DHS to set up continuous monitoring at civilian agencies
The Homeland Security Department will take a yet more active role in federal civilian agencies' cybersecurity efforts, the department announced June 25 in briefings to civil servants and the private sector.
The department says it wants to spend about $200 million in the coming fiscal year in the first of a three-year program to provide cybersecurity tools to federal agencies, including installation of continuous monitoring sensors that will look for unauthorized hardware and software, conduct configuration and vulnerability management, and deploy anti-virus measures. DHS officials say more than 80 percent of exploits target previously known vulnerabilities, meaning that more disciplined cybersecurity could prevent many network penetrations or data breaches.
Homeland Security officials said during a June 25 industry day that the continuous monitoring functions, which should be bundled together with a dashboard, will be provided by commercial off-the-shelf products and deployed to .gov domain agencies.
Subsequent years will add identity authentication and access control management, as well as event response and management. DHS says agencies will be able to hire contractors to run the continuous monitoring sensors if they want.
The continuous monitoring tools will scan agencies' networks and devices every 36 to 72 hours, according to presentation slides (.pdf) from the industry day, perhaps finally resolving the heretofore unanswered question of how continuous continuous monitoring needs to be in order to count as continuous.
According to a draft continuous monitoring document (.pdf), hardware continuous monitoring should include the ability to scan for USB and Internet Protocol (IP)-addressable devices, but not others. The document calls for both active and passive monitoring methods, such as scanning and packet inspection, and appears to be based on a National Security Agency network security plan (.pdf) from April 2011.
When it comes to software scanning, the continuous monitoring function should include a whitelist for authorized applications and likewise include active and passive scanning methods, the draft requirements say.
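To illustrate what the hardware and software checks described above boil down to in practice, here is an added example (not DHS's, the draft document's, or any vendor's code): it merges an active-scan inventory with a passive packet-inspection inventory, compares both against an authorized-hardware list and a software whitelist, and flags any source whose last run is older than the 72-hour upper bound of the scan cycle. All MAC addresses, application names and timestamps are constructed sample values.

```python
"""Reconcile active and passive inventories against an authorized baseline and
report unauthorized hardware/software plus stale scan sources (constructed data)."""
from datetime import datetime, timedelta

MAX_SCAN_AGE = timedelta(hours=72)  # upper bound of the 36-72 hour scan cycle

# Constructed baseline: approved devices (by MAC) and whitelisted (app, version) pairs.
AUTHORIZED_HW = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
AUTHORIZED_SW = {("openssh", "8.9"), ("firefox", "115")}

# Constructed results from an active IP-range scan ...
ACTIVE_SCAN = {
    "time": datetime(2012, 6, 25, 8, 0),
    "hosts": {"aa:bb:cc:00:00:01": [("openssh", "8.9")],
              "aa:bb:cc:00:00:02": [("openssh", "8.9"), ("firefox", "115")]},
}
# ... and from passive packet inspection, which sees a host the active scan missed.
PASSIVE_OBS = {
    "time": datetime(2012, 6, 26, 9, 0),
    "hosts": {"aa:bb:cc:00:00:09": [("unlisted-app", "1.0")]},
}

def merge_inventories(*sources):
    """Union of hosts across all sources; observed software is merged per host."""
    merged = {}
    for src in sources:
        for mac, software in src["hosts"].items():
            merged.setdefault(mac, set()).update(software)
    return merged

def find_unauthorized(inventory, authorized_hw, authorized_sw):
    """Return (unknown hardware, {host: non-whitelisted software}) for a dashboard."""
    unknown_hw = sorted(set(inventory) - authorized_hw)
    bad_sw = {mac: sorted(sw - authorized_sw)
              for mac, sw in inventory.items() if sw - authorized_sw}
    return unknown_hw, bad_sw

def stale_sources(sources, now, max_age=MAX_SCAN_AGE):
    """Names of sources whose most recent run is older than the allowed cycle."""
    return [name for name, src in sources.items() if now - src["time"] > max_age]

if __name__ == "__main__":
    inv = merge_inventories(ACTIVE_SCAN, PASSIVE_OBS)
    print("unauthorized hardware/software:", find_unauthorized(inv, AUTHORIZED_HW, AUTHORIZED_SW))
    print("stale sources:", stale_sources({"active": ACTIVE_SCAN, "passive": PASSIVE_OBS},
                                          datetime(2012, 6, 28, 12, 0)))
```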
The overall approach has already been tested by the State Department, DHS says, stating in a fact sheet (.pdf) that State "eliminated 89 percent of measured risk on personal computers and servers in 12 months, and one third of the remaining risk in 24 months."