DHS looks to automate cyber compliance
- By Derek B. Johnson
- Feb 05, 2020
The Department of Homeland Security said it plans to improve the ability of two existing programs, Continuous Diagnostics and Mitigation and CyberStat, to better validate whether agencies are complying with Binding Operational Directives addressing systemic vulnerabilities in the information systems and websites of civilian federal agencies.
While the overall findings of a Government Accountability Office report on DHS' efforts to strengthen federal cybersecurity through BODs were largely favorable to DHS and its component, the Cybersecurity and Infrastructure Security Agency, it did find gaps in the department's ability to validate data from agencies that largely self-report their compliance.
In its reply, DHS said that while automated reporting would be its preferred method for validating most compliance metrics, it's not always possible. DHS added that CISA is "working to advance technical capability to enable independent validation."
The Continuous Diagnostics and Mitigation program is designed to standardize the way federal agencies monitor their networks and data for cyber threats. Using pre-approved tools, agencies report information about devices and users connected to their networks up to a master dashboard, which DHS then uses to spot anomalous or suspicious activity.
"[CISA] is confident that full deployment and integration of Continuous Diagnostics and Mitigation program capabilities will significantly increase our ability to validate results similar to our current use of cyber hygiene scans," wrote Jim Crumpacker, director of the department's GAO-IG liaison office.
The department is also working with the Office of Management and Budget to refocus the structure of CyberStat reviews to ensure they include checking up on agency claims.
"[CISA] intends for this type of management review to not only validate agency-submitted results, but to also help identify support opportunities and specific actions to address agency problems, progress, challenges and restraints related to BOD implementation," Crumpacker wrote.
"One [principle] we tried to stick with religiously was the ability to independently measure compliance. That was very important to us," said Jeanette Manfra, then-assistant director for cybersecurity and communications with CISA in an interview last year. "Over the years, we've seen self-reporting that, when you go in and do an assessment, there's a lot of things that makes it difficult to rely on."
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.