DHS looks to automate cyber compliance

The Department of Homeland Security said it plans to improve the ability of two existing programs, Continuous Diagnostics and Mitigation and CyberStat, to better validate whether agencies are complying with Binding Operational Directives addressing systemic vulnerabilities in the information systems and websites of civilian federal agencies.

While the overall findings of a Government Accountability Office report on DHS' efforts to strengthen federal cybersecurity through BODs were largely favorable to DHS and its component, the Cybersecurity and Infrastructure Security Agency, it did find gaps in the department's ability to validate data from agencies that largely self-report their compliance.

In its reply, DHS said that while automated reporting would be its preferred method for validating most compliance metrics, it's not always possible. DHS added that CISA is "working to advance technical capability to enable independent validation."

The Continuous Diagnostics and Mitigation program is designed to standardize the way federal agencies monitor their networks and data for cyber threats. Using pre-approved tools, agencies report information about devices and users connected to their networks up to a master dashboard, which DHS then uses to spot anomalous or suspicious activity.

"[CISA] is confident that full deployment and integration of Continuous Diagnostics and Mitigation program capabilities will significantly increase our ability to validate results similar to our current use of cyber hygiene scans," wrote Jim Crumpacker, director of the department's GAO-IG liaison office.

The department is also working with the Office of Management and Budget to refocus the structure of CyberStat reviews to ensure they include checking up on agency claims.

"[CISA] intends for this type of management review to not only validate agency-submitted results, but to also help identify support opportunities and specific actions to address agency problems, progress, challenges and restraints related to BOD implementation," Crumpacker wrote.

"One [principle] we tried to stick with religiously was the ability to independently measure compliance. That was very important to us," said Jeanette Manfra, then-assistant director for cybersecurity and communications with CISA, in an interview last year. "Over the years, we've seen self-reporting that, when you go in and do an assessment, there's a lot of things that make it difficult to rely on."

This article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
