The Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) is standing up shared Continuous Diagnostics and Mitigation (CDM) cloud security resources for small agencies.
“That’s a rock star idea that’s coming to a government near you,” said Jeffrey Eisensmith, chief information security officer for DHS, at the CISQ Cyber Resilience Summit on Oct. 19.
Eisensmith said that cybersecurity isn’t a fair fight for small agencies that don’t have the same resources as large agencies.
“They’re going to get creamed,” in a cyber fight, Eisensmith said.
Eisensmith said that DHS is also working on a new acquisition management directive that includes agile processes for procurement. The directive is in its pilot phase and involves lighter deliverables on the front end of DHS systems. With the new framework, deliverables are brought before the acquisition board more frequently.
“So far we’ve had great success with that,” Eisensmith said.
This agile process has the ability to bring new technologies to agencies more quickly.
“An incredibly important part of our jobs is to make sure we’re staying current,” said Jack Wilmer, cyber lead for the American Technology Council at the White House Office of Science and Technology Policy.
Eisensmith said that one practice that moves platforms through deployment faster is building security into code as the software is created.
“The time to market for your ATOs [authority to operate] goes through the floor,” Eisensmith said.
Eisensmith said that DHS has been able to assign clearly defined metrics to security levels by using a kill chain. For example, on a chain of links, if a potential breach is stopped at link three, DHS can study why it wasn’t stopped at an earlier link and whether it could have been stopped at a later link. This way the agency can figure out what needs to be replaced and what further training IT employees need to thwart attacks.
“If link five is not working, we can say, ‘hey, if you don’t want to make the investment that’s fine, but if something goes bump in the night you’ll know,’ ” Eisensmith said.
Eisensmith said that agencies struggle with updating legacy systems because of the way the budget is allocated.
“It takes more than one year’s budget to get from a legacy system to a brand new shiny platform and we get paid by the year,” Eisensmith said.
Former Federal CIO Tony Scott said that despite these challenges, agencies have actually been able to adopt cloud applications fairly quickly. Scott said that 60 percent to 70 percent of the government has moved to cloud-based email systems.
One opportunity that Scott said he sees is for agencies to share one cloud-based case management system. Scott said that the case management system should contain the core capabilities that every agency needs, and the agencies can add their own APIs to customize the platform based on their specific needs.
“Where all the dollars are frankly is in all of the heavy lifting applications,” Scott said. “I think the wrong thing to do–and I hope we don’t go down this path–is just a lift and shift.”