The Department of Homeland Security is working with multiple Federal agencies to develop a new “risk radar” that will help agencies’ top executives contextualize cybersecurity risk and clarify where they need to apply focus and resources, according to Mark Kneidinger, director of the Federal Network Resilience division of DHS’ Office of Cybersecurity and Communications (CS&C).
The radar tool will serve to alert agencies’ top brass of the actual “consequences” of everyday cyber activity and make sense of threat information above the operational level, he said. Agency leaders, far removed from everyday security staff, will now get to see what should be on their radar, and “where you need to pay attention,” Kneidinger explained.
The proposed tool is currently in the planning phase, and Kneidinger, speaking today at a cybersecurity event hosted by Splunk, said DHS is expecting the radar tool to be drafted from a structural perspective by the second quarter of FY2019.
Kneidinger said that the risk radar will incorporate data from the Continuous Diagnostics and Mitigation (CDM) program, Federal Information Security Modernization Act (FISMA) reporting, and other government-wide data collection on cyber. CS&C has established a team spanning across government to develop criteria for the new radar.
“There’s a risk management subcommittee that’s been put in place. It has, I think, 15, 20 agencies on it,” Kneidinger said. “So they’re a key element in identifying various elements that should be part of it, but also the information stores that would be applied to support that.”
His division is running point on the new initiative, and he said the goal is to build a “common taxonomy” that can help agency leadership have more productive discussions with security personnel.
“It is being managed out of CS&C, specifically my division, Federal Network Resilience, and we’re leveraging a lot from the work that was done in the Cyber Risk Determination Plan and the NIST Risk Management Framework,” he said.
So why another cyber threat indicator among the myriad currently employed by DHS to help agencies examine threats, vulnerabilities, and gaps in security posture? With all the cyber risk information flowing into agencies, Kneidinger, who has served as CIO at multiple state and Federal agencies, pointed to a key fact: much of the context is lost in translation as it moves up the chain.
The goal for the risk radar is to simplify the path from threat data to concrete action steps, and to tell those who hold the purse strings where to place resources.
“They’re getting this information from their CIOs, the stoplight charts and things of that nature. They have no idea really what that means,” he said. “What does that mean with regard to my mission? How should I invest to be able to support our mission as an agency? There’s a translation breakdown between that.”
CS&C and its Federal agency partners are looking across business and operational units to explore how to break down the language barrier and get to the common taxonomy Kneidinger mentioned, which will be based on the NIST RMF and DHS’ Cyber Risk Determination Report and Action Plan.
“In working with the government representatives, we’ve gone beyond just working with the CISOs and the operational levels and the CIOs. We’re also engaging with the CFOs and other agency executives,” Kneidinger said.
The DHS Risk Report was pretty clear. Released in May in response to President Trump’s cyber executive order, it found that three out of four Federal agencies were at serious cyber risk.
The new radar tool could finally align business units to tackle that pervasive problem. Kneidinger said it will help leaders determine “weighting and scaling, across consequence, posture, resource, budget, and threat.”
“That would provide the clarity that they’re looking for as to where their agency is in meeting specific types of threats, and basically where they need to focus attention,” he said.