Evaluating cybersecurity risk

DHS preps AWARE risk management tool for launch

Over the next two years, the Department of Homeland Security's Continuous Diagnostics and Mitigation program will focus on deploying its new risk scoring algorithm to help agencies prioritize mitigation activities and improve their basic cybersecurity hygiene.

The Agency-Wide Adaptive Risk Enumeration algorithm will have a "soft rollout" in October, according to CDM Program Manager Kevin Cox.  Speaking at a March 27 technology conference hosted by the Advanced Technology Academic Research Center, Cox described how AWARE will start with tracking basic agency metrics like vulnerability management, patching and configuration.

There's little point focusing on higher level attack vectors when "the front door is wide open" because agencies are still skimping on the fundamentals, he said. Adversaries go after "the easier targets to be able to get a foothold and then expand out and move laterally across the network."

Further down the line, Cox said, DHS wants AWARE to assess risk down to the individual system level.

Cox's comments are the latest reminder that, for all the discussion around advanced nation-state threats and the role emerging technologies like artificial intelligence and quantum computing can play in cybersecurity, the federal government remains far too susceptible to compromise through poor hygiene.

Attackers aren't burning high-value tools when targeting federal systems. The National Security Agency apparently hasn't responded to a Zero-day attack on government systems in the last four years, largely because hackers have found plenty of success through basic attack vectors like phishing and credential theft.

"This sounds incredibly silly to say, but the basic step of verifying that you actually own the networks that you think you do is really impactful," said Marshall Kuypers, senior director of cyber risk at Expanse, a cloud and cybersecurity company based in Silicon Valley.

While AWARE is scheduled to launch in October, agencies won't have to start looking over their shoulders right away.

"The idea is we're not going to turn it on and then immediately come down and beat the agencies up because they haven't patched their systems properly," Cox said. "We want to make sure the information they're seeing is the information we're seeing, help to identify the areas where they need to put more information on and then provide support."

DHS will also spend the year pulling smaller, non-CFO Act "micro" agencies onto a shared service CDM platform. The program expects to have 19 such organizations on the platform by the end of March.

Cox said agency leaders, member of Congress and the Office of Management and Budget have all pushed for more operational data from CDM. To that end, DHS expects to award a new dashboard contract in May that will build in new capabilities around data analytics and protecting high-value data for federal agencies.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.