DHS tweaking cyber 'credit score' program
A cyber hygiene “credit score” is in the works for federal agencies -- but don’t expect to see a public report card anytime soon.
Continuous Diagnostics and Mitigation Program Manager Kevin Cox said at FCW’s Nov. 28 CDM event that the Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm is already ingesting data, and the plan is to put it “fully into production heading into FY2020.”
AWARE is intended to help agencies prioritize mitigation activities so they can improve basic cybersecurity hygiene, according to Dave Otto, a risk management subject-matter expert with the Department of Homeland Security's federal network resilience division who spoke in a September webinar. The algorithm assigns a weighted cyber hygiene score based on unmitigated threats and promotes a "worst-problems first" approach when dealing with mitigation issues.
Cox told reporters after his Nov. 28 speech that AWARE could also be used to accelerate agencies’ response to a future zero-day vulnerability. “We wanted to have a mechanism that if a zero-day hit, [DHS officials] could dial up the response and say, ‘this is a priority patch,’” he said. Because the algorithm weights each indicator in the data streams, “we can turn up the weight on a particular vulnerability, shoot those scores up,” and immediately call agencies’ attention to the risk.
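As an added illustration (not DHS's AWARE code; the actual formula and weights are not described in this article), the Python model below captures the behaviour described above: each unmitigated finding gets a severity weight scaled by how long it has gone unmitigated, findings are ranked worst-problems-first, a per-vulnerability boost lets an operator "turn up the weight" on a zero-day, and each agency's total is compared with the cross-agency average. The severity weights, agency names and VULN-xxxx identifiers are all constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed severity weights (assumption; AWARE's real weights are not public here).
BASE_WEIGHTS = {"critical": 10.0, "high": 5.0, "moderate": 2.0, "low": 1.0}


@dataclass(frozen=True)
class Finding:
    agency: str
    vuln_id: str          # placeholder identifier, constructed for the example
    severity: str         # one of the keys in BASE_WEIGHTS
    days_unmitigated: int


def finding_score(f, weights=BASE_WEIGHTS, boosts=None):
    """Severity weight, multiplied by an optional per-vulnerability boost
    (the "dial up the response" knob) and by an ageing factor that grows
    the longer the finding stays unmitigated (+1 per 30 days)."""
    boosts = boosts or {}
    return weights[f.severity] * boosts.get(f.vuln_id, 1.0) * (1 + f.days_unmitigated / 30)


def worst_first(findings, weights=BASE_WEIGHTS, boosts=None):
    """Order findings so the highest-scoring (worst) problems come first."""
    return sorted(findings, key=lambda f: finding_score(f, weights, boosts), reverse=True)


def agency_scores(findings, weights=BASE_WEIGHTS, boosts=None):
    """Roll individual finding scores up into one score per agency."""
    totals = {}
    for f in findings:
        totals[f.agency] = totals.get(f.agency, 0.0) + finding_score(f, weights, boosts)
    return totals


def relative_to_average(scores):
    """How far each agency sits from the cross-agency mean (positive = worse)."""
    avg = mean(scores.values())
    return {agency: score - avg for agency, score in scores.items()}


# Constructed sample findings; days chosen so the ageing factor stays exact.
SAMPLE = [
    Finding("AgencyA", "VULN-0001", "critical", 30),
    Finding("AgencyA", "VULN-0002", "low", 90),
    Finding("AgencyB", "VULN-0003", "high", 15),
    Finding("AgencyB", "VULN-0001", "critical", 0),
    Finding("AgencyC", "VULN-0004", "moderate", 45),
]

if __name__ == "__main__":
    print(agency_scores(SAMPLE))                                   # baseline scores
    print(agency_scores(SAMPLE, boosts={"VULN-0003": 4.0}))        # after a zero-day boost
```

Boosting a single vulnerability id changes both the worst-first ordering and the agency totals, which is the effect Cox describes for a zero-day without touching the underlying data feed.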
The relatively slow rollout of AWARE is to ensure that the data being crunched by the algorithm is accurate, Cox said, and that agencies are confident the resulting scores “reflect the reality of their systems.”
For now, AWARE simply shows how an agency compares to the cross-agency average. “But at the end of the day,” Cox said, “we don’t want to grade on a curve.”
“I don’t know that we’re going to get to an A-B-C-D-F framework,” he said, “but we want to at least get to a set of ranges where agencies know that they should aim for this range for their score.”
Even when AWARE moves into production, the risk scores still may not be public, Cox said, as they could effectively steer adversaries to the most vulnerable agencies.
The peer pressure that comes with scorecards can be valuable, he noted, and “we want to be as transparent as possible, but we don’t want to put the agencies at risk. So we have to find that balance.”
Cox also said that every CFO Act agency is now rolling up data to the federal dashboard, and that 16 non-CFO agencies are doing so through the CDM program’s shared-services platform.
Troy K. Schneider is editor-in-chief of FCW and GCN.
Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of NationalJournal.com, Schneider also helped launch the political site PoliticsNow.com in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times, WashingtonPost.com, Slate, Politico, National Journal, Governing, and many of the other titles listed above.
Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.