they will be available to DHS and Federal government leadership. Agencies will receive their own scores, and then a Federal agency average for comparison, along with advice from the CDM Program Office about how to improve scores.
“We are going to gather lessons learned from good scores, and then approach underperformers and say ‘what can you be doing better,’ and ‘how can we help you,’” Cox said. “We aren’t going to come in [to agencies] with a hammer,” he pledged.
At a MeriTalk event in October, Cox said the CDM program office planned to provide guidance to agencies on how to improve their AWARE scores through software patching and aligning with other FISMA (Federal Information Security Management Act) categories. He also said he viewed Fiscal Year 2020 as a “readiness year” to work with agencies “to get familiar with your score [and] get them in the Federal AWARE score average.”
Elsewhere during his remarks today, Cox talked about progress on the new CDM dashboard that the program office contracted for earlier this year, and said pilots with agencies are planned for the second and third quarters of FY2020. He is targeting a rollout to CFO Act agencies by the end of the fiscal year.
Other FY2020 priorities include work on an ongoing CDM cloud migration pilot with the Small Business Administration, and cloud discovery pilots using native and third-party technologies, he said. Cox also spoke of the program’s ongoing shift to improve protection of agency high-value assets, and commented, “this is really the future of the program.”