Evaluating cybersecurity risk

Budget boost would trim CISA's risk assessment backlog

In an effort to reduce the backlog in cybersecurity vulnerability assessments conducted for state and local agencies, a Senate panel is moving to provide the Department of Homeland Security with an additional $58 million.

The new funding is intended to help trim a "12-month backlog in vulnerability assessments reported to the National Cybersecurity and Communications Integration Center," according to an explanatory statement accompanying the Senate Appropriations Committee's draft annual spending bill for DHS.

NCCIC, which is part of the Cybersecurity and Infrastructure Security Agency, has taken up the task of testing critical infrastructure -- election and otherwise -- for state and local agencies. The apparent backlog is outstanding from last year when lawmakers moved to provide additional funding to CISA for the same purpose.

CISA conducted 131 remote penetration tests and 59 onsite risk and vulnerability assessments for local election infrastructure, according to statistics supplied by CISA in mid-August. Approximately 263 election officials around the country received weekly vulnerability scan reports, and thousands of election officials took online security courses. "Last mile" election information was delivered to more than 5,500 localities, and CISA provided trend analysis about risk and vulnerabilities and the latest threats to election infrastructure to the election community.

In partnership with the Center for Internet Security, CISA deployed 276 Albert sensors across all 50 states, the District of Columbia and at least 222 local election networks. Some election jurisdictions have implemented endpoint detection and response programs, as well as domain blocking and reporting tools that prevent elections offices and computers from connecting to known malicious websites, John Gilligan, president and CEO of the non-profit CIS, said during an Aug. 28 House Homeland Security Committee hearing.

The Senate Appropriations Committee is recommending CISA receive approximately $2 billion in fiscal year 2021 funding, $270 million more than the president's budget request sought.

Geoff Hale, director of CISA's Election Security Initiative, said last week that the high demand from state and local election officials for CISA to conduct risk and vulnerability assessments drove the agency to scale up its efforts.

"We started with risk and vulnerability assessments which are resource intensive teams of six [people] flying out on location to do an in-depth assessment," he said at a Nov. 17 virtual event hosted by the Cyber Threat Alliance.

"But the demand for a more scalable service really drove us to develop remote penetration testing which the community has embraced in full," he continued.

The equivalent draft bill by the House Appropriations Committee does not contain a similar funding increase; the difference will have to be reconciled during legislative negotiations.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.

